diff options
author | Lachlan McIlroy <lachlan@sgi.com> | 2008-10-30 01:53:25 -0400 |
---|---|---|
committer | Lachlan McIlroy <lachlan@redback.melbourne.sgi.com> | 2008-11-10 01:43:23 -0500 |
commit | 9ccbece546cf836f67f6d9bb4bf2f70f7476cb2c (patch) | |
tree | 86b6b97537c46eb70555fbe8ffdc16e1ec8b69d0 /fs/xfs/xfs_mount.c | |
parent | 75fa67706cce5272bcfc51ed646f2da21f3bdb6e (diff) |
[XFS] Fix use-after-free with log and quotas
Destroying the quota stuff on unmount can access the log - ie
XFS_QM_DONE() ends up in xfs_dqunlock() which calls
xfs_trans_unlocked_item() and then xfs_log_move_tail(). By this time the
log has already been destroyed. Just move the cleanup of the quota code
earlier in xfs_unmountfs() before the call to xfs_log_unmount(). Moving
XFS_QM_DONE() up near XFS_QM_DQPURGEALL() seems like a good spot.
SGI-PV: 987086
SGI-Modid: xfs-linux-melb:xfs-kern:32148a
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Peter Leckie <pleckie@sgi.com>
Diffstat (limited to 'fs/xfs/xfs_mount.c')
-rw-r--r-- | fs/xfs/xfs_mount.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c index a4503f5e9497..15f5dd22fbb2 100644 --- a/fs/xfs/xfs_mount.c +++ b/fs/xfs/xfs_mount.c | |||
@@ -1245,6 +1245,9 @@ xfs_unmountfs( | |||
1245 | 1245 | ||
1246 | XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING); | 1246 | XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING); |
1247 | 1247 | ||
1248 | if (mp->m_quotainfo) | ||
1249 | XFS_QM_DONE(mp); | ||
1250 | |||
1248 | /* | 1251 | /* |
1249 | * Flush out the log synchronously so that we know for sure | 1252 | * Flush out the log synchronously so that we know for sure |
1250 | * that nothing is pinned. This is important because bflush() | 1253 | * that nothing is pinned. This is important because bflush() |
@@ -1297,8 +1300,6 @@ xfs_unmountfs( | |||
1297 | xfs_errortag_clearall(mp, 0); | 1300 | xfs_errortag_clearall(mp, 0); |
1298 | #endif | 1301 | #endif |
1299 | xfs_free_perag(mp); | 1302 | xfs_free_perag(mp); |
1300 | if (mp->m_quotainfo) | ||
1301 | XFS_QM_DONE(mp); | ||
1302 | } | 1303 | } |
1303 | 1304 | ||
1304 | STATIC void | 1305 | STATIC void |