Btrfs: fix use-after-free in __btrfs_end_transaction

49b25e0540904be0bf558b84475c69d72e4de66e introduced a use-after-free bug
that caused spurious -EIO's to be returned.

Do the check before we free the transaction.

Cc: David Sterba <dsterba@suse.cz>
Cc: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>

1 files changed, 5 insertions, 4 deletions

diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
index 8da29e8e4de1..11b77a59db62 100644
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -480,6 +480,7 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans,
         struct btrfs_transaction *cur_trans = trans->transaction;
         struct btrfs_fs_info *info = root->fs_info;
         int count = 0;
+        int err = 0;
 
         if (--trans->use_count) {
                 trans->block_rsv = trans->orig_rsv;
@@ -532,18 +533,18 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans,
 
         if (current->journal_info == trans)
                 current->journal_info = NULL;
-        memset(trans, 0, sizeof(*trans));
-        kmem_cache_free(btrfs_trans_handle_cachep, trans);
 
         if (throttle)
                 btrfs_run_delayed_iputs(root);
 
         if (trans->aborted ||
             root->fs_info->fs_state & BTRFS_SUPER_FLAG_ERROR) {
-                return -EIO;
+                err = -EIO;
         }
 
-        return 0;
+        memset(trans, 0, sizeof(*trans));
+        kmem_cache_free(btrfs_trans_handle_cachep, trans);
+        return err;
 }
 
 int btrfs_end_transaction(struct btrfs_trans_handle *trans,