aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorLiu Bo <bo.li.liu@oracle.com>2013-05-26 09:50:27 -0400
committerChris Mason <chris.mason@fusionio.com>2013-06-08 15:10:01 -0400
commit2932505abe7c56477315a3d93ffb3c27c5182e9d (patch)
tree87fadf5f979b36cdcad79a5d4f4c6cd587b68422 /fs
parenta9995eece39a0630ebbfc1ab38570bce6c8a8f5b (diff)
Btrfs: fix use-after-free bug during umount
Commit be283b2e674a09457d4563729015adb637ce7cc1 ( Btrfs: use helper to cleanup tree roots) introduced the following bug, BUG: unable to handle kernel NULL pointer dereference at 0000000000000034 IP: [<ffffffffa039368c>] extent_buffer_get+0x4/0xa [btrfs] [...] Pid: 2463, comm: btrfs-cache-1 Tainted: G O 3.9.0+ #4 innotek GmbH VirtualBox/VirtualBox RIP: 0010:[<ffffffffa039368c>] [<ffffffffa039368c>] extent_buffer_get+0x4/0xa [btrfs] Process btrfs-cache-1 (pid: 2463, threadinfo ffff880112d60000, task ffff880117679730) [...] Call Trace: [<ffffffffa0398a99>] btrfs_search_slot+0x104/0x64d [btrfs] [<ffffffffa039aea4>] btrfs_next_old_leaf+0xa7/0x334 [btrfs] [<ffffffffa039b141>] btrfs_next_leaf+0x10/0x12 [btrfs] [<ffffffffa039ea13>] caching_thread+0x1a3/0x2e0 [btrfs] [<ffffffffa03d8811>] worker_loop+0x14b/0x48e [btrfs] [<ffffffffa03d86c6>] ? btrfs_queue_worker+0x25c/0x25c [btrfs] [<ffffffff81068d3d>] kthread+0x8d/0x95 [<ffffffff81068cb0>] ? kthread_freezable_should_stop+0x43/0x43 [<ffffffff8151e5ac>] ret_from_fork+0x7c/0xb0 [<ffffffff81068cb0>] ? kthread_freezable_should_stop+0x43/0x43 RIP [<ffffffffa039368c>] extent_buffer_get+0x4/0xa [btrfs] We've free'ed commit_root before actually getting to free block groups where caching thread needs valid extent_root->commit_root. Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: Josef Bacik <jbacik@fusionio.com> Signed-off-by: Chris Mason <chris.mason@fusionio.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/btrfs/disk-io.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index bdaa092d6296..7c66c2314c14 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3512,10 +3512,10 @@ int close_ctree(struct btrfs_root *root)
3512 percpu_counter_sum(&fs_info->delalloc_bytes)); 3512 percpu_counter_sum(&fs_info->delalloc_bytes));
3513 } 3513 }
3514 3514
3515 free_root_pointers(fs_info, 1);
3516
3517 btrfs_free_block_groups(fs_info); 3515 btrfs_free_block_groups(fs_info);
3518 3516
3517 free_root_pointers(fs_info, 1);
3518
3519 del_fs_roots(fs_info); 3519 del_fs_roots(fs_info);
3520 3520
3521 iput(fs_info->btree_inode); 3521 iput(fs_info->btree_inode);