[XFS] Fix use-after-free with log and quotas

Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE() ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then xfs_log_move_tail(). By this time the log has already been destroyed. Just move the cleanup of the quota code earlier in xfs_unmountfs() before the call to xfs_log_unmount(). Moving XFS_QM_DONE() up near XFS_QM_DQPURGEALL() seems like a good spot. SGI-PV: 987086 SGI-Modid: xfs-linux-melb:xfs-kern:32148a Signed-off-by: Lachlan McIlroy <lachlan@sgi.com> Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: Peter Leckie <pleckie@sgi.com>
author: Lachlan McIlroy <lachlan@sgi.com> 2008-10-30 01:53:25 -0400
committer: Lachlan McIlroy <lachlan@redback.melbourne.sgi.com> 2008-11-10 01:43:23 -0500
commit: 9ccbece546cf836f67f6d9bb4bf2f70f7476cb2c (patch)
tree: 86b6b97537c46eb70555fbe8ffdc16e1ec8b69d0 /fs
parent: 75fa67706cce5272bcfc51ed646f2da21f3bdb6e (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index a4503f5e9497..15f5dd22fbb2 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -1245,6 +1245,9 @@ xfs_unmountfs(
        XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING);
+        if (mp->m_quotainfo)
+                XFS_QM_DONE(mp);
        /*
         * Flush out the log synchronously so that we know for sure
         * that nothing is pinned.  This is important because bflush()
@@ -1297,8 +1300,6 @@ xfs_unmountfs(
        xfs_errortag_clearall(mp, 0);
 #endif
        xfs_free_perag(mp);
-        if (mp->m_quotainfo)
-                XFS_QM_DONE(mp);
 }
 STATIC void
author	Lachlan McIlroy <lachlan@sgi.com>	2008-10-30 01:53:25 -0400
committer	Lachlan McIlroy <lachlan@redback.melbourne.sgi.com>	2008-11-10 01:43:23 -0500
commit	9ccbece546cf836f67f6d9bb4bf2f70f7476cb2c (patch)
tree	86b6b97537c46eb70555fbe8ffdc16e1ec8b69d0 /fs
parent	75fa67706cce5272bcfc51ed646f2da21f3bdb6e (diff)