Btrfs: fix a double free on pending snapshots in error handling

When creating a snapshot, failing to commit a transaction can end up
with aborting the transaction, following by doing a cleanup for it, where
we'll free all snapshots pending to disk.

So we check it and avoid double free on pending snapshots.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 14c0d2e0790c95a8c2814fdfb4506939b5f2f765..e262cd8c4a7d9132880ab75ad5ca4adf63f86f20 100644 (file)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -571,8 +571,12 @@ static int create_snapshot(struct btrfs_root *root, struct dentry *dentry,
                ret = btrfs_commit_transaction(trans,
                                               root->fs_info->extent_root);
        }
-       if (ret)
+       if (ret) {
+               /* cleanup_transaction has freed this for us */
+               if (trans->aborted)
+                       pending_snapshot = NULL;
                goto fail;
+       }
 
        ret = pending_snapshot->error;
        if (ret)