[XFS] Fix use-after-free during log unmount.
author David Chinner <dgc@sgi.com>
Mon, 14 May 2007 08:24:16 +0000 (18:24 +1000)
committer Tim Shimmin <tes@chook.melbourne.sgi.com>
Sat, 14 Jul 2007 05:22:34 +0000 (15:22 +1000)
Don't reference the log buffer after running the callbacks as the callback
can trigger the log buffers to be freed during unmount.

SGI-PV: 964545
SGI-Modid: xfs-linux-melb:xfs-kern:28567a

Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Tim Shimmin <tes@sgi.com>
fs/xfs/xfs_log.c

index 635f99e6302ff642f940bd0d448cf6a06760c6f3..5bb902056e61734a44cc4ccad1e223fd992065bf 100644
@@ -967,14 +967,16 @@ xlog_iodone(xfs_buf_t *bp)
        } else if (iclog->ic_state & XLOG_STATE_IOERROR) {
                aborted = XFS_LI_ABORTED;
        }
+
+       /* log I/O is always issued ASYNC */
+       ASSERT(XFS_BUF_ISASYNC(bp));
        xlog_state_done_syncing(iclog, aborted);
-       if (!(XFS_BUF_ISASYNC(bp))) {
-               /*
-                * Corresponding psema() will be done in bwrite().  If we don't
-                * vsema() here, panic.
-                */
-               XFS_BUF_V_IODONESEMA(bp);
-       }
+       /*
+        * do not reference the buffer (bp) here as we could race
+        * with it being freed after writing the unmount record to the
+        * log.
+        */
+
 }      /* xlog_iodone */
 
 /*
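Review bot: the new ASSERT(XFS_BUF_ISASYNC(bp)) compiles out in non-DEBUG builds, so if a synchronous log write ever did reach xlog_iodone, the removed XFS_BUF_V_IODONESEMA(bp) would no longer be performed and the bwrite() caller waiting in the corresponding psema() would block forever; since the fix depends entirely on the invariant that log I/O is always issued ASYNC, the comment should say where that invariant is enforced so a later change to the log write path does not silently reintroduce a hang. A smaller style point: the empty `+` line after the new "do not reference the buffer" comment leaves a stray blank line before the closing `}` that the function did not previously have, and the comment itself would read more naturally placed above the xlog_state_done_syncing(iclog, aborted) call it qualifies, since that call is the point after which bp must not be touched.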