[XFS] Fix use-after-free during log unmount. Don't reference the log buffer after running the callbacks as the callback can trigger the log buffers to be freed during unmount. SGI-PV: 964545 SGI-Modid: xfs-linux-melb:xfs-kern:28567a Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: Tim Shimmin <tes@sgi.com>

commit: 3db296f341b5902c4f9317022ae5d4da2d59d598 [log] [tgz]
author: David Chinner <dgc@sgi.com> Mon May 14 18:24:16 2007 +1000
committer: Tim Shimmin <tes@chook.melbourne.sgi.com> Sat Jul 14 15:22:34 2007 +1000
tree: f351eb33c6bac70d82d9f3adf0836d4c424bad92
parent: 40095b64f5da601a8ab61fbe4b40feb46830052e [diff] [blame]
diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
index 635f99e..5bb9020 100644
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c

@@ -967,14 +967,16 @@
 	} else if (iclog->ic_state & XLOG_STATE_IOERROR) {
 		aborted = XFS_LI_ABORTED;
 	}
+
+	/* log I/O is always issued ASYNC */
+	ASSERT(XFS_BUF_ISASYNC(bp));
 	xlog_state_done_syncing(iclog, aborted);
-	if (!(XFS_BUF_ISASYNC(bp))) {
-		/*
-		 * Corresponding psema() will be done in bwrite().  If we don't
-		 * vsema() here, panic.
-		 */
-		XFS_BUF_V_IODONESEMA(bp);
-	}
+	/*
+	 * do not reference the buffer (bp) here as we could race
+	 * with it being freed after writing the unmount record to the
+	 * log.
+	 */
+
 }	/* xlog_iodone */
 
 /*
commit	3db296f341b5902c4f9317022ae5d4da2d59d598	[log] [tgz]
author	David Chinner <dgc@sgi.com>	Mon May 14 18:24:16 2007 +1000
committer	Tim Shimmin <tes@chook.melbourne.sgi.com>	Sat Jul 14 15:22:34 2007 +1000
tree	f351eb33c6bac70d82d9f3adf0836d4c424bad92
parent	40095b64f5da601a8ab61fbe4b40feb46830052e [diff] [blame]