Commit 9ccbece5 authored by Lachlan McIlroy, committed by Lachlan McIlroy

[XFS] Fix use-after-free with log and quotas

Destroying the quota stuff on unmount can access the log - i.e.
XFS_QM_DONE() ends up in xfs_dqunlock() which calls
xfs_trans_unlocked_item() and then xfs_log_move_tail(). By this time the
log has already been destroyed. Just move the cleanup of the quota code
earlier in xfs_unmountfs() before the call to xfs_log_unmount(). Moving
XFS_QM_DONE() up near XFS_QM_DQPURGEALL() seems like a good spot.

SGI-PV: 987086

SGI-Modid: xfs-linux-melb:xfs-kern:32148a
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Peter Leckie <pleckie@sgi.com>
parent 75fa6770
...@@ -1245,6 +1245,9 @@ xfs_unmountfs( ...@@ -1245,6 +1245,9 @@ xfs_unmountfs(
XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING); XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING);
if (mp->m_quotainfo)
XFS_QM_DONE(mp);
/* /*
* Flush out the log synchronously so that we know for sure * Flush out the log synchronously so that we know for sure
* that nothing is pinned. This is important because bflush() * that nothing is pinned. This is important because bflush()
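Review bot: The new `if (mp->m_quotainfo) XFS_QM_DONE(mp);` call right after XFS_QM_DQPURGEALL() has no comment recording why it must sit here. The ordering is the whole fix: per the commit message, XFS_QM_DONE() reaches xfs_log_move_tail() through xfs_dqunlock() and xfs_trans_unlocked_item(), so it has to run before xfs_log_unmount(). Please add a short comment above the call stating that quota teardown touches the log and must stay ahead of the log teardown, so a later reshuffle of xfs_unmountfs() does not reintroduce the use-after-free.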
...@@ -1297,8 +1300,6 @@ xfs_unmountfs( ...@@ -1297,8 +1300,6 @@ xfs_unmountfs(
xfs_errortag_clearall(mp, 0); xfs_errortag_clearall(mp, 0);
#endif #endif
xfs_free_perag(mp); xfs_free_perag(mp);
if (mp->m_quotainfo)
XFS_QM_DONE(mp);
} }
STATIC void STATIC void
......
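Review bot: Removing `XFS_QM_DONE(mp)` from after xfs_free_perag(mp) means everything between the new call site and the end of xfs_unmountfs() now runs with the quota state already torn down, and those intervening lines are not shown in either hunk. Please confirm that nothing in that stretch (the synchronous log flush, xfs_log_unmount(), the error-tag cleanup) still dereferences mp->m_quotainfo or takes a dquot lock; otherwise the fix swaps one use-after-free for another. It would also help to state in the commit message whether XFS_QM_DONE() clears mp->m_quotainfo, since that decides whether a stale pointer remains visible to the later steps.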