xfs: use reference counts to free clean buffer items

When a transaction is cancelled and the buffer log item is clean in the transaction, the buffer log item is unconditionally freed. If the log item is in the AIL, however, this leads to a use after free condition as the item still has other users. In this case, xfs_buf_item_relse() should only be called on clean buffer items if the reference count has dropped to zero. This ensures only the last user frees the item. Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Mark Tinguely <tinguely@sgi.com> Signed-off-by: Ben Myers <bpm@sgi.com>

xfs: use reference counts to free clean buffer items
When a transaction is cancelled and the buffer log item is clean in the transaction, the buffer log item is unconditionally freed. If the log item is in the AIL, however, this leads to a use after free condition as the item still has other users. In this case, xfs_buf_item_relse() should only be called on clean buffer items if the reference count has dropped to zero. This ensures only the last user frees the item. Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Mark Tinguely <tinguely@sgi.com> Signed-off-by: Ben Myers <bpm@sgi.com>
2ad01f53 · Dave Chinner · Ben Myers · d6970d4b · 2ad01f53
Commit 2ad01f53 authored Aug 12, 2013 by Dave Chinner Committed by Ben Myers Aug 15, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 4 deletions

fs/xfs/xfs_buf_item.c fs/xfs/xfs_buf_item.c +2 -4

No files found.
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -613,11 +613,9 @@ xfs_buf_item_unlock(
 			}
 		}
 	}
-	if (clean)
+	if (clean || aborted) {
-		xfs_buf_item_relse(bp);
-	else if (aborted) {
 		if (atomic_dec_and_test(&bip->bli_refcount)) {
-			ASSERT(XFS_FORCED_SHUTDOWN(lip->li_mountp));
+			ASSERT(!aborted || XFS_FORCED_SHUTDOWN(lip->li_mountp));
 			xfs_buf_item_relse(bp);
 		}
 	} else