[XFS] Fix use-after-free with log and quotas
Destroying the quota stuff on unmount can access the log - ie XFS_QM_DONE() ends up in xfs_dqunlock() which calls xfs_trans_unlocked_item() and then xfs_log_move_tail(). By this time the log has already been destroyed. Just move the cleanup of the quota code earlier in xfs_unmountfs() before the call to xfs_log_unmount(). Moving XFS_QM_DONE() up near XFS_QM_DQPURGEALL() seems like a good spot. SGI-PV: 987086 SGI-Modid: xfs-linux-melb:xfs-kern:32148a Signed-off-by: Lachlan McIlroy <lachlan@sgi.com> Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: Peter Leckie <pleckie@sgi.com>
This commit is contained in:
parent
75fa67706c
commit
9ccbece546
|
@ -1245,6 +1245,9 @@ xfs_unmountfs(
|
||||||
|
|
||||||
XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING);
|
XFS_QM_DQPURGEALL(mp, XFS_QMOPT_QUOTALL | XFS_QMOPT_UMOUNTING);
|
||||||
|
|
||||||
|
if (mp->m_quotainfo)
|
||||||
|
XFS_QM_DONE(mp);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Flush out the log synchronously so that we know for sure
|
* Flush out the log synchronously so that we know for sure
|
||||||
* that nothing is pinned. This is important because bflush()
|
* that nothing is pinned. This is important because bflush()
|
||||||
|
@ -1297,8 +1300,6 @@ xfs_unmountfs(
|
||||||
xfs_errortag_clearall(mp, 0);
|
xfs_errortag_clearall(mp, 0);
|
||||||
#endif
|
#endif
|
||||||
xfs_free_perag(mp);
|
xfs_free_perag(mp);
|
||||||
if (mp->m_quotainfo)
|
|
||||||
XFS_QM_DONE(mp);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
STATIC void
|
STATIC void
|
||||||
|
|
Loading…
Reference in New Issue