diff options
| author | Dave Chinner <dchinner@redhat.com> | 2013-08-12 20:50:11 +1000 |
|---|---|---|
| committer | Ben Myers <bpm@sgi.com> | 2013-08-15 16:42:29 -0500 |
| commit | 2ad01f53dc34ef3180e555d40b331f95f269a0fa (patch) | |
| tree | 49729386fa5b0d6e7cf743e768b4e8170713b26a | |
| parent | d6970d4b726cea6d7a9bc4120814f95c09571fc3 (diff) | |
| download | op-kernel-dev-2ad01f53dc34ef3180e555d40b331f95f269a0fa.zip op-kernel-dev-2ad01f53dc34ef3180e555d40b331f95f269a0fa.tar.gz | |
xfs: use reference counts to free clean buffer items
When a transaction is cancelled and the buffer log item is clean in
the transaction, the buffer log item is unconditionally freed. If
the log item is in the AIL, however, this leads to a use after free
condition as the item still has other users.
In this case, xfs_buf_item_relse() should only be called on clean
buffer items if the reference count has dropped to zero. This
ensures only the last user frees the item.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
| -rw-r--r-- | fs/xfs/xfs_buf_item.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index 9358504..3a944b1 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -613,11 +613,9 @@ xfs_buf_item_unlock( } } } - if (clean) - xfs_buf_item_relse(bp); - else if (aborted) { + if (clean || aborted) { if (atomic_dec_and_test(&bip->bli_refcount)) { - ASSERT(XFS_FORCED_SHUTDOWN(lip->li_mountp)); + ASSERT(!aborted || XFS_FORCED_SHUTDOWN(lip->li_mountp)); xfs_buf_item_relse(bp); } } else |
