xfs: Don't reference the EFI after it is freed

Checking the EFI for whether it is being released from recovery after we've already released the known active reference is a mistake worthy of a brown paper bag. Fix the (now) obvious use after free that it can cause. Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Ben Myers <bpm@sgi.com>
author: Dave Chinner <dchinner@redhat.com> 2013-05-19 23:51:10 (GMT)
committer: Ben Myers <bpm@sgi.com> 2013-05-20 19:29:34 (GMT)
commit: 52c24ad39ff02d7bd73c92eb0c926fb44984a41d (patch)
tree: 66a033ff6538570691dc60957564e3c4f9de38fe /fs/xfs
parent: 28ca489c63e9aceed8801d2f82d731b3c9aa50f5 (diff)
download: linux-52c24ad39ff02d7bd73c92eb0c926fb44984a41d.tar.xz
1 files changed, 3 insertions, 2 deletions
diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
index c0f3750..452920a 100644
--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -305,11 +305,12 @@ xfs_efi_release(xfs_efi_log_item_t	*efip,
 {
 	ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
 	if (atomic_sub_and_test(nextents, &efip->efi_next_extent)) {
-		__xfs_efi_release(efip);
-
 		/* recovery needs us to drop the EFI reference, too */
 		if (test_bit(XFS_EFI_RECOVERED, &efip->efi_flags))
 			__xfs_efi_release(efip);
+
+		__xfs_efi_release(efip);
+		/* efip may now have been freed, do not reference it again. */
 	}
 }
author	Dave Chinner <dchinner@redhat.com>	2013-05-19 23:51:10 (GMT)
committer	Ben Myers <bpm@sgi.com>	2013-05-20 19:29:34 (GMT)
commit	52c24ad39ff02d7bd73c92eb0c926fb44984a41d (patch)
tree	66a033ff6538570691dc60957564e3c4f9de38fe /fs/xfs
parent	28ca489c63e9aceed8801d2f82d731b3c9aa50f5 (diff)
download	linux-52c24ad39ff02d7bd73c92eb0c926fb44984a41d.tar.xz