Btrfs: don't delete fs_roots until after we cleanup the transaction
author: Josef Bacik <jbacik@fusionio.com>
Thu, 6 Jun 2013 14:29:40 +0000 (10:29 -0400)
committer: Chris Mason <chris.mason@fusionio.com>
Sat, 8 Jun 2013 19:07:53 +0000 (15:07 -0400)
We get a use-after-free if we had a transaction to cleanup since there could be
delayed inodes which refer to their respective fs_root.  Thanks,

Reported-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
fs/btrfs/disk-io.c

index e7b3cb5286a5a699c4716a8a5dc2ae6a0e54f622..bdaa092d6296c046458ec7e24da924f64a20e1b5 100644 (file)
@@ -2859,8 +2859,8 @@ fail_qgroup:
        btrfs_free_qgroup_config(fs_info);
 fail_trans_kthread:
        kthread_stop(fs_info->transaction_kthread);
        btrfs_free_qgroup_config(fs_info);
 fail_trans_kthread:
        kthread_stop(fs_info->transaction_kthread);
-       del_fs_roots(fs_info);
        btrfs_cleanup_transaction(fs_info->tree_root);
        btrfs_cleanup_transaction(fs_info->tree_root);
+       del_fs_roots(fs_info);
 fail_cleaner:
        kthread_stop(fs_info->cleaner_kthread);
 
 fail_cleaner:
        kthread_stop(fs_info->cleaner_kthread);
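Review bot: The reordering itself is right, but the ordering dependency is invisible in the code; a future cleanup could swap `del_fs_roots(fs_info);` back above `btrfs_cleanup_transaction(fs_info->tree_root);` in this error path and silently reintroduce the use-after-free. Add a one-line comment above the cleanup call, e.g. `/* delayed inodes in the transaction reference fs_roots: clean up the transaction first */`, so the constraint the commit message describes is documented where it applies.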