summaryrefslogtreecommitdiffstats
path: root/fs/ext4
diff options
context:
space:
mode:
authorEric Sandeen <sandeen@redhat.com>2016-11-26 14:24:51 -0500
committerTheodore Ts'o <tytso@mit.edu>2016-11-26 14:24:51 -0500
commit9060dd2c5036b12132f9b97e3486ca6422d5bdfc (patch)
treed37b9d76081781a38165e9d31d55726db76bfbd3 /fs/ext4
parent4f5a763c9a0d4b179064d51dddde8421fdbb76c7 (diff)
downloadlinux-9060dd2c5036b12132f9b97e3486ca6422d5bdfc.tar.bz2
ext4: fix mmp use after free during unmount
In ext4_put_super, we call brelse on the buffer head containing the ext4 superblock, but then try to use it when we stop the mmp thread, because when the thread shuts down it does: write_mmp_block ext4_mmp_csum_set ext4_has_metadata_csum WARN_ON_ONCE(ext4_has_feature_metadata_csum(sb)...) which reaches into sb->s_fs_info->s_es->s_feature_ro_compat, which lives in the superblock buffer s_sbh which we just released. Fix this by moving the brelse down to a point where we are no longer using it. Reported-by: Wang Shu <shuwang@redhat.com> Signed-off-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Diffstat (limited to 'fs/ext4')
-rw-r--r--fs/ext4/super.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index bb3a8edc75db..a526956e49e7 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -863,7 +863,6 @@ static void ext4_put_super(struct super_block *sb)
percpu_counter_destroy(&sbi->s_dirs_counter);
percpu_counter_destroy(&sbi->s_dirtyclusters_counter);
percpu_free_rwsem(&sbi->s_journal_flag_rwsem);
- brelse(sbi->s_sbh);
#ifdef CONFIG_QUOTA
for (i = 0; i < EXT4_MAXQUOTAS; i++)
kfree(sbi->s_qf_names[i]);
@@ -895,6 +894,7 @@ static void ext4_put_super(struct super_block *sb)
}
if (sbi->s_mmp_tsk)
kthread_stop(sbi->s_mmp_tsk);
+ brelse(sbi->s_sbh);
sb->s_fs_info = NULL;
/*
* Now that we are completely done shutting down the