projects
/
firefly-linux-kernel-4.4.55.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
a9995ee
)
Btrfs: fix use-after-free bug during umount
author
Liu Bo
<bo.li.liu@oracle.com>
Sun, 26 May 2013 13:50:27 +0000
(13:50 +0000)
committer
Chris Mason
<chris.mason@fusionio.com>
Sat, 8 Jun 2013 19:10:01 +0000
(15:10 -0400)
Commit
be283b2e674a09457d4563729015adb637ce7cc1
( Btrfs: use helper to cleanup tree roots) introduced the following bug,
BUG: unable to handle kernel NULL pointer dereference at
0000000000000034
IP: [<
ffffffffa039368c
>] extent_buffer_get+0x4/0xa [btrfs]
[...]
Pid: 2463, comm: btrfs-cache-1 Tainted: G O 3.9.0+ #4 innotek GmbH VirtualBox/VirtualBox
RIP: 0010:[<
ffffffffa039368c
>] [<
ffffffffa039368c
>] extent_buffer_get+0x4/0xa [btrfs]
Process btrfs-cache-1 (pid: 2463, threadinfo
ffff880112d60000
, task
ffff880117679730
)
[...]
Call Trace:
[<
ffffffffa0398a99
>] btrfs_search_slot+0x104/0x64d [btrfs]
[<
ffffffffa039aea4
>] btrfs_next_old_leaf+0xa7/0x334 [btrfs]
[<
ffffffffa039b141
>] btrfs_next_leaf+0x10/0x12 [btrfs]
[<
ffffffffa039ea13
>] caching_thread+0x1a3/0x2e0 [btrfs]
[<
ffffffffa03d8811
>] worker_loop+0x14b/0x48e [btrfs]
[<
ffffffffa03d86c6
>] ? btrfs_queue_worker+0x25c/0x25c [btrfs]
[<
ffffffff81068d3d
>] kthread+0x8d/0x95
[<
ffffffff81068cb0
>] ? kthread_freezable_should_stop+0x43/0x43
[<
ffffffff8151e5ac
>] ret_from_fork+0x7c/0xb0
[<
ffffffff81068cb0
>] ? kthread_freezable_should_stop+0x43/0x43
RIP [<
ffffffffa039368c
>] extent_buffer_get+0x4/0xa [btrfs]
We've free'ed commit_root before actually getting to free block groups where
caching thread needs valid extent_root->commit_root.
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
fs/btrfs/disk-io.c
patch
|
blob
|
history
diff --git
a/fs/btrfs/disk-io.c
b/fs/btrfs/disk-io.c
index bdaa092d6296c046458ec7e24da924f64a20e1b5..7c66c2314c14021e5488f99ebce182372798bebc 100644
(file)
--- a/
fs/btrfs/disk-io.c
+++ b/
fs/btrfs/disk-io.c
@@
-3512,10
+3512,10
@@
int close_ctree(struct btrfs_root *root)
percpu_counter_sum(&fs_info->delalloc_bytes));
}
- free_root_pointers(fs_info, 1);
-
btrfs_free_block_groups(fs_info);
+ free_root_pointers(fs_info, 1);
+
del_fs_roots(fs_info);
iput(fs_info->btree_inode);