[XFS] Do not access buffers after dropping reference count
author Lachlan McIlroy <lachlan@sgi.com>
Wed, 13 Aug 2008 05:42:10 +0000 (15:42 +1000)
committer Lachlan McIlroy <lachlan@redback.melbourne.sgi.com>
Wed, 13 Aug 2008 05:42:10 +0000 (15:42 +1000)
We should not access a buffer after dropping its reference count
otherwise we could race with another thread that releases the final
reference count and frees the buffer causing us to access potentially
unmapped memory. The bug this change fixes only occurred on DEBUG XFS since
the offending code was in an ASSERT.

SGI-PV: 984429

SGI-Modid: xfs-linux-melb:xfs-kern:31715a

Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: David Chinner <david@fromorbit.com>
fs/xfs/linux-2.6/xfs_buf.c

index 9cc8f0213095b92e868fa396b099bc13c2a2ec47..9f45c74f1a840a649b7d30bedd11d0514291862e 100644
@@ -838,6 +838,7 @@ xfs_buf_rele(
                return;
        }
 
+       ASSERT(atomic_read(&bp->b_hold) > 0);
        if (atomic_dec_and_lock(&bp->b_hold, &hash->bh_lock)) {
                if (bp->b_relse) {
                        atomic_inc(&bp->b_hold);
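Review bot: the new `ASSERT(atomic_read(&bp->b_hold) > 0);` is placed before `atomic_dec_and_lock()`, where this thread's own reference still pins `bp`, so the read can no longer race with a concurrent `xfs_buf_free()`; it also tightens the invariant from the old `>= 0` to `> 0`, which is the correct precondition for a caller that is about to drop a reference. Since `ASSERT` compiles away on non-DEBUG builds, the commit message could state that this remains a debug-only check and that production builds get no refcount-underflow detection from it.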
@@ -851,11 +852,6 @@ xfs_buf_rele(
                        spin_unlock(&hash->bh_lock);
                        xfs_buf_free(bp);
                }
-       } else {
-               /*
-                * Catch reference count leaks
-                */
-               ASSERT(atomic_read(&bp->b_hold) >= 0);
        }
 }
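Review bot: the removed `else` block dereferenced `bp` after `atomic_dec_and_lock()` returned false, i.e. after this thread had given up its reference, so another caller could take the count to zero and free the buffer between the decrement and the `atomic_read(&bp->b_hold)`; deleting it is the right fix rather than moving the assertion. The removed comment `Catch reference count leaks` was also misleading, since a `>= 0` check on the post-decrement value could only ever catch an underflow, never a leak; the `> 0` assertion added at the top of the function now covers the underflow case before the reference is dropped.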