diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index f0f7bc5d2e4a05f020fe2ee91e8ea72e3f2779fb..6f4598583f578c587ab8f09ad1b703d96fbbd1ae 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -9700,6 +9700,18 @@ static int btrfs_rename_exchange(struct inode *old_dir, commit_transaction = true; } if (commit_transaction) { + /* + * We may have set commit_transaction when logging the new name + * in the destination root, in which case we left the source + * root context in the list of log contextes. So make sure we + * remove it to avoid invalid memory accesses, since the context + * was allocated in our stack frame. + */ + if (sync_log_root) { + mutex_lock(&root->log_mutex); + list_del_init(&ctx_root.list); + mutex_unlock(&root->log_mutex); + } ret = btrfs_commit_transaction(trans); } else { int ret2; @@ -9713,6 +9725,9 @@ static int btrfs_rename_exchange(struct inode *old_dir, if (old_ino == BTRFS_FIRST_FREE_OBJECTID) up_read(&fs_info->subvol_sem); + ASSERT(list_empty(&ctx_root.list)); + ASSERT(list_empty(&ctx_dest.list)); + return ret; }