Commit bac8dca9, author: Christoph Hellwig, committer: Niv Sardi

[XFS] fix NULL pointer dereference in xfs_log_force_umount

xfs_log_force_umount may be called very early during log recovery where

If we fail a buffer read in xlog_recover_do_inode_trans we abort the mount.
But at that point log recovery has started delayed writeback of inode
buffers.   As part of the aborted mount we try to flush out all delwri
buffers, but at that point we have already freed the superblock, and set
mp->m_sb_bp to NULL, and xfs_log_force_umount which gets called after
the inode buffer writeback trips over it.

Make xfs_log_force_umount a little more careful when accessing mp->m_sb_bp
to avoid this.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Sandeen <sandeen@sandeen.net>
Signed-off-by: Niv Sardi <xaiki@sgi.com>
Parent b5a20aa2
...@@ -3569,6 +3569,7 @@ xfs_log_force_umount( ...@@ -3569,6 +3569,7 @@ xfs_log_force_umount(
if (!log || if (!log ||
log->l_flags & XLOG_ACTIVE_RECOVERY) { log->l_flags & XLOG_ACTIVE_RECOVERY) {
mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN; mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
if (mp->m_sb_bp)
XFS_BUF_DONE(mp->m_sb_bp); XFS_BUF_DONE(mp->m_sb_bp);
return 0; return 0;
} }
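Review bot: The new `if (mp->m_sb_bp)` guard in the early-return branch (`!log || log->l_flags & XLOG_ACTIVE_RECOVERY`) carries no comment saying when the superblock buffer can be NULL. The commit message explains that an aborted mount has already freed the superblock and set mp->m_sb_bp to NULL before the delwri buffers are flushed; a one-line comment to that effect above the check would keep a later cleanup from dropping it as dead code. Setting XFS_MOUNT_FS_SHUTDOWN unconditionally before the guard looks right, since the shutdown flag should not depend on the buffer being present.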
...@@ -3590,7 +3591,9 @@ xfs_log_force_umount( ...@@ -3590,7 +3591,9 @@ xfs_log_force_umount(
spin_lock(&log->l_icloglock); spin_lock(&log->l_icloglock);
spin_lock(&log->l_grant_lock); spin_lock(&log->l_grant_lock);
mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN; mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
if (mp->m_sb_bp)
XFS_BUF_DONE(mp->m_sb_bp); XFS_BUF_DONE(mp->m_sb_bp);
/* /*
* This flag is sort of redundant because of the mount flag, but * This flag is sort of redundant because of the mount flag, but
* it's good to maintain the separation between the log and the rest * it's good to maintain the separation between the log and the rest
......
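Review bot: The same two-line guard is open-coded a second time here, under l_icloglock and l_grant_lock. Nothing in the visible lines shows that either lock serializes against the teardown path that sets mp->m_sb_bp to NULL, so please confirm the pointer cannot be cleared between the test and `XFS_BUF_DONE(mp->m_sb_bp)`, or read it once into a local and use that. Folding the check and the XFS_BUF_DONE call into one small helper shared by both sites would also keep the two paths from drifting apart.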