Received: with ECARTIS (v1.0.0; list xfs); Thu, 26 Jun 2008 23:31:24 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.3.0-r574664 (2007-09-11) on oss.sgi.com
X-Spam-Level: 
X-Spam-Status: No, score=-2.5 required=5.0 tests=AWL,BAYES_00 autolearn=ham
	version=3.3.0-r574664
Received: from cuda.sgi.com (cuda1.sgi.com [192.48.168.28])
	by oss.sgi.com (8.12.11.20060308/8.12.11/SuSE Linux 0.7) with ESMTP id m5R6VJed026490
	for <xfs@oss.sgi.com>; Thu, 26 Jun 2008 23:31:20 -0700
X-ASG-Debug-ID: 1214548339-513003a90000-NocioJ
X-Barracuda-URL: http://cuda.sgi.com:80/cgi-bin/mark.cgi
Received: from bombadil.infradead.org (localhost [127.0.0.1])
	by cuda.sgi.com (Spam Firewall) with ESMTP
	id BD0D9D64581; Thu, 26 Jun 2008 23:32:19 -0700 (PDT)
Received: from bombadil.infradead.org (bombadil.infradead.org [18.85.46.34]) by cuda.sgi.com with ESMTP id E8n6P7WUhyldjEdA; Thu, 26 Jun 2008 23:32:19 -0700 (PDT)
Received: from hch by bombadil.infradead.org with local (Exim 4.68 #1 (Red Hat Linux))
	id 1KC7VL-0008Pj-AD; Fri, 27 Jun 2008 06:32:19 +0000
Date: Fri, 27 Jun 2008 02:32:19 -0400
From: Christoph Hellwig <hch@infradead.org>
To: Lachlan McIlroy <lachlan@sgi.com>
Cc: xfs-dev <xfs-dev@sgi.com>, xfs-oss <xfs@oss.sgi.com>
X-ASG-Orig-Subj: Re: [PATCH] Fix use after free when closing log/rt devices
Subject: Re: [PATCH] Fix use after free when closing log/rt devices
Message-ID: <20080627063219.GA25015@infradead.org>
References: <48647746.5010007@sgi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <48647746.5010007@sgi.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
X-SRS-Rewrite: SMTP reverse-path rewritten from <hch@infradead.org> by bombadil.infradead.org
	See http://www.infradead.org/rpr.html
X-Barracuda-Connect: bombadil.infradead.org[18.85.46.34]
X-Barracuda-Start-Time: 1214548340
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210
X-Barracuda-Virus-Scanned: by cuda.sgi.com at sgi.com
X-Barracuda-Spam-Score: -1.42
X-Barracuda-Spam-Status: No, SCORE=-1.42 using per-user scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.1 tests=MARKETING_SUBJECT
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.54459
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	0.60 MARKETING_SUBJECT      Subject contains popular marketing words
X-Virus-Scanned: ClamAV 0.91.2/6021/Wed Feb 27 15:55:48 2008 on oss.sgi.com
X-Virus-Status: Clean
X-archive-position: 16600
X-ecartis-version: Ecartis v1.0.0
Sender: xfs-bounce@oss.sgi.com
Errors-to: xfs-bounce@oss.sgi.com
X-original-sender: hch@infradead.org
Precedence: bulk
X-list: xfs

On Fri, Jun 27, 2008 at 03:14:46PM +1000, Lachlan McIlroy wrote:
> The call to xfs_free_buftarg() will free the memory used by it's argument
> so we need to save the bdev to pass to xfs_blkdev_put()
>
> Lachlan
>
> --- fs/xfs/linux-2.6/xfs_super.c_1.432	2008-06-27 14:51:17.000000000 +1000
> +++ fs/xfs/linux-2.6/xfs_super.c	2008-06-27 14:59:26.000000000 +1000
> @@ -781,13 +781,17 @@ STATIC void
> xfs_close_devices(
> 	struct xfs_mount	*mp)
> {
> +	struct block_device	*bdev;
> +
> 	if (mp->m_logdev_targp && mp->m_logdev_targp != mp->m_ddev_targp) {
> +		bdev = mp->m_logdev_targp->bt_bdev;
> 		xfs_free_buftarg(mp->m_logdev_targp);
> -		xfs_blkdev_put(mp->m_logdev_targp->bt_bdev);
> +		xfs_blkdev_put(bdev);
> 	}
> 	if (mp->m_rtdev_targp) {
> +		bdev = mp->m_rtdev_targp->bt_bdev;
> 		xfs_free_buftarg(mp->m_rtdev_targp);
> -		xfs_blkdev_put(mp->m_rtdev_targp->bt_bdev);
> +		xfs_blkdev_put(bdev);
> 	}

Looks good, alhough two local variables inside the ifs might be cleaner:

	if (mp->m_logdev_targp && mp->m_logdev_targp != mp->m_ddev_targp) {
		struct block_device *logdev = mp->m_logdev_targp->bt_bdev;

		xfs_free_buftarg(mp->m_logdev_targp);
		xfs_blkdev_put(logdev);
	}

	...