Received: with ECARTIS (v1.0.0; list xfs); Thu, 26 Jun 2008 22:09:53 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.3.0-r574664 (2007-09-11) on oss.sgi.com X-Spam-Level: X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.3.0-r574664 Received: from larry.melbourne.sgi.com (larry.melbourne.sgi.com [134.14.52.130]) by oss.sgi.com (8.12.11.20060308/8.12.11/SuSE Linux 0.7) with SMTP id m5R59lV6012248 for ; Thu, 26 Jun 2008 22:09:48 -0700 Received: from [134.14.55.78] (redback.melbourne.sgi.com [134.14.55.78]) by larry.melbourne.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA13726; Fri, 27 Jun 2008 15:10:45 +1000 Message-ID: <48647746.5010007@sgi.com> Date: Fri, 27 Jun 2008 15:14:46 +1000 From: Lachlan McIlroy Reply-To: lachlan@sgi.com User-Agent: Thunderbird 2.0.0.14 (X11/20080421) MIME-Version: 1.0 To: xfs-dev , xfs-oss Subject: [PATCH] Fix use after free when closing log/rt devices Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.91.2/6021/Wed Feb 27 15:55:48 2008 on oss.sgi.com X-Virus-Status: Clean X-archive-position: 16599 X-ecartis-version: Ecartis v1.0.0 Sender: xfs-bounce@oss.sgi.com Errors-to: xfs-bounce@oss.sgi.com X-original-sender: lachlan@sgi.com Precedence: bulk X-list: xfs The call to xfs_free_buftarg() will free the memory used by it's argument so we need to save the bdev to pass to xfs_blkdev_put() Lachlan --- fs/xfs/linux-2.6/xfs_super.c_1.432 2008-06-27 14:51:17.000000000 +1000 +++ fs/xfs/linux-2.6/xfs_super.c 2008-06-27 14:59:26.000000000 +1000 @@ -781,13 +781,17 @@ STATIC void xfs_close_devices( struct xfs_mount *mp) { + struct block_device *bdev; + if (mp->m_logdev_targp && mp->m_logdev_targp != mp->m_ddev_targp) { + bdev = mp->m_logdev_targp->bt_bdev; xfs_free_buftarg(mp->m_logdev_targp); - xfs_blkdev_put(mp->m_logdev_targp->bt_bdev); + xfs_blkdev_put(bdev); } if (mp->m_rtdev_targp) { + bdev = mp->m_rtdev_targp->bt_bdev; xfs_free_buftarg(mp->m_rtdev_targp); - xfs_blkdev_put(mp->m_rtdev_targp->bt_bdev); + xfs_blkdev_put(bdev); } xfs_free_buftarg(mp->m_ddev_targp); }