[PATCH] fix NULL pointer dereference in xfs_log_force_umount

[PATCH] fix NULL pointer dereference in xfs_log_force_umount

[Christoph Hellwig]

xfs_log_force_umount may be called very early during log recovery where

If we fail a buffer read in xlog_recover_do_inode_trans we abort the mount.
But at that point log recovery has started delayed writeback of inode
buffers.   As part of the aborted mount we try to flush out all delwri
buffers, but at that point we have already freed the superblock, and set
mp->m_sb_bp to NULL, and xfs_log_force_umount which gets called after
the inode buffer writeback trips over it.

Make xfs_log_force_umounr a little more careful when accessing mp->m_sb_bp
to avoid this.


Signed-off-by: Christoph Hellwig <hch@lst.de>

Index: xfs-2.6/fs/xfs/xfs_log.c
===================================================================
--- xfs-2.6.orig/fs/xfs/xfs_log.c	2008-11-21 17:07:30.000000000 +0100
+++ xfs-2.6/fs/xfs/xfs_log.c	2008-11-21 17:13:02.000000000 +0100
@@ -3525,7 +3525,8 @@ xfs_log_force_umount(
 	if (!log ||
 	    log->l_flags & XLOG_ACTIVE_RECOVERY) {
 		mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
-		XFS_BUF_DONE(mp->m_sb_bp);
+		if (mp->m_sb_bp)
+			XFS_BUF_DONE(mp->m_sb_bp);
 		return 0;
 	}
 
@@ -3546,7 +3547,9 @@ xfs_log_force_umount(
 	spin_lock(&log->l_icloglock);
 	spin_lock(&log->l_grant_lock);
 	mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
-	XFS_BUF_DONE(mp->m_sb_bp);
+	if (mp->m_sb_bp)
+		XFS_BUF_DONE(mp->m_sb_bp);
+
 	/*
 	 * This flag is sort of redundant because of the mount flag, but
 	 * it's good to maintain the separation between the log and the rest

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH] fix NULL pointer dereference in xfs_log_force_umount

[Eric Sandeen]

Christoph Hellwig wrote:
> xfs_log_force_umount may be called very early during log recovery where
> 
> If we fail a buffer read in xlog_recover_do_inode_trans we abort the mount.
> But at that point log recovery has started delayed writeback of inode
> buffers.   As part of the aborted mount we try to flush out all delwri
> buffers, but at that point we have already freed the superblock, and set
> mp->m_sb_bp to NULL, and xfs_log_force_umount which gets called after
> the inode buffer writeback trips over it.
> 
> Make xfs_log_force_umounr a little more careful when accessing mp->m_sb_bp
> to avoid this.

Seems fine (btw:  s/unmounr/unmount/)  ;)

-eric

> 
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> 
> Index: xfs-2.6/fs/xfs/xfs_log.c
> ===================================================================
> --- xfs-2.6.orig/fs/xfs/xfs_log.c	2008-11-21 17:07:30.000000000 +0100
> +++ xfs-2.6/fs/xfs/xfs_log.c	2008-11-21 17:13:02.000000000 +0100
> @@ -3525,7 +3525,8 @@ xfs_log_force_umount(
>  	if (!log ||
>  	    log->l_flags & XLOG_ACTIVE_RECOVERY) {
>  		mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
> -		XFS_BUF_DONE(mp->m_sb_bp);
> +		if (mp->m_sb_bp)
> +			XFS_BUF_DONE(mp->m_sb_bp);
>  		return 0;
>  	}
>  
> @@ -3546,7 +3547,9 @@ xfs_log_force_umount(
>  	spin_lock(&log->l_icloglock);
>  	spin_lock(&log->l_grant_lock);
>  	mp->m_flags |= XFS_MOUNT_FS_SHUTDOWN;
> -	XFS_BUF_DONE(mp->m_sb_bp);
> +	if (mp->m_sb_bp)
> +		XFS_BUF_DONE(mp->m_sb_bp);
> +
>  	/*
>  	 * This flag is sort of redundant because of the mount flag, but
>  	 * it's good to maintain the separation between the log and the rest
> 
> _______________________________________________
> xfs mailing list
> xfs@oss.sgi.com
> http://oss.sgi.com/mailman/listinfo/xfs
> 

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs