Commit e8b338d6 authored by Andrew Morton, committed by Linus Torvalds

[PATCH] reiserfs use-after-free fix

From: Chris Mason <mason@suse.com>

reiserfs-delayed-work started using queue_delayed_work, but did not make sure
the timer was finished before it freed the work queue structs during unmount. 
This leads to timer oopsen if you unmount at just the right time.
parent f3276a18
...@@ -1657,6 +1657,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th, struct sup ...@@ -1657,6 +1657,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th, struct sup
reiserfs_mounted_fs_count-- ; reiserfs_mounted_fs_count-- ;
/* wait for all commits to finish */ /* wait for all commits to finish */
cancel_delayed_work(&SB_JOURNAL(p_s_sb)->j_work);
flush_workqueue(commit_wq); flush_workqueue(commit_wq);
if (!reiserfs_mounted_fs_count) { if (!reiserfs_mounted_fs_count) {
destroy_workqueue(commit_wq); destroy_workqueue(commit_wq);
......
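Review bot: the added cancel_delayed_work(&SB_JOURNAL(p_s_sb)->j_work) call has no comment of its own, and the existing "wait for all commits to finish" comment now sits directly above it instead of above flush_workqueue(commit_wq), which is the call that actually waits. Suggest a short comment on the new line saying that the pending timer has to be cancelled before the flush so that no timer is left armed when the journal structs are freed during unmount, and moving the original comment back down to the flush. It is also worth confirming that nothing can call queue_delayed_work on j_work again between this cancel and the free; the visible lines show no flag or lock that would prevent a re-arm, and the return value of cancel_delayed_work is ignored.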