fix-mmp-use-after-free-during-umount

   1 ext4: fix mmp use after free during unmount
   2
   3 From: Eric Sandeen <sandeen@redhat.com>
   4
   5 In ext4_put_super, we call brelse on the buffer head containing
   6 the ext4 superblock, but then try to use it when we stop the
   7 mmp thread, because when the thread shuts down it does:
   8
   9 write_mmp_block
  10   ext4_mmp_csum_set
  11     ext4_has_metadata_csum
  12       WARN_ON_ONCE(ext4_has_feature_metadata_csum(sb)...)
  13
  14 which reaches into sb->s_fs_info->s_es->s_feature_ro_compat,
  15 which lives in the superblock buffer s_sbh which we just released.
  16
  17 Fix this by moving the brelse down to a point where we are no
  18 longer using it.
  19
  20 Reported-by: Wang Shu <shuwang@redhat.com>
  21 Signed-off-by: Eric Sandeen <sandeen@redhat.com>
  22 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  23 Reviewed-by: Andreas Dilger <adilger@dilger.ca>
  24 ---
  25  fs/ext4/super.c | 2 +-
  26  1 file changed, 1 insertion(+), 1 deletion(-)
  27
  28 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
  29 index bb3a8edc75db..a526956e49e7 100644
  30 --- a/fs/ext4/super.c
  31 +++ b/fs/ext4/super.c
  32 @@ -863,7 +863,6 @@ static void ext4_put_super(struct super_block *sb)
  33         percpu_counter_destroy(&sbi->s_dirs_counter);
  34         percpu_counter_destroy(&sbi->s_dirtyclusters_counter);
  35         percpu_free_rwsem(&sbi->s_journal_flag_rwsem);
  36 -       brelse(sbi->s_sbh);
  37  #ifdef CONFIG_QUOTA
  38         for (i = 0; i < EXT4_MAXQUOTAS; i++)
  39                 kfree(sbi->s_qf_names[i]);
  40 @@ -895,6 +894,7 @@ static void ext4_put_super(struct super_block *sb)
  41         }
  42         if (sbi->s_mmp_tsk)
  43                 kthread_stop(sbi->s_mmp_tsk);
  44 +       brelse(sbi->s_sbh);
  45         sb->s_fs_info = NULL;
  46         /*
  47          * Now that we are completely done shutting down the