On Mon, Aug 12, 2013 at 08:50:11PM +1000, Dave Chinner wrote:
> From: Dave Chinner <dchinner@xxxxxxxxxx>
>
> When a transaction is cancelled and the buffer log item is clean in
> the transaction, the buffer log item is unconditionally freed. If
> the log item is in the AIL, however, this leads to a use after free
> condition as the item still has other users.
>
> In this case, xfs_buf_item_relse() should only be called on clean
> buffer items if the reference count has dropped to zero. This
> ensures only the last user frees the item.
>
> Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>

Applied.

_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs
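
Added example, not part of the original message or of the XFS source: a simplified user-space C model of the rule in the quoted commit message, where a clean item is freed on cancel only once its reference count reaches zero. The struct, its fields and all function names are hypothetical, and the model assumes each user of the item holds one reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; every name is hypothetical, not XFS code. */
struct log_item {
    int  refcount;  /* assumption: one reference per current user of the item */
    bool dirty;     /* modified by the transaction being cancelled */
    bool freed;     /* stands in for the real free so the demo stays defined */
};

/* Pre-fix: a clean item is freed on cancel whoever else still holds it. */
static void cancel_unconditional(struct log_item *it)
{
    it->refcount--;
    if (!it->dirty)
        it->freed = true;
}

/* Post-fix: a clean item is freed only when the last reference is dropped. */
static void cancel_refcounted(struct log_item *it)
{
    if (--it->refcount == 0 && !it->dirty)
        it->freed = true;
}

/* Users still holding a freed item after cancel; non-zero means use after free. */
static int dangling_after_cancel(bool fixed, int other_users)
{
    struct log_item it = { .refcount = 1 + other_users };
    (fixed ? cancel_refcounted : cancel_unconditional)(&it);
    return it.freed ? it.refcount : 0;
}

/* With the fix the item is not leaked: the last user's put releases it. */
static bool freed_by_last_put(int other_users)
{
    struct log_item it = { .refcount = 1 + other_users };
    cancel_refcounted(&it);
    while (it.refcount > 0)
        it.freed = (--it.refcount == 0);
    return it.freed;
}

int main(void)
{
    printf("dangling pre-fix %d, post-fix %d, freed by last put %d\n",
           dangling_after_cancel(false, 1), dangling_after_cancel(true, 1), freed_by_last_put(1));
    return 0;
}
```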