Btrfs: don't delete fs_roots until after we cleanup the transaction

We get a use after free if we had a transaction to cleanup since there could be delayed inodes which refer to their respective fs_root. Thanks Reported-by: David Sterba <[email protected]> Signed-off-by: Josef Bacik <[email protected]> Signed-off-by: Chris Mason <[email protected]>
kishon · Jun 8, 2013 · 7b5ff90 · 7b5ff90
1 parent c5cb6a0
commit 7b5ff90
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
@@ -2859,8 +2859,8 @@ int open_ctree(struct super_block *sb,
 	btrfs_free_qgroup_config(fs_info);
 fail_trans_kthread:
 	kthread_stop(fs_info->transaction_kthread);
-	del_fs_roots(fs_info);
 	btrfs_cleanup_transaction(fs_info->tree_root);
+	del_fs_roots(fs_info);
 fail_cleaner:
 	kthread_stop(fs_info->cleaner_kthread);