[PATCH] reiserfs use-after-free fix

From: Chris Mason <mason@suse.com>

reiserfs-delayed-work started using queue_delayed_work, but did not make sure
the timer was finished before it freed the work queue structs during unmount.
This leads to timer oopsen if you unmount at just the right time.

diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index f1624617cc9db54233d78c6aa4dd56de590dbc02..42425d8b657bf6bbe0a04fa689990ef2421c8825 100644 (file)
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -1657,6 +1657,7 @@ static int do_journal_release(struct reiserfs_transaction_handle *th, struct sup
 
   reiserfs_mounted_fs_count-- ;
   /* wait for all commits to finish */
+  cancel_delayed_work(&SB_JOURNAL(p_s_sb)->j_work);
   flush_workqueue(commit_wq);
   if (!reiserfs_mounted_fs_count) {
     destroy_workqueue(commit_wq);