[XFS] Fix use-after-free during log unmount.

Don't reference the log buffer after running the callbacks as the callback
can trigger the log buffers to be freed during unmount.

SGI-PV: 964545
SGI-Modid: xfs-linux-melb:xfs-kern:28567a

Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Tim Shimmin <tes@sgi.com>

fs/xfs/xfs_log.c

@@ -967,14 +967,16 @@ xlog_iodone(xfs_buf_t *bp)
 	} else if (iclog->ic_state & XLOG_STATE_IOERROR) {
 		aborted = XFS_LI_ABORTED;
 	}
+
+	/* log I/O is always issued ASYNC */
+	ASSERT(XFS_BUF_ISASYNC(bp));
 	xlog_state_done_syncing(iclog, aborted);
-	if (!(XFS_BUF_ISASYNC(bp))) {
+	/*
-		/*
+	 * do not reference the buffer (bp) here as we could race
-		 * Corresponding psema() will be done in bwrite().  If we don't
+	 * with it being freed after writing the unmount record to the
-		 * vsema() here, panic.
+	 * log.
-		 */
+	 */
-		XFS_BUF_V_IODONESEMA(bp);
+
-	}
 }	/* xlog_iodone */
 
 /*