From e1036d5ff1b51c9c37c3b54166e6a6f3287cb3dd Mon Sep 17 00:00:00 2001
From: Pierre Schweitzer
Date: Tue, 10 May 2016 21:07:56 +0000
Subject: [PATCH] [BTRFS] Cherry pick aa04ca0ea4cadb0c70ff6d659916cc98b7b02c27: uninit: don't free roots before FCBs are freed This avoids use-after-free on shutdown svn path=/trunk/; revision=71314
---
 reactos/drivers/filesystems/btrfs/btrfs.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/reactos/drivers/filesystems/btrfs/btrfs.c b/reactos/drivers/filesystems/btrfs/btrfs.c
index a9fb3e51514..b31059aeb94 100644
--- a/reactos/drivers/filesystems/btrfs/btrfs.c
+++ b/reactos/drivers/filesystems/btrfs/btrfs.c
@@ -2374,6 +2374,13 @@ void STDCALL uninit(device_extension* Vcb, BOOL flush) {
 release_tree_lock(Vcb, TRUE);
 }
+
+ // FIXME - stop async threads
+
+ free_fcb(Vcb->volume_fcb);
+ free_fileref(Vcb->root_fileref);
+
+ // FIXME - free any open fcbs?
 while (!IsListEmpty(&Vcb->roots)) {
 LIST_ENTRY* le = RemoveHeadList(&Vcb->roots);
@@ -2402,9 +2409,6 @@ void STDCALL uninit(device_extension* Vcb, BOOL flush) {
 ExFreePool(c);
 }
- free_fcb(Vcb->volume_fcb);
- free_fileref(Vcb->root_fileref);
-
 for (i = 0; i < Vcb->superblock.num_devices; i++) {
 while (!IsListEmpty(&Vcb->devices[i].disk_holes)) {
 LIST_ENTRY* le = RemoveHeadList(&Vcb->devices[i].disk_holes);
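Review bot: The reordering in the first hunk covers only the two objects the Vcb itself holds (`volume_fcb`, `root_fileref`); the added `// FIXME - free any open fcbs?` concedes that any other FCB still alive here would outlive the roots drained by the `while (!IsListEmpty(&Vcb->roots))` loop directly below, which is the same use-after-free class the commit message describes. The same applies to `// FIXME - stop async threads`: if worker threads can still reach FCBs or roots at this point (not visible in the hunk), these frees race with them. I would state the ordering invariant next to the calls instead of leaving a bare FIXME, e.g. `// FCBs/filerefs must be released before Vcb->roots is drained (presumably each FCB references its root)`, and clear the stale fields once released, `Vcb->volume_fcb = NULL; Vcb->root_fileref = NULL;`, so a later access faults visibly rather than reading freed pool. uninit() begins and ends outside both hunks, so whether later code in it still reads those two fields needs confirming before the NULL assignments go in.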