releases/2.6.11.7/ext3-release-race.patch - pub/scm/linux/kernel/git/warthog9/stable-queue - Git at Google

 From linux-kernel-owner+chrisw=40osdl.org-S262440AbVCXKkU@vger.kernel.org  Thu Mar 24 02:42:49 2005
 Date: 	Thu, 24 Mar 2005 11:39:45 +0100
 From: Jan Kara <jack@suse.cz>
 To: Mark Wong <markw@osdl.org>, linux-kernel@vger.kernel.org, sct@redhat.com
 Subject: [PATCH] Prevent race condition in jbd

 From: Stephen Tweedie
 Subject: Prevent race condition in jbd

 This patch from Stephen Tweedie which fixes a race in jbd code (it
 demonstrated itself as more or less random NULL dereferences in the
 journal code).

 Acked-by: Jan Kara <jack@suse.cz>
 Acked-by: Chris Mason <mason@suse.com>
 Signed-off-by: Chris Wright <chrisw@osdl.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 --- linux-2.6-ext3/fs/jbd/transaction.c.=K0000=.orig
 +++ linux-2.6-ext3/fs/jbd/transaction.c
 @@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
  			JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
  			ret = __dispose_buffer(jh,
  					journal->j_running_transaction);
 +			journal_put_journal_head(jh);
  			spin_unlock(&journal->j_list_lock);
  			jbd_unlock_bh_state(bh);
  			spin_unlock(&journal->j_state_lock);
 -			journal_put_journal_head(jh);
  			return ret;
  		} else {
  			/* There is no currently-running transaction. So the
 @@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
  				JBUFFER_TRACE(jh, "give to committing trans");
  				ret = __dispose_buffer(jh,
  					journal->j_committing_transaction);
 +				journal_put_journal_head(jh);
  				spin_unlock(&journal->j_list_lock);
  				jbd_unlock_bh_state(bh);
  				spin_unlock(&journal->j_state_lock);
 -				journal_put_journal_head(jh);
  				return ret;
  			} else {
  				/* The orphan record's transaction has
 @@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
  					journal->j_running_transaction);
  			jh->b_next_transaction = NULL;
  		}
 +		journal_put_journal_head(jh);
  		spin_unlock(&journal->j_list_lock);
  		jbd_unlock_bh_state(bh);
  		spin_unlock(&journal->j_state_lock);
 -		journal_put_journal_head(jh);
  		return 0;
  	} else {
  		/* Good, the buffer belongs to the running transaction.
	From linux-kernel-owner+chrisw=40osdl.org-S262440AbVCXKkU@vger.kernel.org Thu Mar 24 02:42:49 2005
	Date: Thu, 24 Mar 2005 11:39:45 +0100
	From: Jan Kara <jack@suse.cz>
	To: Mark Wong <markw@osdl.org>, linux-kernel@vger.kernel.org, sct@redhat.com
	Subject: [PATCH] Prevent race condition in jbd

	From: Stephen Tweedie
	Subject: Prevent race condition in jbd

	This patch from Stephen Tweedie which fixes a race in jbd code (it
	demonstrated itself as more or less random NULL dereferences in the
	journal code).

	Acked-by: Jan Kara <jack@suse.cz>
	Acked-by: Chris Mason <mason@suse.com>
	Signed-off-by: Chris Wright <chrisw@osdl.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	--- linux-2.6-ext3/fs/jbd/transaction.c.=K0000=.orig
	+++ linux-2.6-ext3/fs/jbd/transaction.c
	@@ -1775,10 +1775,10 @@ static int journal_unmap_buffer(journal_
	JBUFFER_TRACE(jh, "checkpointed: add to BJ_Forget");
	ret = __dispose_buffer(jh,
	journal->j_running_transaction);
	+ journal_put_journal_head(jh);
	spin_unlock(&journal->j_list_lock);
	jbd_unlock_bh_state(bh);
	spin_unlock(&journal->j_state_lock);
	- journal_put_journal_head(jh);
	return ret;
	} else {
	/* There is no currently-running transaction. So the
	@@ -1789,10 +1789,10 @@ static int journal_unmap_buffer(journal_
	JBUFFER_TRACE(jh, "give to committing trans");
	ret = __dispose_buffer(jh,
	journal->j_committing_transaction);
	+ journal_put_journal_head(jh);
	spin_unlock(&journal->j_list_lock);
	jbd_unlock_bh_state(bh);
	spin_unlock(&journal->j_state_lock);
	- journal_put_journal_head(jh);
	return ret;
	} else {
	/* The orphan record's transaction has
	@@ -1813,10 +1813,10 @@ static int journal_unmap_buffer(journal_
	journal->j_running_transaction);
	jh->b_next_transaction = NULL;
	}
	+ journal_put_journal_head(jh);
	spin_unlock(&journal->j_list_lock);
	jbd_unlock_bh_state(bh);
	spin_unlock(&journal->j_state_lock);
	- journal_put_journal_head(jh);
	return 0;
	} else {
	/* Good, the buffer belongs to the running transaction.