The use of journal_release_buffer is unsafe; it can overflow the journal:
When a buffer is stolen from a transaction and later removed from that
transaction with journal_release_buffer, the buffer is not accounted to the
transaction that now "owns" the buffer, and one extra credit appears to be
available.  Don't use journal_release_buffer:

We did rely on the buffer lock to synchronize xattr block accesses, and get
write access to the buffer first to get atomicity.  Return the
mb_cache_entry from ext3_xattr_cache_find instead, and do the check/update
under its lock.  Only get write access when we know we will use the buffer.
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>