    jbd2: fix use after free in jbd2_journal_dirty_metadata() · ad56edad
    Jan Kara authored
    jbd2_journal_dirty_metadata() didn't get a reference to the journal_head it
    was working with. This is OK in most of the cases since the journal head
    should be attached to a transaction, but on rare occasions when we are
    journalling data, __ext4_journalled_writepage() can race with
    jbd2_journal_invalidatepage() stripping buffers from a page, and thus the
    journal head can be freed from under the hands of jbd2_journal_dirty_metadata().
    
    Fix the problem by getting its own journal head reference in
    jbd2_journal_dirty_metadata() (and also in jbd2_journal_set_triggers(),
    which can possibly have the same issue).
    Reported-by: Zheng Liu <gnehzuil.liu@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Cc: stable@vger.kernel.org
transaction.c 70.7 KB