Commit dd71e33f authored by Andrew Morton, committed by Linus Torvalds

[PATCH] ext3: ext3_writepage race fix

After ext3_writepage() has called block_write_full_page() it will walk the
page's buffer ring dropping the buffer_head refcounts.

It does this wrong - on the final loop it will dereference the buffer_head
which it just dropped the refcount on.  Poisoned oopses have been seen
against bh->b_this_page.

Change it to take a local copy of b_this_page prior to dropping the bh's
refcount.
parent e3380360
...@@ -1026,11 +1026,13 @@ static int walk_page_buffers( handle_t *handle, ...@@ -1026,11 +1026,13 @@ static int walk_page_buffers( handle_t *handle,
unsigned block_start, block_end; unsigned block_start, block_end;
unsigned blocksize = head->b_size; unsigned blocksize = head->b_size;
int err, ret = 0; int err, ret = 0;
struct buffer_head *next;
for ( bh = head, block_start = 0; for ( bh = head, block_start = 0;
ret == 0 && (bh != head || !block_start); ret == 0 && (bh != head || !block_start);
block_start = block_end, bh = bh->b_this_page) block_start = block_end, bh = next)
{ {
next = bh->b_this_page;
block_end = block_start + blocksize; block_end = block_start + blocksize;
if (block_end <= from || block_start >= to) { if (block_end <= from || block_start >= to) {
if (partial && !buffer_uptodate(bh)) if (partial && !buffer_uptodate(bh))
......
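Review bot: The new `next = bh->b_this_page;` line at the top of the loop body has no comment explaining why the pointer is saved before the rest of the iteration runs, so a later cleanup could fold it back into the `for` increment and reintroduce the dereference of a buffer_head whose refcount has already been dropped. Suggest a one-line comment above the assignment stating that bh must not be touched once the per-buffer work is done, as the commit message describes. The remaining `bh != head` test in the loop condition only compares pointer values and does not dereference either one, so it is unaffected; `head->b_size` is read once into `blocksize` before the loop starts, which is also fine.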