ext3_orphan_del may double-decrement bh->b_count

From: Jeff Mahoney
Date: Wed Jun 02 2004 - 15:02:38 EST

Next message: Hugh Dickins: "[PATCH] swapper_space.i_mmap_nonlinear"
Previous message: viro: "Re: [RFC PATCH] explicitly mark recursion count"
Next in thread: Andrew Morton: "Re: ext3_orphan_del may double-decrement bh->b_count"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew -

Chris Mason and I ran across this one while hunting down another bug.

If ext3_mark_iloc_dirty() fails in ext3_orphan_del() on the outer
buffer, bh->b_count will be decremented twice. ext3_mark_iloc_dirty()
will brelse the buffer, even on error. ext3_orphan_del() is explicity
brelse'ing the buffer on error. Prior to calling ext3_mark_iloc_dirty(),
this is the correct behavior.

Fix attached.

- -Jeff

- --
Jeff Mahoney
SuSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAvjI1LPWxlyuTD7IRAht5AJ9sM8mN2TiLb+RFCqHF/Fj/pVsuCgCfWXse
izGrI5bgD1zhoM5sqXgkM5Q=
=Td4v
-----END PGP SIGNATURE-----
#
# ext3_mark_iloc_dirty brelse's the buffer even on error,
# jumping to the out_brelse label causes a double decrement to occur.
#
--- linux-2.5.orig/fs/ext3/namei.c.orig 2004-06-02 11:46:52.903565552 -0400
+++ linux-2.5/fs/ext3/namei.c 2004-06-02 11:47:00.494411568 -0400
@@ -1963,7 +1963,7 @@
NEXT_ORPHAN(inode) = 0;
err = ext3_mark_iloc_dirty(handle, inode, &iloc);
if (err)
- goto out_brelse;
+ goto out_err;

out_err:
ext3_std_error(inode->i_sb, err);

Next message: Hugh Dickins: "[PATCH] swapper_space.i_mmap_nonlinear"
Previous message: viro: "Re: [RFC PATCH] explicitly mark recursion count"
Next in thread: Andrew Morton: "Re: ext3_orphan_del may double-decrement bh->b_count"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]