[PATCH] ext3: ext3_writepage race fix

After ext3_writepage() has called block_write_full_page() it will walk the page's buffer ring dropping the buffer_head refcounts. It does this wrong - on the final loop it will dereference the buffer_head which it just dropped the refcount on. Poisoned oopses have been seen against bh->b_this_page. Change it to take a local copy of b_this_page prior to dropping the bh's refcount.

[PATCH] ext3: ext3_writepage race fix
After ext3_writepage() has called block_write_full_page() it will walk the page's buffer ring dropping the buffer_head refcounts. It does this wrong - on the final loop it will dereference the buffer_head which it just dropped the refcount on. Poisoned oopses have been seen against bh->b_this_page. Change it to take a local copy of b_this_page prior to dropping the bh's refcount.
dd71e33f · Andrew Morton · Linus Torvalds · e3380360 · dd71e33f
Commit dd71e33f authored Jun 17, 2003 by Andrew Morton Committed by Linus Torvalds Jun 17, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

fs/ext3/inode.c fs/ext3/inode.c +3 -1

No files found.
--- a/fs/ext3/inode.c
+++ b/fs/ext3/inode.c
@@ -1026,11 +1026,13 @@ static int walk_page_buffers(	handle_t *handle,
 	unsigned block_start, block_end;
 	unsigned blocksize = head->b_size;
 	int err, ret = 0;
+	struct buffer_head *next;

 	for (	bh = head, block_start = 0;
 		ret == 0 && (bh != head || !block_start);
-	    	block_start = block_end, bh = bh->b_this_page)
+	    	block_start = block_end, bh = next)
 	{
+		next = bh->b_this_page;
 		block_end = block_start + blocksize;
 		if (block_end <= from || block_start >= to) {
 			if (partial && !buffer_uptodate(bh))