nilfs2: fix buffer head leak in nilfs_btnode_submit_block

nilfs_btnode_submit_block() refers to buffer head just before returning from the function, but it releases the buffer head earlier than that if nilfs_dat_translate() gets an error. This has potential for oops in the erroneous case. This fixes the issue. Signed-off-by: N Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

nilfs2: fix buffer head leak in nilfs_btnode_submit_block
nilfs_btnode_submit_block() refers to buffer head just before returning from the function, but it releases the buffer head earlier than that if nilfs_dat_translate() gets an error. This has potential for oops in the erroneous case. This fixes the issue. Signed-off-by: N Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
f8e6cc01 · Ryusuke Konishi · 7c397a81 · f8e6cc01
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

fs/nilfs2/btnode.c fs/nilfs2/btnode.c +4 -2

未找到文件。
--- a/fs/nilfs2/btnode.c
+++ b/fs/nilfs2/btnode.c
@@ -100,6 +100,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
 {
 	struct buffer_head *bh;
 	struct inode *inode = NILFS_BTNC_I(btnc);
+	struct page *page;
 	int err;
 	bh = nilfs_grab_buffer(inode, btnc, blocknr, 1 << BH_NILFS_Node);
@@ -107,6 +108,7 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
 		return -ENOMEM;
 	err = -EEXIST; /* internal code */
+	page = bh->b_page;
 	if (buffer_uptodate(bh) || buffer_dirty(bh))
 		goto found;
@@ -143,8 +145,8 @@ int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr,
 	*pbh = bh;
 out_locked:
-	unlock_page(bh->b_page);
+	unlock_page(page);
-	page_cache_release(bh->b_page);
+	page_cache_release(page);
 	return err;
 }