The bug: reiser4_writeout() calls jput for jnode
which is already destroyed:
Fix up: take the reference earler (at the point where the
jnode is attached for entd work).
Signed-off-by: Edward Shishkin <edward.shishkin@xxxxxxxxx>
---
fs/reiser4/plugin/file/file.c | 6 ++++--
fs/reiser4/vfs_ops.c | 4 +++-
2 files changed, 7 insertions(+), 3 deletions(-)
Index: linux-2.6.33-rc5-mm1/fs/reiser4/plugin/file/file.c
===================================================================
--- linux-2.6.33-rc5-mm1.orig/fs/reiser4/plugin/file/file.c
+++ linux-2.6.33-rc5-mm1/fs/reiser4/plugin/file/file.c
@@ -824,14 +824,16 @@ int find_or_create_extent(struct page *p
BUG_ON(node->atom == NULL);
JF_CLR(node, JNODE_WRITE_PREPARED);
- jput(node);
if (get_current_context()->entd) {
entd_context *ent = get_entd_context(node->tree->super);
if (ent->cur_request->page == page)
- ent->cur_request->node = node;
+ /* the following reference will be
+ dropped in reiser4_writeout */
+ ent->cur_request->node = jref(node);
}
+ jput(node);
return 0;
}
Index: linux-2.6.33-rc5-mm1/fs/reiser4/vfs_ops.c
===================================================================
--- linux-2.6.33-rc5-mm1.orig/fs/reiser4/vfs_ops.c
+++ linux-2.6.33-rc5-mm1/fs/reiser4/vfs_ops.c
@@ -184,7 +184,7 @@ void reiser4_writeout(struct super_block
* requested page itself - start flush from
* that page
*/
- node = jref(ent->cur_request->node);
+ node = ent->cur_request->node;
}
result = flush_some_atom(node, &nr_submitted, wbc,
@@ -192,6 +192,8 @@ void reiser4_writeout(struct super_block
if (result != 0)
warning("nikita-31001", "Flush failed: %i", result);
if (node)
+ /* drop the reference aquired
+ in find_or_create_extent() */
jput(node);
if (!nr_submitted)
break;
--
To unsubscribe from this list: send the line "unsubscribe reiserfs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
