Jan Kara a61d90d75d jbd: fix race in buffer processing in commit code
In commit code, we scan buffers attached to a transaction.  During this
scan, we sometimes have to drop j_list_lock and then we recheck whether
the journal buffer head didn't get freed by journal_try_to_free_buffers().
 But checking for buffer_jbd(bh) isn't enough because a new journal head
could get attached to our buffer head.  So add a check whether the journal
head remained the same and whether it's still at the same transaction and
list.

This is a nasty bug and can cause problems like memory corruption (use after
free) or trigger various assertions in JBD code (observed).

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: <stable@kernel.org>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-06-09 16:59:03 -07:00
..
2009-04-02 19:05:08 -07:00
2009-04-20 23:01:15 -04:00
2009-04-08 10:21:43 -07:00
2009-01-22 13:15:57 +03:00
2009-04-02 19:05:09 -07:00
2009-03-31 19:44:38 +03:00
2009-04-17 09:32:11 -07:00
2009-01-22 13:15:58 +03:00
2009-04-13 15:04:29 -07:00
2009-03-31 23:00:26 -04:00
2009-04-20 23:02:51 -04:00
2009-05-09 10:49:40 -04:00
2009-04-02 19:05:10 -07:00
2009-04-02 19:05:10 -07:00
2009-03-27 14:44:03 -04:00
2009-03-31 23:00:27 -04:00
2009-05-09 10:49:40 -04:00
2009-04-02 19:04:48 -07:00
2009-03-31 23:00:26 -04:00
2009-06-06 14:33:41 -07:00
2009-04-07 08:31:16 -07:00
2009-04-07 08:31:16 -07:00
2009-04-17 07:38:07 -07:00
2009-04-20 23:02:52 -04:00
2009-02-18 15:37:53 -08:00
2009-04-20 23:02:50 -04:00