Commit f8e6cc013b896d75d6ce4ec9e168014af1257fd8
1 parent
7c397a81fe
nilfs2: fix buffer head leak in nilfs_btnode_submit_block
nilfs_btnode_submit_block() refers to buffer head just before returning from the function, but it releases the buffer head earlier than that if nilfs_dat_translate() gets an error. This has potential for oops in the erroneous case. This fixes the issue. Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
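--- a/fs/nilfs2/btnode.c
+++ b/fs/nilfs2/btnode.c
@@ -100,6 +100,7 @@
 {
 struct buffer_head *bh;
 struct inode *inode = NILFS_BTNC_I(btnc);
+struct page *page;
 int err;
 
 bh = nilfs_grab_buffer(inode, btnc, blocknr, 1 << BH_NILFS_Node);
@@ -107,6 +108,7 @@
 return -ENOMEM;
 
 err = -EEXIST; /* internal code */
+page = bh->b_page;
 
 if (buffer_uptodate(bh) || buffer_dirty(bh))
 goto found;
@@ -143,8 +145,8 @@
 *pbh = bh;
 
 out_locked:
-unlock_page(bh->b_page);
-page_cache_release(bh->b_page);
+unlock_page(page);
+page_cache_release(page);
 return err;
 }
 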
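Review bot: The new `page = bh->b_page;` assignment in the second hunk has no comment explaining why the page pointer is cached, so a later cleanup could fold it back into `unlock_page(bh->b_page)` at `out_locked` and bring back the dereference of a released buffer head. I would add `/* bh may be released on an error path before out_locked; keep the page pointer */` directly above the assignment. The code that drops bh when nilfs_dat_translate() fails lies between the second and third hunks and is not visible here, so it is worth confirming that it jumps to `out_locked` without passing through `*pbh = bh;`, otherwise the caller would still receive the released pointer. The function's signature and the middle of its body are outside the hunks.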