Commit f8e6cc013b896d75d6ce4ec9e168014af1257fd8
1 parent
7c397a81fe
Exists in
master
and in
4 other branches
nilfs2: fix buffer head leak in nilfs_btnode_submit_block
nilfs_btnode_submit_block() refers to buffer head just before returning from the function, but it releases the buffer head earlier than that if nilfs_dat_translate() gets an error. This has potential for oops in the erroneous case. This fixes the issue. Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
fs/nilfs2/btnode.c
| ... | ... | @@ -100,6 +100,7 @@ |
| 100 | 100 | { |
| 101 | 101 | struct buffer_head *bh; |
| 102 | 102 | struct inode *inode = NILFS_BTNC_I(btnc); |
| 103 | + struct page *page; | |
| 103 | 104 | int err; |
| 104 | 105 | |
| 105 | 106 | bh = nilfs_grab_buffer(inode, btnc, blocknr, 1 << BH_NILFS_Node); |
| ... | ... | @@ -107,6 +108,7 @@ |
| 107 | 108 | return -ENOMEM; |
| 108 | 109 | |
| 109 | 110 | err = -EEXIST; /* internal code */ |
| 111 | + page = bh->b_page; | |
| 110 | 112 | |
| 111 | 113 | if (buffer_uptodate(bh) || buffer_dirty(bh)) |
| 112 | 114 | goto found; |
| ... | ... | @@ -143,8 +145,8 @@ |
| 143 | 145 | *pbh = bh; |
| 144 | 146 | |
| 145 | 147 | out_locked: |
| 146 | - unlock_page(bh->b_page); | |
| 147 | - page_cache_release(bh->b_page); | |
| 148 | + unlock_page(page); | |
| 149 | + page_cache_release(page); | |
| 148 | 150 | return err; |
| 149 | 151 | } |
| 150 | 152 |