3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 18 Aug 2013 18:28:25 +0000 (11:28 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 18 Aug 2013 18:28:25 +0000 (11:28 -0700)
added patches:
jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch

queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch b/queue-3.4/jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch
new file mode 100644 (file)
index 0000000..0791c36
--- /dev/null
@@ -0,0 +1,47 @@
+From 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 12 Aug 2013 09:53:28 -0400
+Subject: jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 91aa11fae1cf8c2fd67be0609692ea9741cdcc43 upstream.
+
+When jbd2_journal_dirty_metadata() returns error,
+__ext4_handle_dirty_metadata() stops the handle. However callers of this
+function do not count with that fact and still happily used now freed
+handle. This use after free can result in various issues but very likely
+we oops soon.
+
+The motivation of adding __ext4_journal_stop() into
+__ext4_handle_dirty_metadata() in commit 9ea7a0df seems to be only to
+improve error reporting. So replace __ext4_journal_stop() with
+ext4_journal_abort_handle() which was there before that commit and add
+WARN_ON_ONCE() to dump stack to provide useful information.
+
+Reported-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4_jbd2.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/ext4_jbd2.c
++++ b/fs/ext4/ext4_jbd2.c
+@@ -109,10 +109,10 @@ int __ext4_handle_dirty_metadata(const c
+       if (ext4_handle_valid(handle)) {
+               err = jbd2_journal_dirty_metadata(handle, bh);
+-              if (err) {
+-                      /* Errors can only happen if there is a bug */
+-                      handle->h_err = err;
+-                      __ext4_journal_stop(where, line, handle);
++              /* Errors can only happen if there is a bug */
++              if (WARN_ON_ONCE(err)) {
++                      ext4_journal_abort_handle(where, line, __func__, bh,
++                                                handle, err);
+               }
+       } else {
+               if (inode)
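Review bot: The comment kept above the new `WARN_ON_ONCE(err)` check in `__ext4_handle_dirty_metadata()` says only that errors indicate a bug; it does not record why the handle is no longer stopped here, which is the invariant this use-after-free fix depends on. Per the commit message, callers keep using the handle after this function returns an error, so I would extend the comment to say so, e.g. `/* Errors can only happen if there is a bug. Abort, but do not stop the handle: callers still use it after we return. */`. Note also that `WARN_ON_ONCE()` dumps the stack only on the first occurrence, so later failures are visible only through whatever `ext4_journal_abort_handle()` reports. The function starts and ends outside the hunk, so whether `err` is still propagated to callers cannot be confirmed from here.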
index 733cb7d551ac251ca148ff906028bbffa30c78be..39ff1ebd971355f171a90d399e24a0b5257b8f77 100644 (file)
@@ -31,3 +31,4 @@ xtensa-replace-xtensa-specific-_f-data-text-by-_s-data-text.patch
 arm-7809-1-perf-fix-event-validation-for-software-group-leaders.patch
 m68k-truncate-base-in-do_div.patch
 m68k-atari-aranym-fix-natfeat-module-support.patch
+jbd2-fix-use-after-free-after-error-in-jbd2_journal_dirty_metadata.patch