[PATCH] JBD: use-after-free fix

The wait_event() in there can touch the memory at *transaction after kjournald has freed it. Rework the code to not wait until the transaction enters T_FLUSH state: just loop back and try against after the wakeup.

[PATCH] JBD: use-after-free fix
The wait_event() in there can touch the memory at *transaction after kjournald has freed it. Rework the code to not wait until the transaction enters T_FLUSH state: just loop back and try against after the wakeup.
0294f13f · Andrew Morton · Linus Torvalds · c11ea16f · 0294f13f
Commit 0294f13f authored Oct 28, 2003 by Andrew Morton Committed by Linus Torvalds Oct 28, 2003
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

fs/jbd/transaction.c fs/jbd/transaction.c +6 -3

No files found.
--- a/fs/jbd/transaction.c
+++ b/fs/jbd/transaction.c
@@ -147,10 +147,13 @@ static int start_this_handle(journal_t *journal, handle_t *handle)
 	 * lock to be released.
 	 */
 	if (transaction->t_state == T_LOCKED) {
+		DEFINE_WAIT(wait);
+
+		prepare_to_wait(&journal->j_wait_transaction_locked,
+					&wait, TASK_UNINTERRUPTIBLE);
 		spin_unlock(&journal->j_state_lock);
-		jbd_debug(3, "Handle %p stalling...\n", handle);
-		wait_event(journal->j_wait_transaction_locked,
-				transaction->t_state != T_LOCKED);
+		schedule();
+		finish_wait(&journal->j_wait_transaction_locked, &wait);
 		goto repeat;
 	}