Re: Fw: [Bugme-new] [Bug 9849] New: NULL pointer deref in journal_wait_on_commit_record

["Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>]

On Wed, Jan 30, 2008 at 03:17:57PM -0800, Mingming Cao wrote:
> 
> The buufer head pointer passed to journal_wait_on_commit_record() could
> be NULL if the previous journal_submit_commit_record() failed or journal
> has already aborted.
> 
> Looking at the jbd2 debug messages, before the oops happen, the jbd2 is
> aborted due to trying to access the next log block beyond the end of
> device. This might be caused by using a corrupted image.
> 
> We need to check the error returns from journal_submit_commit_record()
> and avoid calling journal_wait_on_commit_record() in the failure case.
> 
> Signed-off-by: Mingming Cao <cmm@us.ibm.com>
> The buufer head pointer passed to journal_wait_on_commit_record()
> could be NULL if the previous journal_submit_commit_record() failed
> or journal has already aborted.
> 
> We need to check the error returns from journal_submit_commit_record()
> and avoid calling journal_wait_on_commit_record() in the failure case.
> 
> Signed-off-by: Mingming Cao <cmm@us.ibm.com>
> ---
>  fs/jbd2/commit.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Index: linux-2.6.24-rc8/fs/jbd2/commit.c
> ===================================================================
> --- linux-2.6.24-rc8.orig/fs/jbd2/commit.c	2008-01-30 14:12:10.000000000 -0800
> +++ linux-2.6.24-rc8/fs/jbd2/commit.c	2008-01-30 15:09:50.000000000 -0800
> @@ -872,7 +872,8 @@ wait_for_iobuf:
>  		if (err)
>  			__jbd2_journal_abort_hard(journal);
>  	}
> -	err = journal_wait_on_commit_record(cbh);
> +	if (!err && !is_journal_aborted(journal))
> +		err = journal_wait_on_commit_record(cbh);
> 
>  	if (err)
>  		jbd2_journal_abort(journal, err);
> 
> 

Needs the below small change also. I don't see this patch in the patch
queue. So i guess we can add the below diff to the same. The change was
suggested by Girish. Before journal checksum changes sync_dirty_buffer
did the get_bh.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>

diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
index da8d0eb..2b88ab0 100644
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -136,7 +136,7 @@ static int journal_submit_commit_record(journal_t *journal,
 
 	JBUFFER_TRACE(descriptor, "submit commit block");
 	lock_buffer(bh);
-
+	get_bh(bh);
 	set_buffer_dirty(bh);
 	set_buffer_uptodate(bh);
 	bh->b_end_io = journal_end_buffer_io_sync;