Sophie

kernel-2.6.18-238.el5.src.rpm

From: Larry Woodman <lwoodman@redhat.com>
Date: Tue, 15 Apr 2008 13:31:39 -0400
Subject: [fs] fix bad unlock_page in pipe_to_file() error path
Message-id: 1208280700.19199.27.camel@dhcp83-220.boston.redhat.com
O-Subject: [RHEL5-U3 patch] Fix bad unlock_page() in pipe_to_file() error path
Bugzilla: 439917
RH-Acked-by: Rik van Riel <riel@redhat.com>
RH-Acked-by: Pete Zaitcev <zaitcev@redhat.com>
RH-Acked-by: Jeff Moyer <jmoyer@redhat.com>

If add_to_page_cache_lru() fails in pipe_to_file(), the page will not be
locked. Since the pipe_to_file() code jumps to an error path that does a
page release and unlock, this causes a BUG() in unlock_page().

The attached upstream patch was applied to 2.6.23 and fixes this BUG()
as well as BZ 439917.

diff --git a/fs/splice.c b/fs/splice.c
index d108451..cee12d8 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -615,7 +615,7 @@ find_page:
 			ret = add_to_page_cache_lru(page, mapping, index,
 						    gfp_mask);
 			if (unlikely(ret))
-				goto out;
+				goto out_release;
 		}
 
 		/*
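Review bot: The new `goto out_release` after the failed add_to_page_cache_lru() call is only correct because the page is not locked at that point, and nothing in the code records that. A one-line comment above the goto (for example "page was never locked, only drop the reference") would keep a later cleanup from switching it back to `out`, the label that calls unlock_page().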
@@ -696,8 +696,9 @@ find_page:
 		goto find_page;
 	}
 out:
-	page_cache_release(page);
 	unlock_page(page);
+out_release:
+	page_cache_release(page);
 out_ret:
 	return ret;
 }
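Review bot: At the `out:` label the two calls are also reordered, so unlock_page() now runs before page_cache_release() on every path that reaches `out`, and the commit message does not mention this. The old sequence unlocked the page after this function had already dropped its reference, so the reorder reads as a fix in its own right and should be stated in the changelog. A short comment at `out_release:` saying that callers jumping there must not hold the page lock would also make the fall-through from `out` easier to follow.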