From: Eric Sandeen <sandeen@redhat.com> Date: Tue, 28 Oct 2008 13:08:39 -0500 Subject: [fs] ext3: fix accessing freed memory in ext3_abort Message-id: 49075527.2040505@redhat.com O-Subject: [PATCH RHEL5.3] ext3: fix a bug accessing freed memory in ext3_abort Bugzilla: 468547 RH-Acked-by: Josef Bacik <jbacik@redhat.com> RH-Acked-by: Peter Staubach <staubach@redhat.com> This is for Bug 468547 - RHEL5.3: Regression in ext3/jbd This regression was recently found upstream, and we have the patch that caused it in RHEL5.3 as well. The author of the original patch also provided the following fix: http://marc.info/?l=linux-ext4&m=122510792614385&w=2 It simply NULLs out the journal pointer after journal_destroy(), so that a subsequent call to ext3_abort() will allow that function to check whether the journal is NULL, and not call journal_abort() on the now-freed journal. Thanks, -Eric diff --git a/fs/ext3/super.c b/fs/ext3/super.c index e79804f..fc9bf9b 100644 --- a/fs/ext3/super.c +++ b/fs/ext3/super.c @@ -278,7 +278,8 @@ void ext3_abort (struct super_block * sb, const char * function, EXT3_SB(sb)->s_mount_state |= EXT3_ERROR_FS; sb->s_flags |= MS_RDONLY; EXT3_SB(sb)->s_mount_opt |= EXT3_MOUNT_ABORT; - journal_abort(EXT3_SB(sb)->s_journal, -EIO); + if (EXT3_SB(sb)->s_journal) + journal_abort(EXT3_SB(sb)->s_journal, -EIO); } void ext3_warning (struct super_block * sb, const char * function, 
@@ -387,11 +388,14 @@ static void ext3_put_super (struct super_block * sb) { struct ext3_sb_info *sbi = EXT3_SB(sb); struct ext3_super_block *es = sbi->s_es; - int i; + int i, err; ext3_xattr_put_super(sb); - if (journal_destroy(sbi->s_journal) < 0) - ext3_abort(sb, __FUNCTION__, "Couldn't clean up the journal"); + err = journal_destroy(sbi->s_journal); + sbi->s_journal = NULL; + if (err < 0) + ext3_abort(sb, __func__, "Couldn't clean up the journal"); + if (!(sb->s_flags & MS_RDONLY)) { EXT3_CLEAR_INCOMPAT_FEATURE(sb, EXT3_FEATURE_INCOMPAT_RECOVER); es->s_state = cpu_to_le16(sbi->s_mount_state);
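Review bot: the NULL guard added to ext3_abort() in the first hunk (`if (EXT3_SB(sb)->s_journal) journal_abort(...)`) only prevents the use-after-free if every path that calls journal_destroy() also clears `s_journal` afterwards; in this patch only ext3_put_super() does so, so any other journal_destroy() caller in super.c (for example error paths during mount) should be checked for the same pattern. Also note the guard silently skips journal_abort() when the journal is gone while still setting EXT3_MOUNT_ABORT and MS_RDONLY, which is the intended behaviour here, so a one-line comment above the check explaining that `s_journal == NULL` means the journal has already been destroyed would help the next reader.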
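Review bot: in the second hunk the ordering is right, since `sbi->s_journal = NULL` is assigned before `ext3_abort()` is reached via `if (err < 0)`, so the abort path sees a NULL journal rather than the freed one; but nothing after this point in ext3_put_super() may dereference `sbi->s_journal` any more, and the remaining body of the function is not in the visible context, so that should be confirmed before merging. The `__FUNCTION__` to `__func__` change and the added blank line are unrelated cleanups mixed into the fix; they are harmless, but the commit message does not mention them.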