From: Eric Sandeen <sandeen@redhat.com>
Date: Tue, 28 Oct 2008 13:08:39 -0500
Subject: [fs] ext3: fix accessing freed memory in ext3_abort
Message-id: 49075527.2040505@redhat.com
O-Subject: [PATCH RHEL5.3] ext3: fix a bug accessing freed memory in ext3_abort
Bugzilla: 468547
RH-Acked-by: Josef Bacik <jbacik@redhat.com>
RH-Acked-by: Peter Staubach <staubach@redhat.com>

This is for Bug 468547 - RHEL5.3: Regression in ext3/jbd

This regression was recently found upstream, and we have the patch that
caused it in RHEL5.3 as well.  The author of the original patch
also provided the following fix:

http://marc.info/?l=linux-ext4&m=122510792614385&w=2

It simply NULLs out the journal pointer after journal_destroy(),
so that a subsequent call to ext3_abort() will allow that function
to check whether the journal is NULL, and not call journal_abort()
on the now-freed journal.

Thanks,
-Eric

diff --git a/fs/ext3/super.c b/fs/ext3/super.c
index e79804f..fc9bf9b 100644
--- a/fs/ext3/super.c
+++ b/fs/ext3/super.c
@@ -278,7 +278,8 @@ void ext3_abort (struct super_block * sb, const char * function,
 	EXT3_SB(sb)->s_mount_state |= EXT3_ERROR_FS;
 	sb->s_flags |= MS_RDONLY;
 	EXT3_SB(sb)->s_mount_opt |= EXT3_MOUNT_ABORT;
-	journal_abort(EXT3_SB(sb)->s_journal, -EIO);
+	if (EXT3_SB(sb)->s_journal)
+		journal_abort(EXT3_SB(sb)->s_journal, -EIO);
 }
 
 void ext3_warning (struct super_block * sb, const char * function,
@@ -387,11 +388,14 @@ static void ext3_put_super (struct super_block * sb)
 {
 	struct ext3_sb_info *sbi = EXT3_SB(sb);
 	struct ext3_super_block *es = sbi->s_es;
-	int i;
+	int i, err;
 
 	ext3_xattr_put_super(sb);
-	if (journal_destroy(sbi->s_journal) < 0)
-		ext3_abort(sb, __FUNCTION__, "Couldn't clean up the journal");
+	err = journal_destroy(sbi->s_journal);
+	sbi->s_journal = NULL;
+	if (err < 0)
+		ext3_abort(sb, __func__, "Couldn't clean up the journal");
+
 	if (!(sb->s_flags & MS_RDONLY)) {
 		EXT3_CLEAR_INCOMPAT_FEATURE(sb, EXT3_FEATURE_INCOMPAT_RECOVER);
 		es->s_state = cpu_to_le16(sbi->s_mount_state);