Date: Mon, 23 Oct 2006 12:12:25 -0400
From: Jeff Layton <jlayton@redhat.com>
Subject: [RHEL5 Patch] Fix oops in nfs_cancel_commit_list (BZ 210679)

IBM was doing NFS stress testing on the beta kernel with CONFIG_DEBUG_SLAB and noticed an occasional panic in dec_zone_page_state() when called from nfs_cancel_commit_list(). They posted the problem on the nfs@sf.net list and Trond M. eventually posted the following patch that fixed the problem for them.

The patch description explains the problem and solution as well as I can, so here it is. Please ACK.

-- Jeff

commit b6dff26a08189932eeb0fa4261e09e733b0fc540
Author: Trond Myklebust <Trond.Myklebust@netapp.com>
Date: Thu Oct 19 23:28:38 2006 -0700

    [PATCH] NFS: Fix oops in nfs_cancel_commit_list

    Fix two bugs:
    - nfs_inode_remove_request will call nfs_clear_request, so we cannot
      reference req->wb_page after it. Move the call to dec_zone_page_state
      so that it occurs while req->wb_page is still valid.
    - Calling nfs_clear_page_writeback is unnecessary since the radix tree
      tags will have been cleared by the call to nfs_inode_remove_request.
      Replace with a simple call to nfs_unlock_request.

    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/nfs/write.c b/fs/nfs/write.c index ca92ac3..883dd4a 100644 --- a/fs/nfs/write.c +++ b/fs/nfs/write.c @@ -590,10 +590,10 @@ static void nfs_cancel_commit_list(struc while(!list_empty(head)) { req = nfs_list_entry(head->next); + dec_zone_page_state(req->wb_page, NR_UNSTABLE_NFS); nfs_list_remove_request(req); nfs_inode_remove_request(req); - dec_zone_page_state(req->wb_page, NR_UNSTABLE_NFS); - nfs_clear_page_writeback(req); + nfs_unlock_request(req); } }
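
Review bot: The new ordering inside the while loop of nfs_cancel_commit_list() is load-bearing but nothing in the code says so: dec_zone_page_state(req->wb_page, NR_UNSTABLE_NFS) has to run before nfs_inode_remove_request(req), because per the commit message that call reaches nfs_clear_request and req->wb_page cannot be referenced afterwards. A one-line comment above the moved call would keep a later cleanup from reordering it back into the stale req->wb_page access this patch removes. Separately, nfs_unlock_request(req) still uses req after nfs_inode_remove_request(req); the description explains why the radix tree tags need no further clearing, but not what keeps req itself valid at that point, and that deserves a sentence in the description or a comment.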