From: Nick Piggin Fix a race where __block_prepare_write can leak out an in-flight read against a bh if get_block returns an error. This can lead to the page becoming unlocked while the buffer is locked and the read still in flight. __mpage_writepage BUGs on this condition. BUG sighted on a 2-way Itanium2 system with 16K PAGE_SIZE running fsstress -v -d $DIR/tmp -n 1000 -p 1000 -l 2 where $DIR is a new ext2 filesystem with 4K blocks that is quite small (causing get_block to fail often with -ENOSPC). Signed-off-by: Nick Piggin Signed-off-by: Andrew Morton --- fs/buffer.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff -puN fs/buffer.c~fix-race-in-__block_prepare_write fs/buffer.c --- 25/fs/buffer.c~fix-race-in-__block_prepare_write 2005-04-26 02:05:34.940899600 -0700 +++ 25-akpm/fs/buffer.c 2005-04-26 02:05:34.946898688 -0700 @@ -1952,7 +1952,7 @@ static int __block_prepare_write(struct if (!buffer_mapped(bh)) { err = get_block(inode, block, bh, 1); if (err) - goto out; + break; if (buffer_new(bh)) { clear_buffer_new(bh); unmap_underlying_metadata(bh->b_bdev, @@ -1994,10 +1994,12 @@ static int __block_prepare_write(struct while(wait_bh > wait) { wait_on_buffer(*--wait_bh); if (!buffer_uptodate(*wait_bh)) - return -EIO; + err = -EIO; } - return 0; -out: + if (!err) + return err; + + /* Error case: */ /* * Zero out any newly allocated blocks to avoid exposing stale * data. If BH_New is set, we know that the block was newly _