jbd: Fix oops in journal_remove_journal_head()

	if (jh->b_jlist == BJ_None && !buffer_locked(bh) &&

	    !buffer_dirty(bh) && !buffer_write_io_error(bh)) {

		/*

		 * Get our reference so that bh cannot be freed before

		 * we unlock it

		 */

		get_bh(bh);

		JBUFFER_TRACE(jh, "remove from checkpoint list");

		ret = __journal_remove_checkpoint(jh) + 1;

		jbd_unlock_bh_state(bh);

		journal_remove_journal_head(bh);

		BUFFER_TRACE(bh, "release");

		__brelse(bh);

	} else {

			spin_lock(&journal->j_list_lock);

			goto restart;

		}

		if (buffer_locked(bh)) {

		get_bh(bh);

		if (buffer_locked(bh)) {

			spin_unlock(&journal->j_list_lock);

			jbd_unlock_bh_state(bh);

			wait_on_buffer(bh);

		 */

		released = __journal_remove_checkpoint(jh);

		jbd_unlock_bh_state(bh);

		journal_remove_journal_head(bh);

		__brelse(bh);

	}

		ret = 1;

		if (unlikely(buffer_write_io_error(bh)))

			ret = -EIO;

		get_bh(bh);

		J_ASSERT_JH(jh, !buffer_jbddirty(bh));

		BUFFER_TRACE(bh, "remove from checkpoint");

		__journal_remove_checkpoint(jh);

		spin_unlock(&journal->j_list_lock);

		jbd_unlock_bh_state(bh);

		journal_remove_journal_head(bh);

		__brelse(bh);

	} else {

		/*

/*

 * journal_clean_one_cp_list

 *

 * Find all the written-back checkpoint buffers in the given list and release them.

 * Find all the written-back checkpoint buffers in the given list and release

 * them.

 *

 * Called with the journal locked.

 * Called with j_list_lock held.

 * Returns number of bufers reaped (for debug)

 */

 * checkpoint lists.

 *

 * The function returns 1 if it frees the transaction, 0 otherwise.

 * The function can free jh and bh.

 *

 * This function is called with the journal locked.

 * This function is called with j_list_lock held.

 * This function is called with jbd_lock_bh_state(jh2bh(jh))

 */

	}

	journal = transaction->t_journal;

	JBUFFER_TRACE(jh, "removing from transaction");

	__buffer_unlink(jh);

	jh->b_cp_transaction = NULL;

	journal_put_journal_head(jh);

	if (transaction->t_checkpoint_list != NULL ||

	    transaction->t_checkpoint_io_list != NULL)

		goto out;

	JBUFFER_TRACE(jh, "transaction has no more buffers");

	/*

	 * There is one special case to worry about: if we have just pulled the

	 * The locking here around t_state is a bit sleazy.

	 * See the comment at the end of journal_commit_transaction().

	 */

	if (transaction->t_state != T_FINISHED) {

		JBUFFER_TRACE(jh, "belongs to running/committing transaction");

	if (transaction->t_state != T_FINISHED)

		goto out;

	}

	/* OK, that was the last buffer for the transaction: we can now

	   safely remove this transaction from the log */

	wake_up(&journal->j_wait_logspace);

	ret = 1;

out:

	JBUFFER_TRACE(jh, "exit");

	return ret;

}

	J_ASSERT_JH(jh, buffer_dirty(jh2bh(jh)) || buffer_jbddirty(jh2bh(jh)));

	J_ASSERT_JH(jh, jh->b_cp_transaction == NULL);

	/* Get reference for checkpointing transaction */

	journal_grab_journal_head(jh2bh(jh));

	jh->b_cp_transaction = transaction;

	if (!transaction->t_checkpoint_list) {

			jbd_unlock_bh_state(bh);

			if (locked)

				unlock_buffer(bh);

			journal_remove_journal_head(bh);

			/* One for our safety reference, other for

			 * journal_remove_journal_head() */

			put_bh(bh);

			release_data_buffer(bh);

		}

		}

		if (buffer_jbd(bh) && bh2jh(bh) == jh &&

		    jh->b_transaction == commit_transaction &&

		    jh->b_jlist == BJ_Locked) {

		    jh->b_jlist == BJ_Locked)

			__journal_unfile_buffer(jh);

		jbd_unlock_bh_state(bh);

			journal_remove_journal_head(bh);

			put_bh(bh);

		} else {

			jbd_unlock_bh_state(bh);

		}

		release_data_buffer(bh);

		cond_resched_lock(&journal->j_list_lock);

	}

	while (commit_transaction->t_forget) {

		transaction_t *cp_transaction;

		struct buffer_head *bh;

		int try_to_free = 0;

		jh = commit_transaction->t_forget;

		spin_unlock(&journal->j_list_lock);

		bh = jh2bh(jh);

		/*

		 * Get a reference so that bh cannot be freed before we are

		 * done with it.

		 */

		get_bh(bh);

		jbd_lock_bh_state(bh);

		J_ASSERT_JH(jh,	jh->b_transaction == commit_transaction ||

			jh->b_transaction == journal->j_running_transaction);

			__journal_insert_checkpoint(jh, commit_transaction);

			if (is_journal_aborted(journal))

				clear_buffer_jbddirty(bh);

			JBUFFER_TRACE(jh, "refile for checkpoint writeback");

			__journal_refile_buffer(jh);

			jbd_unlock_bh_state(bh);

		} else {

			J_ASSERT_BH(bh, !buffer_dirty(bh));

			/* The buffer on BJ_Forget list and not jbddirty means

			/*

			 * The buffer on BJ_Forget list and not jbddirty means

			 * it has been freed by this transaction and hence it

			 * could not have been reallocated until this

			 * transaction has committed. *BUT* it could be

			 * reallocated once we have written all the data to

			 * disk and before we process the buffer on BJ_Forget

			 * list. */

			 * list.

			 */

			if (!jh->b_next_transaction)

				try_to_free = 1;

		}

		JBUFFER_TRACE(jh, "refile or unfile freed buffer");

		__journal_refile_buffer(jh);

			if (!jh->b_transaction) {

		jbd_unlock_bh_state(bh);

				 /* needs a brelse */

				journal_remove_journal_head(bh);

		if (try_to_free)

			release_buffer_page(bh);

			} else

				jbd_unlock_bh_state(bh);

		}

		else

			__brelse(bh);

		cond_resched_lock(&journal->j_list_lock);

	}

	spin_unlock(&journal->j_list_lock);

 * When a buffer has its BH_JBD bit set it is immune from being released by

 * core kernel code, mainly via ->b_count.

 *

 * A journal_head may be detached from its buffer_head when the journal_head's

 * b_transaction, b_cp_transaction and b_next_transaction pointers are NULL.

 * Various places in JBD call journal_remove_journal_head() to indicate that the

 * journal_head can be dropped if needed.

 * A journal_head is detached from its buffer_head when the journal_head's

 * b_jcount reaches zero. Running transaction (b_transaction) and checkpoint

 * transaction (b_cp_transaction) hold their references to b_jcount.

 *

 * Various places in the kernel want to attach a journal_head to a buffer_head

 * _before_ attaching the journal_head to a transaction.  To protect the

 *	(Attach a journal_head if needed.  Increments b_jcount)

 *	struct journal_head *jh = journal_add_journal_head(bh);

 *	...

 *      (Get another reference for transaction)

 *      journal_grab_journal_head(bh);

 *      jh->b_transaction = xxx;

 *      (Put original reference)

 *      journal_put_journal_head(jh);

 *

 * Now, the journal_head's b_jcount is zero, but it is safe from being released

 * because it has a non-zero b_transaction.

 */

/*

 * Give a buffer_head a journal_head.

 *

 * Doesn't need the journal lock.

 * May sleep.

 */

struct journal_head *journal_add_journal_head(struct buffer_head *bh)

	struct journal_head *jh = bh2jh(bh);

	J_ASSERT_JH(jh, jh->b_jcount >= 0);

	get_bh(bh);

	if (jh->b_jcount == 0) {

		if (jh->b_transaction == NULL &&

				jh->b_next_transaction == NULL &&

				jh->b_cp_transaction == NULL) {

	J_ASSERT_JH(jh, jh->b_transaction == NULL);

	J_ASSERT_JH(jh, jh->b_next_transaction == NULL);

	J_ASSERT_JH(jh, jh->b_cp_transaction == NULL);

	J_ASSERT_JH(jh, jh->b_jlist == BJ_None);

	J_ASSERT_BH(bh, buffer_jbd(bh));

	J_ASSERT_BH(bh, jh2bh(jh) == bh);

	BUFFER_TRACE(bh, "remove journal_head");

	if (jh->b_frozen_data) {

				printk(KERN_WARNING "%s: freeing "

						"b_frozen_data\n",

						__func__);

		printk(KERN_WARNING "%s: freeing b_frozen_data\n", __func__);

		jbd_free(jh->b_frozen_data, bh->b_size);

	}

	if (jh->b_committed_data) {

				printk(KERN_WARNING "%s: freeing "

						"b_committed_data\n",

						__func__);

		printk(KERN_WARNING "%s: freeing b_committed_data\n", __func__);

		jbd_free(jh->b_committed_data, bh->b_size);

	}

	bh->b_private = NULL;

	jh->b_bh = NULL;	/* debug, really */

	clear_buffer_jbd(bh);

			__brelse(bh);

	journal_free_journal_head(jh);

		} else {

			BUFFER_TRACE(bh, "journal_head was locked");

		}

	}

}

/*

 * journal_remove_journal_head(): if the buffer isn't attached to a transaction

 * and has a zero b_jcount then remove and release its journal_head.   If we did

 * see that the buffer is not used by any transaction we also "logically"

 * decrement ->b_count.

 *

 * We in fact take an additional increment on ->b_count as a convenience,

 * because the caller usually wants to do additional things with the bh

 * after calling here.

 * The caller of journal_remove_journal_head() *must* run __brelse(bh) at some

 * time.  Once the caller has run __brelse(), the buffer is eligible for

 * reaping by try_to_free_buffers().

 */

void journal_remove_journal_head(struct buffer_head *bh)

{

	jbd_lock_bh_journal_head(bh);

	__journal_remove_journal_head(bh);

	jbd_unlock_bh_journal_head(bh);

}

/*

 * Drop a reference on the passed journal_head.  If it fell to zero then try to

 * Drop a reference on the passed journal_head.  If it fell to zero then

 * release the journal_head from the buffer_head.

 */

void journal_put_journal_head(struct journal_head *jh)

	jbd_lock_bh_journal_head(bh);

	J_ASSERT_JH(jh, jh->b_jcount > 0);

	--jh->b_jcount;

	if (!jh->b_jcount && !jh->b_transaction) {

	if (!jh->b_jcount) {

		__journal_remove_journal_head(bh);

		jbd_unlock_bh_journal_head(bh);

		__brelse(bh);

	}

	} else

		jbd_unlock_bh_journal_head(bh);

}

	if (!jh->b_transaction) {

		JBUFFER_TRACE(jh, "no transaction");

		J_ASSERT_JH(jh, !jh->b_next_transaction);

		jh->b_transaction = transaction;

		JBUFFER_TRACE(jh, "file as BJ_Reserved");

		spin_lock(&journal->j_list_lock);

		__journal_file_buffer(jh, transaction, BJ_Reserved);

		 * committed and so it's safe to clear the dirty bit.

		 */

		clear_buffer_dirty(jh2bh(jh));

		jh->b_transaction = transaction;

		/* first access by this transaction */

		jh->b_modified = 0;

				ret = -EIO;

				goto no_journal;

			}

			if (jh->b_transaction != NULL) {

			/* We might have slept so buffer could be refiled now */

			if (jh->b_transaction != NULL &&

			    jh->b_transaction != handle->h_transaction) {

				JBUFFER_TRACE(jh, "unfile from commit");

				__journal_temp_unlink_buffer(jh);

				/* It still points to the committing

		if (jh->b_jlist != BJ_SyncData && jh->b_jlist != BJ_Locked) {

			JBUFFER_TRACE(jh, "not on correct data list: unfile");

			J_ASSERT_JH(jh, jh->b_jlist != BJ_Shadow);

			__journal_temp_unlink_buffer(jh);

			jh->b_transaction = handle->h_transaction;

			JBUFFER_TRACE(jh, "file as data");

			__journal_file_buffer(jh, handle->h_transaction,

						BJ_SyncData);

			__journal_file_buffer(jh, transaction, BJ_Forget);

		} else {

			__journal_unfile_buffer(jh);

			journal_remove_journal_head(bh);

			__brelse(bh);

			if (!buffer_jbd(bh)) {

				spin_unlock(&journal->j_list_lock);

				jbd_unlock_bh_state(bh);

		mark_buffer_dirty(bh);	/* Expose it to the VM */

}

/*

 * Remove buffer from all transactions.

 *

 * Called with bh_state lock and j_list_lock

 *

 * jh and bh may be already freed when this function returns.

 */

void __journal_unfile_buffer(struct journal_head *jh)

{

	__journal_temp_unlink_buffer(jh);

	jh->b_transaction = NULL;

	journal_put_journal_head(jh);

}

void journal_unfile_buffer(journal_t *journal, struct journal_head *jh)

{

	jbd_lock_bh_state(jh2bh(jh));

	struct buffer_head *bh = jh2bh(jh);

	/* Get reference so that buffer cannot be freed before we unlock it */

	get_bh(bh);

	jbd_lock_bh_state(bh);

	spin_lock(&journal->j_list_lock);

	__journal_unfile_buffer(jh);

	spin_unlock(&journal->j_list_lock);

	jbd_unlock_bh_state(jh2bh(jh));

	jbd_unlock_bh_state(bh);

	__brelse(bh);

}

/*

			/* A written-back ordered data buffer */

			JBUFFER_TRACE(jh, "release data");

			__journal_unfile_buffer(jh);

			journal_remove_journal_head(bh);

			__brelse(bh);

		}

	} else if (jh->b_cp_transaction != NULL && jh->b_transaction == NULL) {

		/* written-back checkpointed metadata buffer */

		if (jh->b_jlist == BJ_None) {

			JBUFFER_TRACE(jh, "remove from checkpoint list");

			__journal_remove_checkpoint(jh);

			journal_remove_journal_head(bh);

			__brelse(bh);

		}

	}

	spin_unlock(&journal->j_list_lock);

		/*

		 * We take our own ref against the journal_head here to avoid

		 * having to add tons of locking around each instance of

		 * journal_remove_journal_head() and journal_put_journal_head().

		 * journal_put_journal_head().

		 */

		jh = journal_grab_journal_head(bh);

		if (!jh)

	int may_free = 1;

	struct buffer_head *bh = jh2bh(jh);

	__journal_unfile_buffer(jh);

	if (jh->b_cp_transaction) {

		JBUFFER_TRACE(jh, "on running+cp transaction");

		__journal_temp_unlink_buffer(jh);

		/*

		 * We don't want to write the buffer anymore, clear the

		 * bit so that we don't confuse checks in

		may_free = 0;

	} else {

		JBUFFER_TRACE(jh, "on running transaction");

		journal_remove_journal_head(bh);

		__brelse(bh);

		__journal_unfile_buffer(jh);

	}

	return may_free;

}

	if (jh->b_transaction)

		__journal_temp_unlink_buffer(jh);

	else

		journal_grab_journal_head(bh);

	jh->b_transaction = transaction;

	switch (jlist) {

 * already started to be used by a subsequent transaction, refile the

 * buffer on that transaction's metadata list.

 *

 * Called under journal->j_list_lock

 *

 * Called under j_list_lock

 * Called under jbd_lock_bh_state(jh2bh(jh))

 *

 * jh and bh may be already free when this function returns

 */

void __journal_refile_buffer(struct journal_head *jh)

{

	was_dirty = test_clear_buffer_jbddirty(bh);

	__journal_temp_unlink_buffer(jh);

	/*

	 * We set b_transaction here because b_next_transaction will inherit

	 * our jh reference and thus __journal_file_buffer() must not take a

	 * new one.

	 */

	jh->b_transaction = jh->b_next_transaction;

	jh->b_next_transaction = NULL;

	if (buffer_freed(bh))

}

/*

 * For the unlocked version of this call, also make sure that any

 * hanging journal_head is cleaned up if necessary.

 * __journal_refile_buffer() with necessary locking added. We take our bh

 * reference so that we can safely unlock bh.

 *

 * __journal_refile_buffer is usually called as part of a single locked

 * operation on a buffer_head, in which the caller is probably going to

 * be hooking the journal_head onto other lists.  In that case it is up

 * to the caller to remove the journal_head if necessary.  For the

 * unlocked journal_refile_buffer call, the caller isn't going to be

 * doing anything else to the buffer so we need to do the cleanup

 * ourselves to avoid a jh leak.

 *

 * *** The journal_head may be freed by this call! ***

 * The jh and bh may be freed by this call.

 */

void journal_refile_buffer(journal_t *journal, struct journal_head *jh)

{

	struct buffer_head *bh = jh2bh(jh);

	/* Get reference so that buffer cannot be freed before we unlock it */

	get_bh(bh);

	jbd_lock_bh_state(bh);

	spin_lock(&journal->j_list_lock);

	__journal_refile_buffer(jh);

	jbd_unlock_bh_state(bh);

	journal_remove_journal_head(bh);

	spin_unlock(&journal->j_list_lock);

	__brelse(bh);

}

 */

struct journal_head *journal_add_journal_head(struct buffer_head *bh);

struct journal_head *journal_grab_journal_head(struct buffer_head *bh);

void journal_remove_journal_head(struct buffer_head *bh);

void journal_put_journal_head(struct journal_head *jh);

/*