[PATCH] splice: fix double page unlock
author Jens Axboe <jens.axboe@oracle.com>
Fri, 20 Jul 2007 13:21:36 +0000 (15:21 +0200)
committer Willy Tarreau <w@1wt.eu>
Sat, 25 Aug 2007 15:24:04 +0000 (17:24 +0200)
If add_to_page_cache_lru() fails, the page will not be locked. But
splice jumps to an error path that does a page release and unlock,
causing a BUG() in unlock_page().

Fix this by adding one more label that just releases the page. This bug
was actually triggered on EL5 by gurudas pai <gurudas.pai@oracle.com>
using fio.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
fs/splice.c

index 2fca6ebf4cc2d17ceb05ccb6cbe7f93ab3571a87..b6572170280fbcdea88a3e45fa44c4d5f12f31ac 100644 (file)
@@ -614,7 +614,7 @@ find_page:
                        ret = add_to_page_cache_lru(page, mapping, index,
                                                    GFP_KERNEL);
                        if (unlikely(ret))
-                               goto out;
+                               goto out_release;
                }
 
                /*
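Review bot: the new "goto out_release" under "if (unlikely(ret))" carries no comment saying why this one failure path must skip unlock_page(). A one-line comment at the goto stating that the page is not locked when add_to_page_cache_lru() fails would stop a later cleanup from folding it back into "out", since the label name alone does not document the lock state.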
@@ -695,8 +695,9 @@ find_page:
                goto find_page;
        }
 out:
-       page_cache_release(page);
        unlock_page(page);
+out_release:
+       page_cache_release(page);
 out_ret:
        return ret;
 }
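Review bot: at the "out:" label, moving unlock_page(page) ahead of page_cache_release(page) also changes the teardown order for every existing "goto out" caller, and the changelog does not mention it. Unlocking while the reference is still held is the correct order, so the change is welcome, but it deserves a sentence in the commit message. The remaining "goto out" sites between the two hunks are not visible here and should each be confirmed to be reached with the page locked, otherwise the same BUG() in unlock_page() remains reachable.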