jbd2: fix use-after-free of transaction_t race

 */

void jbd2_journal_wait_updates(journal_t *journal)

{

	transaction_t *commit_transaction = journal->j_running_transaction;

	DEFINE_WAIT(wait);

	if (!commit_transaction)

		return;

	while (1) {

		/*

		 * Note that the running transaction can get freed under us if

		 * this transaction is getting committed in

		 * jbd2_journal_commit_transaction() ->

		 * jbd2_journal_free_transaction(). This can only happen when we

		 * release j_state_lock -> schedule() -> acquire j_state_lock.

		 * Hence we should everytime retrieve new j_running_transaction

		 * value (after j_state_lock release acquire cycle), else it may

		 * lead to use-after-free of old freed transaction.

		 */

		transaction_t *transaction = journal->j_running_transaction;

	spin_lock(&commit_transaction->t_handle_lock);

	while (atomic_read(&commit_transaction->t_updates)) {

		DEFINE_WAIT(wait);

		if (!transaction)

			break;

		spin_lock(&transaction->t_handle_lock);

		prepare_to_wait(&journal->j_wait_updates, &wait,

				TASK_UNINTERRUPTIBLE);

		if (atomic_read(&commit_transaction->t_updates)) {

			spin_unlock(&commit_transaction->t_handle_lock);

		if (!atomic_read(&transaction->t_updates)) {

			spin_unlock(&transaction->t_handle_lock);

			finish_wait(&journal->j_wait_updates, &wait);

			break;

		}

		spin_unlock(&transaction->t_handle_lock);

		write_unlock(&journal->j_state_lock);

		schedule();

			write_lock(&journal->j_state_lock);

			spin_lock(&commit_transaction->t_handle_lock);

		}

		finish_wait(&journal->j_wait_updates, &wait);

		write_lock(&journal->j_state_lock);

	}

	spin_unlock(&commit_transaction->t_handle_lock);

}

/**

 */

void jbd2_journal_lock_updates(journal_t *journal)

{

	DEFINE_WAIT(wait);

	jbd2_might_wait_for_commit(journal);

	write_lock(&journal->j_state_lock);