rpms/kernel/F-10 ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch, NONE, 1.1.2.1 ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch, NONE, 1.1.2.1 ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch, NONE, 1.1.2.1 ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch, NONE, 1.1.2.1 ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch, NONE, 1.1.2.1 ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch, NONE, 1.1.2.1 ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.33, 1.1206.2.34

[Chuck Ebbert]

Author: cebbert

Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11662

Modified Files:
      Tag: private-fedora-10-2_6_27
	kernel.spec 
Added Files:
      Tag: private-fedora-10-2_6_27
	ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch 
	ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch 
	ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch 
	ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch 
	ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch 
	ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch 
	ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch 
Log Message:
Add ext4 stable patch queue from:
  http://git.kernel.org/?p=linux/kernel/git/tytso/ext4.git;a=shortlog;h=for-stable-2.6.27

ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch:

--- NEW FILE ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch ---
From: Jan Kara <jack at suse.cz>
Date: Tue, 10 Feb 2009 16:15:34 +0000 (-0500)
Subject: jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=19815ad26f2d60e3ce390fca4d18ad729c9f5f42

jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate()

If we race with commit code setting i_transaction to NULL, we could
possibly dereference it.  Proper locking requires the journal pointer
(to access journal->j_list_lock), which we don't have.  So we have to
change the prototype of the function so that filesystem passes us the
journal pointer.  Also add a more detailed comment about why the
function jbd2_journal_begin_ordered_truncate() does what it does and
how it should be used.

Thanks to Dan Carpenter <error27 at gmail.com> for pointing to the
suspitious code.

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
Acked-by: Joel Becker <joel.becker at oracle.com>
CC: linux-ext4 at vger.kernel.org
CC: ocfs2-devel at oss.oracle.com
CC: mfasheh at suse.de
CC: Dan Carpenter <error27 at gmail.com>
(cherry picked from commit 7f5aa215088b817add9c71914b83650bdd49f8a9)
---

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 6e7f085..7b063d4 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -46,8 +46,10 @@
 static inline int ext4_begin_ordered_truncate(struct inode *inode,
 					      loff_t new_size)
 {
-	return jbd2_journal_begin_ordered_truncate(&EXT4_I(inode)->jinode,
-						   new_size);
+	return jbd2_journal_begin_ordered_truncate(
+					EXT4_SB(inode->i_sb)->s_journal,
+					&EXT4_I(inode)->jinode,
+					new_size);
 }
 
 static void ext4_invalidatepage(struct page *page, unsigned long offset);
diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
index e5d5405..92d77c9 100644
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -2049,26 +2049,46 @@ done:
 }
 
 /*
- * This function must be called when inode is journaled in ordered mode
- * before truncation happens. It starts writeout of truncated part in
- * case it is in the committing transaction so that we stand to ordered
- * mode consistency guarantees.
+ * File truncate and transaction commit interact with each other in a
+ * non-trivial way.  If a transaction writing data block A is
+ * committing, we cannot discard the data by truncate until we have
+ * written them.  Otherwise if we crashed after the transaction with
+ * write has committed but before the transaction with truncate has
+ * committed, we could see stale data in block A.  This function is a
+ * helper to solve this problem.  It starts writeout of the truncated
+ * part in case it is in the committing transaction.
+ *
+ * Filesystem code must call this function when inode is journaled in
+ * ordered mode before truncation happens and after the inode has been
+ * placed on orphan list with the new inode size. The second condition
+ * avoids the race that someone writes new data and we start
+ * committing the transaction after this function has been called but
+ * before a transaction for truncate is started (and furthermore it
+ * allows us to optimize the case where the addition to orphan list
+ * happens in the same transaction as write --- we don't have to write
+ * any data in such case).
  */
-int jbd2_journal_begin_ordered_truncate(struct jbd2_inode *inode,
+int jbd2_journal_begin_ordered_truncate(journal_t *journal,
+					struct jbd2_inode *jinode,
 					loff_t new_size)
 {
-	journal_t *journal;
-	transaction_t *commit_trans;
+	transaction_t *inode_trans, *commit_trans;
 	int ret = 0;
 
-	if (!inode->i_transaction && !inode->i_next_transaction)
+	/* This is a quick check to avoid locking if not necessary */
+	if (!jinode->i_transaction)
 		goto out;
-	journal = inode->i_transaction->t_journal;
+	/* Locks are here just to force reading of recent values, it is
+	 * enough that the transaction was not committing before we started
+	 * a transaction adding the inode to orphan list */
 	spin_lock(&journal->j_state_lock);
 	commit_trans = journal->j_committing_transaction;
 	spin_unlock(&journal->j_state_lock);
-	if (inode->i_transaction == commit_trans) {
-		ret = filemap_fdatawrite_range(inode->i_vfs_inode->i_mapping,
+	spin_lock(&journal->j_list_lock);
+	inode_trans = jinode->i_transaction;
+	spin_unlock(&journal->j_list_lock);
+	if (inode_trans == commit_trans) {
+		ret = filemap_fdatawrite_range(jinode->i_vfs_inode->i_mapping,
 			new_size, LLONG_MAX);
 		if (ret)
 			jbd2_journal_abort(journal, ret);
diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
index 2178ebf..d4de187 100644
--- a/fs/ocfs2/journal.h
+++ b/fs/ocfs2/journal.h
@@ -415,4 +415,17 @@ static inline int ocfs2_calc_tree_trunc_credits(struct super_block *sb,
 	return credits;
 }
 
+static inline int ocfs2_jbd2_file_inode(handle_t *handle, struct inode *inode)
+{
+	return jbd2_journal_file_inode(handle, &OCFS2_I(inode)->ip_jinode);
+}
+
+static inline int ocfs2_begin_ordered_truncate(struct inode *inode,
+					       loff_t new_size)
+{
+	return jbd2_journal_begin_ordered_truncate(
+				OCFS2_SB(inode->i_sb)->journal->j_journal,
+				&OCFS2_I(inode)->ip_jinode,
+				new_size);
+}
 #endif /* OCFS2_JOURNAL_H */
diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
index 0e1bd70..df4137e 100644
--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1075,7 +1075,8 @@ extern int	   jbd2_journal_clear_err  (journal_t *);
 extern int	   jbd2_journal_bmap(journal_t *, unsigned long, unsigned long long *);
 extern int	   jbd2_journal_force_commit(journal_t *);
 extern int	   jbd2_journal_file_inode(handle_t *handle, struct jbd2_inode *inode);
-extern int	   jbd2_journal_begin_ordered_truncate(struct jbd2_inode *inode, loff_t new_size);
+extern int	   jbd2_journal_begin_ordered_truncate(journal_t *journal,
+				struct jbd2_inode *inode, loff_t new_size);
 extern void	   jbd2_journal_init_jbd_inode(struct jbd2_inode *jinode, struct inode *inode);
 extern void	   jbd2_journal_release_jbd_inode(journal_t *journal, struct jbd2_inode *jinode);
 

ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch:

--- NEW FILE ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch ---
From: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date: Tue, 10 Feb 2009 16:14:34 +0000 (-0500)
Subject: ext4: Fix lockdep warning
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=4987213505bf23fae20412b31adeff36b41687da

ext4: Fix lockdep warning

We should not call ext4_mb_add_n_trim while holding alloc_semp.

    =============================================
    [ INFO: possible recursive locking detected ]
    2.6.29-rc4-git1-dirty #124
    ---------------------------------------------
    ffsb/3116 is trying to acquire lock:
     (&meta_group_info[i]->alloc_sem){----}, at: [<ffffffff8035a6e8>]
     ext4_mb_load_buddy+0xd2/0x343

    but task is already holding lock:
     (&meta_group_info[i]->alloc_sem){----}, at: [<ffffffff8035a6e8>]
     ext4_mb_load_buddy+0xd2/0x343

http://bugzilla.kernel.org/show_bug.cgi?id=12672

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
(cherry picked from commit ba4439165f0f0d25b2fe065cf0c1ff8130b802eb)
---

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index dbf6c0e..adb23f9 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -4569,23 +4569,26 @@ static int ext4_mb_release_context(struct ext4_allocation_context *ac)
 			pa->pa_free -= ac->ac_b_ex.fe_len;
 			pa->pa_len -= ac->ac_b_ex.fe_len;
 			spin_unlock(&pa->pa_lock);
-			/*
-			 * We want to add the pa to the right bucket.
-			 * Remove it from the list and while adding
-			 * make sure the list to which we are adding
-			 * doesn't grow big.
-			 */
-			if (likely(pa->pa_free)) {
-				spin_lock(pa->pa_obj_lock);
-				list_del_rcu(&pa->pa_inode_list);
-				spin_unlock(pa->pa_obj_lock);
-				ext4_mb_add_n_trim(ac);
-			}
 		}
-		ext4_mb_put_pa(ac, ac->ac_sb, pa);
 	}
 	if (ac->alloc_semp)
 		up_read(ac->alloc_semp);
+	if (pa) {
+		/*
+		 * We want to add the pa to the right bucket.
+		 * Remove it from the list and while adding
+		 * make sure the list to which we are adding
+		 * doesn't grow big.  We need to release
+		 * alloc_semp before calling ext4_mb_add_n_trim()
+		 */
+		if (pa->pa_linear && likely(pa->pa_free)) {
+			spin_lock(pa->pa_obj_lock);
+			list_del_rcu(&pa->pa_inode_list);
+			spin_unlock(pa->pa_obj_lock);
+			ext4_mb_add_n_trim(ac);
+		}
+		ext4_mb_put_pa(ac, ac->ac_sb, pa);
+	}
 	if (ac->ac_bitmap_page)
 		page_cache_release(ac->ac_bitmap_page);
 	if (ac->ac_buddy_page)

ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch:

--- NEW FILE ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch ---
From: Jan Kara <jack at suse.cz>
Date: Tue, 10 Feb 2009 16:27:46 +0000 (-0500)
Subject: jbd2: Fix return value of jbd2_journal_start_commit()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=765ba56963fc62e060678a4c2e788ca46722bf6a

jbd2: Fix return value of jbd2_journal_start_commit()

The function jbd2_journal_start_commit() returns 1 if either a
transaction is committing or the function has queued a transaction
commit. But it returns 0 if we raced with somebody queueing the
transaction commit as well. This resulted in ext4_sync_fs() not
functioning correctly (description from Arthur Jones):

   In the case of a data=ordered umount with pending long symlinks
   which are delayed due to a long list of other I/O on the backing
   block device, this causes the buffer associated with the long
   symlinks to not be moved to the inode dirty list in the second
   phase of fsync_super.  Then, before they can be dirtied again,
   kjournald exits, seeing the UMOUNT flag and the dirty pages are
   never written to the backing block device, causing long symlink
   corruption and exposing new or previously freed block data to
   userspace.

This can be reproduced with a script created by Eric Sandeen
<sandeen at redhat.com>:

        #!/bin/bash

        umount /mnt/test2
        mount /dev/sdb4 /mnt/test2
        rm -f /mnt/test2/*
        dd if=/dev/zero of=/mnt/test2/bigfile bs=1M count=512
        touch /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename
        ln -s /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename
        /mnt/test2/link
        umount /mnt/test2
        mount /dev/sdb4 /mnt/test2
        ls /mnt/test2/

This patch fixes jbd2_journal_start_commit() to always return 1 when
there's a transaction committing or queued for commit.

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
CC: Eric Sandeen <sandeen at redhat.com>
CC: linux-ext4 at vger.kernel.org
(cherry picked from commit c88ccea3143975294f5a52097546bcbb75975f52)
---

diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 52d2bee..ecb2603 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -430,7 +430,7 @@ int __jbd2_log_space_left(journal_t *journal)
 }
 
 /*
- * Called under j_state_lock.  Returns true if a transaction was started.
+ * Called under j_state_lock.  Returns true if a transaction commit was started.
  */
 int __jbd2_log_start_commit(journal_t *journal, tid_t target)
 {
@@ -498,7 +498,8 @@ int jbd2_journal_force_commit_nested(journal_t *journal)
 
 /*
  * Start a commit of the current running transaction (if any).  Returns true
- * if a transaction was started, and fills its tid in at *ptid
+ * if a transaction is going to be committed (or is currently already
+ * committing), and fills its tid in at *ptid
  */
 int jbd2_journal_start_commit(journal_t *journal, tid_t *ptid)
 {
@@ -508,15 +509,19 @@ int jbd2_journal_start_commit(journal_t *journal, tid_t *ptid)
 	if (journal->j_running_transaction) {
 		tid_t tid = journal->j_running_transaction->t_tid;
 
-		ret = __jbd2_log_start_commit(journal, tid);
-		if (ret && ptid)
+		__jbd2_log_start_commit(journal, tid);
+		/* There's a running transaction and we've just made sure
+		 * it's commit has been scheduled. */
+		if (ptid)
 			*ptid = tid;
-	} else if (journal->j_committing_transaction && ptid) {
+		ret = 1;
+	} else if (journal->j_committing_transaction) {
 		/*
 		 * If ext3_write_super() recently started a commit, then we
 		 * have to wait for completion of that transaction
 		 */
-		*ptid = journal->j_committing_transaction->t_tid;
+		if (ptid)
+			*ptid = journal->j_committing_transaction->t_tid;
 		ret = 1;
 	}
 	spin_unlock(&journal->j_state_lock);

ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch:

--- NEW FILE ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch ---
From: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Date: Sat, 14 Feb 2009 15:31:16 +0000 (-0500)
Subject: ext4: Initialize preallocation list_head's properly
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=b700ed3dc05f63c2cb0b39a31d1e21086f021643

ext4: Initialize preallocation list_head's properly

When creating a new ext4_prealloc_space structure, we have to
initialize its list_head pointers before we add them to any prealloc
lists.  Otherwise, with list debug enabled, we will get list
corruption warnings.

Signed-off-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
(cherry picked from commit d794bf8e0936dce45104565cd48c571061f4c1e3)
---

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index adb23f9..39d7cc1 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3802,6 +3802,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 	pa->pa_free = pa->pa_len;
 	atomic_set(&pa->pa_count, 1);
 	spin_lock_init(&pa->pa_lock);
+	INIT_LIST_HEAD(&pa->pa_inode_list);
+	INIT_LIST_HEAD(&pa->pa_group_list);
 	pa->pa_deleted = 0;
 	pa->pa_linear = 0;
 
@@ -3860,6 +3862,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 	atomic_set(&pa->pa_count, 1);
 	spin_lock_init(&pa->pa_lock);
 	INIT_LIST_HEAD(&pa->pa_inode_list);
+	INIT_LIST_HEAD(&pa->pa_group_list);
 	pa->pa_deleted = 0;
 	pa->pa_linear = 1;
 

ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch:

--- NEW FILE ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch ---
From: Wei Yongjun <yjwei at cn.fujitsu.com>
Date: Tue, 10 Feb 2009 14:53:42 +0000 (-0500)
Subject: ext4: Fix to read empty directory blocks correctly in 64k
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=b88c4d940fbea96d7cbd5483ad91dab6a2aff834

ext4: Fix to read empty directory blocks correctly in 64k

The rec_len field in the directory entry is 16 bits, so there was a
problem representing rec_len for filesystems with a 64k block size in
the case where the directory entry takes the entire 64k block.
Unfortunately, there were two schemes that were proposed; one where
all zeros meant 65536 and one where all ones (65535) meant 65536.
E2fsprogs used 0, whereas the kernel used 65535.  Oops.  Fortunately
this case happens extremely rarely, with the most common case being
the lost+found directory, created by mke2fs.

So we will be liberal in what we accept, and accept both encodings,
but we will continue to encode 65536 as 65535.  This will require a
change in e2fsprogs, but with fortunately ext4 filesystems normally
have the dir_index feature enabled, which precludes having a
completely empty directory block.

Signed-off-by: Wei Yongjun <yjwei at cn.fujitsu.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
(cherry picked from commit 7be2baaa0322c59ba888aa5260a8c130666acd41)
---

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 85f58af..f613d57 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -860,7 +860,7 @@ static inline unsigned ext4_rec_len_from_disk(__le16 dlen)
 {
 	unsigned len = le16_to_cpu(dlen);
 
-	if (len == EXT4_MAX_REC_LEN)
+	if (len == EXT4_MAX_REC_LEN || len == 0)
 		return 1 << 16;
 	return len;
 }

ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch:

--- NEW FILE ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch ---
From: Jan Kara <jack at suse.cz>
Date: Sun, 22 Feb 2009 01:37:47 +0000 (-0500)
Subject: Revert "ext4: wait on all pending commits in ext4_sync_fs()"
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=b9eab5ac8eeff5be74ceed5cda3ab590399d89ef

Revert "ext4: wait on all pending commits in ext4_sync_fs()"

This undoes commit 14ce0cb411c88681ab8f3a4c9caa7f42e97a3184.

Since jbd2_journal_start_commit() is now fixed to return 1 when we
started a transaction commit, there's some transaction waiting to be
committed or there's a transaction already committing, we don't
need to call ext4_force_commit() in ext4_sync_fs(). Furthermore
ext4_force_commit() can unnecessarily create sync transaction which is
expensive so it's worthwhile to remove it when we can.

http://bugzilla.kernel.org/show_bug.cgi?id=12224

Signed-off-by: Jan Kara <jack at suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
Cc: Eric Sandeen <sandeen at redhat.com>
Cc: linux-ext4 at vger.kernel.org
(cherry picked from commit 9eddacf9e9c03578ef2c07c9534423e823d677f8)
---

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 5e4491d..db2642a 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2950,14 +2950,14 @@ static void ext4_write_super(struct super_block *sb)
 
 static int ext4_sync_fs(struct super_block *sb, int wait)
 {
-	int ret = 0;
+	tid_t target;
 
 	sb->s_dirt = 0;
-	if (wait)
-		ret = ext4_force_commit(sb);
-	else
-		jbd2_journal_start_commit(EXT4_SB(sb)->s_journal, NULL);
-	return ret;
+	if (jbd2_journal_start_commit(EXT4_SB(sb)->s_journal, &target)) {
+		if (wait)
+			jbd2_log_wait_commit(EXT4_SB(sb)->s_journal, target);
+	}
+	return 0;
 }
 
 /*

ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch:

--- NEW FILE ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch ---
From: Dan Carpenter <error27 at gmail.com>
Date: Mon, 16 Feb 2009 01:02:19 +0000 (-0500)
Subject: ext4: Fix NULL dereference in ext4_ext_migrate()'s error handling
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftytso%2Fext4.git;a=commitdiff_plain;h=ed858e512ee4f761edce33b7c97fcd39a6804c29

ext4: Fix NULL dereference in ext4_ext_migrate()'s error handling

This was found through a code checker (http://repo.or.cz/w/smatch.git/).
It looks like you might be able to trigger the error by trying to migrate
a readonly file system.

Signed-off-by: Dan Carpenter <error27 at gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
(cherry picked from commit 090542641de833c6f756895fc2f139f046e298f9)
---

diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
index f2a9cf4..9aa0fbe 100644
--- a/fs/ext4/migrate.c
+++ b/fs/ext4/migrate.c
@@ -480,7 +480,7 @@ int ext4_ext_migrate(struct inode *inode)
 					+ 1);
 	if (IS_ERR(handle)) {
 		retval = PTR_ERR(handle);
-		goto err_out;
+		return retval;
 	}
 	tmp_inode = ext4_new_inode(handle,
 				inode->i_sb->s_root->d_inode,
@@ -488,8 +488,7 @@ int ext4_ext_migrate(struct inode *inode)
 	if (IS_ERR(tmp_inode)) {
 		retval = -ENOMEM;
 		ext4_journal_stop(handle);
-		tmp_inode = NULL;
-		goto err_out;
+		return retval;
 	}
 	i_size_write(tmp_inode, i_size_read(inode));
 	/*
@@ -617,8 +616,7 @@ err_out:
 
 	ext4_journal_stop(handle);
 
-	if (tmp_inode)
-		iput(tmp_inode);
+	iput(tmp_inode);
 
 	return retval;
 }


Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.33
retrieving revision 1.1206.2.34
diff -u -r1.1206.2.33 -r1.1206.2.34
--- kernel.spec	22 Feb 2009 18:11:39 -0000	1.1206.2.33
+++ kernel.spec	23 Feb 2009 13:45:16 -0000	1.1206.2.34
@@ -746,6 +746,15 @@
 Patch2901: linux-2.6.27.9-ext4-cap-check-delay.patch
 Patch2904: linux-2.6-ext4-ENOSPC-debug.patch
 
+# next round of ext4 patches for -stable
+Patch2910: ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch
+Patch2911: ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch
+Patch2912: ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch
+Patch2913: ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch
+Patch2914: ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch
+Patch2915: ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch
+Patch2916: ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch
+
 # Add better support for DMI-based autoloading
 Patch3110: linux-2.6-dmi-autoload.patch
 
@@ -1169,6 +1178,14 @@
 ApplyPatch linux-2.6.27.9-ext4-cap-check-delay.patch
 ApplyPatch linux-2.6-ext4-ENOSPC-debug.patch
 
+ApplyPatch ext4.git-765ba56963fc62e060678a4c2e788ca46722bf6a.patch
+ApplyPatch ext4.git-b9eab5ac8eeff5be74ceed5cda3ab590399d89ef.patch
+ApplyPatch ext4.git-19815ad26f2d60e3ce390fca4d18ad729c9f5f42.patch
+ApplyPatch ext4.git-b88c4d940fbea96d7cbd5483ad91dab6a2aff834.patch
+ApplyPatch ext4.git-4987213505bf23fae20412b31adeff36b41687da.patch
+ApplyPatch ext4.git-b700ed3dc05f63c2cb0b39a31d1e21086f021643.patch
+ApplyPatch ext4.git-ed858e512ee4f761edce33b7c97fcd39a6804c29.patch
+
 # xfs
 
 # USB
@@ -1941,7 +1958,11 @@
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
-* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com>
+* Mon Feb 23 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.19-170.2.34
+- Add ext4 stable patch queue from:
+  http://git.kernel.org/?p=linux/kernel/git/tytso/ext4.git;a=shortlog;h=for-stable-2.6.27
+
+* Sun Feb 22 2009 Kyle McMartin <kyle at redhat.com> 2.6.27.19-170.2.33
 - Add patch from Paul Moore to fix setsockopt when netlabel is in use (ie:
    when selinux is enabled.) resolves bz#486225.