From Jens Axboe <jens.axboe@oracle.com>
Fri, 20 Jul 2007 13:18:12 +0000 (15:18 +0200)

splice: fix bad unlock_page() in error case

If add_to_page_cache_lru() fails, the page will not be locked. But
splice jumps to an error path that does a page release and unlock,
causing a BUG() in unlock_page().

Fix this by adding one more label that just releases the page. This bug
was actually triggered on EL5 by gurudas pai <gurudas.pai@oracle.com>
using fio.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

---
--- linux-2.6.18.i686/fs/splice.c.orig	2007-07-23 14:03:42.000000000 +0800
+++ linux-2.6.18.i686/fs/splice.c	2007-07-23 16:18:31.000000000 +0800
@@ -614,8 +612,8 @@
 			 */
 			ret = add_to_page_cache_lru(page, mapping, index,
 						    gfp_mask);
-			if (unlikely(ret))
-				goto out;
+			if (unlikely(ret)) 
+				goto out_release;
 		}
 
 		/*
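Review bot: The added `if (unlikely(ret)) ` line has a trailing space after the closing parenthesis, which should be stripped before this is applied. On the logic, the new `goto out_release` is taken only when add_to_page_cache_lru() returns non-zero, which is the case the commit message describes as leaving the page unlocked, so skipping unlock_page() here is the right target. A short comment at the branch saying that the page is not locked on this failure would make clear to later readers why it does not use `out`.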
@@ -696,8 +695,9 @@
 		goto find_page;
 	}
 out:
-	page_cache_release(page);
 	unlock_page(page);
+out_release:
+	page_cache_release(page);
 out_ret:
 	return ret;
 }
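Review bot: The new `out_release:` label relies on fall-through from `out:`, and nothing at the labels documents which one expects a locked page. A one-line comment on each (`out:` for a locked page holding a reference, `out_release:` for an unlocked page holding a reference) would keep future error paths from picking the wrong one. The swap also changes the existing `out:` path to call unlock_page() before page_cache_release(), which is the safer order because the page is unlocked while the reference is still held. It would be worth confirming that every remaining `goto out` in the function is reached with the page locked, since only one call site is converted in this patch.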
