From: Mingming Cao <cmm@us.ibm.com>

destroy_inode() dereferences inode->i_sb without checking if it is NULL.
This is inconsistent with its callers, iput() and clear_inode(), both of
which check inode->i_sb before dereferencing it.  Since iput() calls
destroy_inode() after calling the file system's .clear_inode method (via
clear_inode()), some file systems might choose to clear i_sb in the
.clear_inode super block operation.  This results in a crash in
destroy_inode().

 25-akpm/fs/inode.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN fs/inode.c~destroy_inode-oops-fix fs/inode.c
--- 25/fs/inode.c~destroy_inode-oops-fix	Mon Nov 24 11:25:06 2003
+++ 25-akpm/fs/inode.c	Mon Nov 24 11:25:06 2003
@@ -160,7 +160,7 @@ void destroy_inode(struct inode *inode) 
 	if (inode_has_buffers(inode))
 		BUG();
 	security_inode_free(inode);
-	if (inode->i_sb->s_op->destroy_inode)
+	if (inode->i_sb && inode->i_sb->s_op->destroy_inode)
 		inode->i_sb->s_op->destroy_inode(inode);
 	else
 		kmem_cache_free(inode_cachep, (inode));
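Review bot: the NULL check on inode->i_sb at line 25 of the hunk silently changes which allocator frees the inode, which can be worse than the oops it avoids. When a file system clears i_sb in .clear_inode, the new condition fails and control falls through to `kmem_cache_free(inode_cachep, (inode));`, but an inode that the file system allocated through its own s_op->alloc_inode from a private slab cache must be returned via s_op->destroy_inode, not inode_cachep; freeing it into the generic cache corrupts the slab. Either the change should be accompanied by a statement that file systems must not clear i_sb before destroy_inode() runs (so the check only guards against a real bug, not a supported pattern), or destroy_inode() needs another way to reach the right destructor once i_sb is gone. Also note the check still dereferences inode->i_sb->s_op unconditionally, which is fine as long as every super block sets s_op, but that assumption is worth stating alongside the new NULL test.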
