releases/5.10.43/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 011b28acf940eb61c000059dd9e2cfcbf52ed96b Mon Sep 17 00:00:00 2001
 From: Josef Bacik <josef@toxicpanda.com>
 Date: Wed, 19 May 2021 13:13:15 -0400
 Subject: btrfs: fixup error handling in fixup_inode_link_counts

 From: Josef Bacik <josef@toxicpanda.com>

 commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream.

 This function has the following pattern

 	while (1) {
 		ret = whatever();
 		if (ret)
 			goto out;
 	}
 	ret = 0
 out:
 	return ret;

 However several places in this while loop we simply break; when there's
 a problem, thus clearing the return value, and in one case we do a
 return -EIO, and leak the memory for the path.

 Fix this by re-arranging the loop to deal with ret == 1 coming from
 btrfs_search_slot, and then simply delete the

 	ret = 0;
 out:

 bit so everybody can break if there is an error, which will allow for
 proper error handling to occur.

 CC: stable@vger.kernel.org # 4.4+
 Signed-off-by: Josef Bacik <josef@toxicpanda.com>
 Reviewed-by: David Sterba <dsterba@suse.com>
 Signed-off-by: David Sterba <dsterba@suse.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  fs/btrfs/tree-log.c |   13 +++++++------
  1 file changed, 7 insertions(+), 6 deletions(-)

 --- a/fs/btrfs/tree-log.c
 +++ b/fs/btrfs/tree-log.c
 @@ -1752,6 +1752,7 @@ static noinline int fixup_inode_link_cou
  			break;

  		if (ret == 1) {
 +			ret = 0;
  			if (path->slots[0] == 0)
  				break;
  			path->slots[0]--;
 @@ -1764,17 +1765,19 @@ static noinline int fixup_inode_link_cou

  		ret = btrfs_del_item(trans, root, path);
  		if (ret)
 -			goto out;
 +			break;

  		btrfs_release_path(path);
  		inode = read_one_inode(root, key.offset);
 -		if (!inode)
 -			return -EIO;
 +		if (!inode) {
 +			ret = -EIO;
 +			break;
 +		}

  		ret = fixup_inode_link_count(trans, root, inode);
  		iput(inode);
  		if (ret)
 -			goto out;
 +			break;

  		/*
  		 * fixup on a directory may create new entries,
 @@ -1783,8 +1786,6 @@ static noinline int fixup_inode_link_cou
  		 */
  		key.offset = (u64)-1;
  	}
 -	ret = 0;
 -out:
  	btrfs_release_path(path);
  	return ret;
  }
	From 011b28acf940eb61c000059dd9e2cfcbf52ed96b Mon Sep 17 00:00:00 2001
	From: Josef Bacik <josef@toxicpanda.com>
	Date: Wed, 19 May 2021 13:13:15 -0400
	Subject: btrfs: fixup error handling in fixup_inode_link_counts

	From: Josef Bacik <josef@toxicpanda.com>

	commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream.

	This function has the following pattern

	while (1) {
	ret = whatever();
	if (ret)
	goto out;
	}
	ret = 0
	out:
	return ret;

	However several places in this while loop we simply break; when there's
	a problem, thus clearing the return value, and in one case we do a
	return -EIO, and leak the memory for the path.

	Fix this by re-arranging the loop to deal with ret == 1 coming from
	btrfs_search_slot, and then simply delete the

	ret = 0;
	out:

	bit so everybody can break if there is an error, which will allow for
	proper error handling to occur.

	CC: stable@vger.kernel.org # 4.4+
	Signed-off-by: Josef Bacik <josef@toxicpanda.com>
	Reviewed-by: David Sterba <dsterba@suse.com>
	Signed-off-by: David Sterba <dsterba@suse.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	fs/btrfs/tree-log.c \| 13 +++++++------
	1 file changed, 7 insertions(+), 6 deletions(-)

	--- a/fs/btrfs/tree-log.c
	+++ b/fs/btrfs/tree-log.c
	@@ -1752,6 +1752,7 @@ static noinline int fixup_inode_link_cou
	break;

	if (ret == 1) {
	+ ret = 0;
	if (path->slots[0] == 0)
	break;
	path->slots[0]--;
	@@ -1764,17 +1765,19 @@ static noinline int fixup_inode_link_cou

	ret = btrfs_del_item(trans, root, path);
	if (ret)
	- goto out;
	+ break;

	btrfs_release_path(path);
	inode = read_one_inode(root, key.offset);
	- if (!inode)
	- return -EIO;
	+ if (!inode) {
	+ ret = -EIO;
	+ break;
	+ }

	ret = fixup_inode_link_count(trans, root, inode);
	iput(inode);
	if (ret)
	- goto out;
	+ break;

	/*
	* fixup on a directory may create new entries,
	@@ -1783,8 +1786,6 @@ static noinline int fixup_inode_link_cou
	*/
	key.offset = (u64)-1;
	}
	- ret = 0;
	-out:
	btrfs_release_path(path);
	return ret;
	}