From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nikolay Borisov <nborisov@suse.com>,
Anand Jain <anand.jain@oracle.com>,
Filipe Manana <fdmanana@suse.com>,
David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 01/36] btrfs: fix a block group ref counter leak after failure to remove block group
Date: Tue, 7 Jul 2020 17:16:53 +0200 [thread overview]
Message-ID: <20200707145749.204764338@linuxfoundation.org> (raw)
In-Reply-To: <20200707145749.130272978@linuxfoundation.org>
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 9fecd13202f520f3f25d5b1c313adb740fe19773 ]
When removing a block group, if we fail to delete the block group's item
from the extent tree, we jump to the 'out' label and end up decrementing
the block group's reference count once only (by 1), resulting in a counter
leak because the block group at that point was already removed from the
block group cache rbtree - so we have to decrement the reference count
twice, once for the rbtree and once for our lookup at the start of the
function.
There is a second bug where if removing the free space tree entries (the
call to remove_block_group_free_space()) fails we end up jumping to the
'out_put_group' label but end up decrementing the reference count only
once, when we should have done it twice, since we have already removed
the block group from the block group cache rbtree. This happens because
the reference count decrement for the rbtree reference happens after
attempting to remove the free space tree entries, which is far away from
the place where we remove the block group from the rbtree.
To make things less error prone, decrement the reference count for the
rbtree immediately after removing the block group from it. This also
eleminates the need for two different exit labels on error, renaming
'out_put_label' to just 'out' and removing the old 'out'.
Fixes: f6033c5e333238 ("btrfs: fix block group leak when removing fails")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/extent-tree.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 271e70c45d5bd..ec3aa76d19b7f 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -10286,7 +10286,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
path = btrfs_alloc_path();
if (!path) {
ret = -ENOMEM;
- goto out_put_group;
+ goto out;
}
/*
@@ -10323,7 +10323,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
ret = btrfs_orphan_add(trans, BTRFS_I(inode));
if (ret) {
btrfs_add_delayed_iput(inode);
- goto out_put_group;
+ goto out;
}
clear_nlink(inode);
/* One for the block groups ref */
@@ -10346,13 +10346,13 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1);
if (ret < 0)
- goto out_put_group;
+ goto out;
if (ret > 0)
btrfs_release_path(path);
if (ret == 0) {
ret = btrfs_del_item(trans, tree_root, path);
if (ret)
- goto out_put_group;
+ goto out;
btrfs_release_path(path);
}
@@ -10361,6 +10361,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
&fs_info->block_group_cache_tree);
RB_CLEAR_NODE(&block_group->cache_node);
+ /* Once for the block groups rbtree */
+ btrfs_put_block_group(block_group);
+
if (fs_info->first_logical_byte == block_group->key.objectid)
fs_info->first_logical_byte = (u64)-1;
spin_unlock(&fs_info->block_group_cache_lock);
@@ -10494,10 +10497,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
ret = remove_block_group_free_space(trans, block_group);
if (ret)
- goto out_put_group;
-
- /* Once for the block groups rbtree */
- btrfs_put_block_group(block_group);
+ goto out;
ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
if (ret > 0)
@@ -10525,10 +10525,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
free_extent_map(em);
}
-out_put_group:
+out:
/* Once for the lookup reference */
btrfs_put_block_group(block_group);
-out:
btrfs_free_path(path);
return ret;
}
--
2.25.1
next prev parent reply other threads:[~2020-07-07 15:34 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-07 15:16 [PATCH 4.19 00/36] 4.19.132-rc1 review Greg Kroah-Hartman
2020-07-07 15:16 ` Greg Kroah-Hartman [this message]
2020-07-07 15:16 ` [PATCH 4.19 02/36] mm: fix swap cache node allocation mask Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 4.19 03/36] EDAC/amd64: Read back the scrub rate PCI register on F15h Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 4.19 04/36] usbnet: smsc95xx: Fix use-after-free after removal Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 4.19 05/36] mm/slub.c: fix corrupted freechain in deactivate_slab() Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 4.19 06/36] mm/slub: fix stack overruns with SLUB_STATS Greg Kroah-Hartman
2020-07-07 15:16 ` [PATCH 4.19 07/36] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 08/36] s390/debug: avoid kernel warning on too large number of pages Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 09/36] nvme-multipath: set bdi capabilities once Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 10/36] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
2020-07-07 18:16 ` Pavel Machek
2020-07-08 2:29 ` Sasha Levin
2020-07-07 15:17 ` [PATCH 4.19 11/36] nvme-multipath: fix deadlock between ana_work and scan_work Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 12/36] kgdb: Avoid suspicious RCU usage warning Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 13/36] crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() Greg Kroah-Hartman
2020-07-07 21:25 ` Pavel Machek
2020-07-07 23:38 ` Herbert Xu
2020-07-07 15:17 ` [PATCH 4.19 14/36] drm/msm/dpu: fix error return code in dpu_encoder_init Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 15/36] cxgb4: use unaligned conversion for fetching timestamp Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 16/36] cxgb4: parse TC-U32 key values and masks natively Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 17/36] cxgb4: use correct type for all-mask IP address comparison Greg Kroah-Hartman
2020-07-07 21:33 ` Pavel Machek
2020-07-08 12:36 ` Rahul Lakkireddy
2020-07-07 15:17 ` [PATCH 4.19 18/36] cxgb4: fix SGE queue dump destination buffer context Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 19/36] hwmon: (max6697) Make sure the OVERT mask is set correctly Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 20/36] hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 21/36] drm: sun4i: hdmi: Remove extra HPD polling Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 22/36] virtio-blk: free vblk-vqs in error path of virtblk_probe() Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 23/36] SMB3: Honor posix flag for multiuser mounts Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 24/36] nvme: fix a crash in nvme_mpath_add_disk Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 25/36] i2c: algo-pca: Add 0x78 as SCL stuck low status for PCA9665 Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 26/36] i2c: mlxcpld: check correct size of maximum RECV_LEN packet Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 27/36] nfsd: apply umask on fs without ACL support Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 28/36] Revert "ALSA: usb-audio: Improve frames size computation" Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 29/36] SMB3: Honor seal flag for multiuser mounts Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 30/36] SMB3: Honor persistent/resilient handle flags " Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 31/36] SMB3: Honor lease disabling " Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 32/36] cifs: Fix the target file was deleted when rename failed Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 33/36] MIPS: Add missing EHB in mtc0 -> mfc0 sequence for DSPen Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 34/36] irqchip/gic: Atomically update affinity Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 35/36] dm zoned: assign max_io_len correctly Greg Kroah-Hartman
2020-07-07 15:17 ` [PATCH 4.19 36/36] efi: Make it possible to disable efivar_ssdt entirely Greg Kroah-Hartman
2020-07-08 5:56 ` [PATCH 4.19 00/36] 4.19.132-rc1 review Naresh Kamboju
2020-07-08 8:41 ` Jon Hunter
2020-07-08 10:41 ` Chris Paterson
2020-07-08 15:15 ` Greg Kroah-Hartman
2020-07-08 15:04 ` Shuah Khan
2020-07-08 17:52 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200707145749.204764338@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anand.jain@oracle.com \
--cc=dsterba@suse.com \
--cc=fdmanana@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nborisov@suse.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).