Hi Chenyuan,
Thanks for reporting this bug.
But the fix looks incorrect. It will commit transaction once more in
normal case.
The simplest way is calling ocfs2_commit_trans() in each of the error
handling path before goto bail.
if (status < 0) {
ocfs2_commit_trans(osb, handle);
mlog_errno(status);
goto bail;
}
Thanks,
Joseph
On 9/8/21 2:26 PM, Chenyuan Mi wrote:
> The reference counting issue happens in two exception handling
> paths of ocfs2_replay_truncate_records(). When executing these
> two exception handling paths, the function forgets to decrease
> the refcount of handle increased by ocfs2_start_trans(), causing
> a refcount leak.
>
> Fix this issue by using ocfs2_commit_trans() to decrease the
> refcount of handle in two handling paths.
>
> Signed-off-by: Chenyuan Mi <[email protected]>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
>
> ---
> fs/ocfs2/alloc.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index f1cc8258d34a..b87960cdda0d 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -5941,7 +5941,7 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
> OCFS2_JOURNAL_ACCESS_WRITE);
> if (status < 0) {
> mlog_errno(status);
> - goto bail;
> + goto bail_commit;
> }
>
> tl->tl_used = cpu_to_le16(i);
> @@ -5965,7 +5965,7 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
> num_clusters);
> if (status < 0) {
> mlog_errno(status);
> - goto bail;
> + goto bail_commit;
> }
> }
>
> @@ -5975,6 +5975,8 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
>
> osb->truncated_clusters = 0;
>
> +bail_commit:
> + ocfs2_commit_trans(osb, handle);
> bail:
> return status;
> }
>