From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Filipe Manana, Nikolay Borisov, Anand Jain, David Sterba, Sasha Levin
Subject: [PATCH 5.7 058/265] btrfs: fix a block group ref counter leak after failure to remove block group
Date: Mon, 29 Jun 2020 11:14:51 -0400
Message-Id: <20200629151818.2493727-59-sashal@kernel.org>
In-Reply-To: <20200629151818.2493727-1-sashal@kernel.org>
References: <20200629151818.2493727-1-sashal@kernel.org>
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.7.7-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.7.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.7.7-rc1
X-KernelTest-Deadline: 2020-07-01T15:14+00:00
X-stable: review

From: Filipe Manana

[ Upstream commit 9fecd13202f520f3f25d5b1c313adb740fe19773 ]

When removing a block group, if we fail to delete the block group's item
from the extent tree, we jump to the 'out' label and end up decrementing
the block group's reference count once only (by 1), resulting in a counter
leak because the block group at that point was already removed from the
block group cache rbtree - so we have to decrement the reference count
twice, once for the rbtree and once for our lookup at the start of the
function.

There is a second bug where if removing the free space tree entries (the
call to remove_block_group_free_space()) fails we end up jumping to the
'out_put_group' label but end up decrementing the reference count only
once, when we should have done it twice, since we have already removed
the block group from the block group cache rbtree. This happens because
the reference count decrement for the rbtree reference happens after
attempting to remove the free space tree entries, which is far away from
the place where we remove the block group from the rbtree.

To make things less error prone, decrement the reference count for the
rbtree immediately after removing the block group from it. This also
eliminates the need for two different exit labels on error, renaming
'out_put_label' to just 'out' and removing the old 'out'.

Fixes: f6033c5e333238 ("btrfs: fix block group leak when removing fails")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Nikolay Borisov
Reviewed-by: Anand Jain
Signed-off-by: Filipe Manana
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
---
 fs/btrfs/block-group.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/fs/btrfs/block-group.c b/fs/btrfs/block-group.c index 233c5663f2332..0c17f18b47940 100644 --- a/fs/btrfs/block-group.c +++ b/fs/btrfs/block-group.c 
@@ -916,7 +916,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, path = btrfs_alloc_path(); if (!path) { ret = -ENOMEM; - goto out_put_group; + goto out; } /* @@ -954,7 +954,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, ret = btrfs_orphan_add(trans, BTRFS_I(inode)); if (ret) { btrfs_add_delayed_iput(inode); - goto out_put_group; + goto out; } clear_nlink(inode); /* One for the block groups ref */ @@ -977,13 +977,13 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, ret = btrfs_search_slot(trans, tree_root, &key, path, -1, 1); if (ret < 0) - goto out_put_group; + goto out; if (ret > 0) btrfs_release_path(path); if (ret == 0) { ret = btrfs_del_item(trans, tree_root, path); if (ret) - goto out_put_group; + goto out; btrfs_release_path(path); } @@ -992,6 +992,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, &fs_info->block_group_cache_tree); RB_CLEAR_NODE(&block_group->cache_node); + /* Once for the block groups rbtree */ + btrfs_put_block_group(block_group); + if (fs_info->first_logical_byte == block_group->start) fs_info->first_logical_byte = (u64)-1; spin_unlock(&fs_info->block_group_cache_lock); @@ -1102,10 +1105,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, ret = remove_block_group_free_space(trans, block_group); if (ret) - goto out_put_group; - - /* Once for the block groups rbtree */ - btrfs_put_block_group(block_group); + goto out; ret = btrfs_search_slot(trans, root, &key, path, -1, 1); if (ret > 0) @@ -1128,10 +1128,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, free_extent_map(em); } -out_put_group: +out: /* Once for the lookup reference */ btrfs_put_block_group(block_group); -out: if (remove_rsv) btrfs_delayed_refs_rsv_release(fs_info, 1); btrfs_free_path(path); -- 2.25.1
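
Review bot: in the hunk at -992, the added btrfs_put_block_group(block_group) sits before spin_unlock(&fs_info->block_group_cache_lock), so the rbtree reference is now dropped with the spinlock held. That is fine only as long as it can never be the final put, which holds here because the lookup reference is kept until the 'out' label. Please say so in the comment, for example "Once for the block groups rbtree; the lookup reference is still held", so a later reordering of the puts does not silently turn this into a last-reference drop under the lock.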
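
Review bot: in the last hunk (-1128), the label being removed is out_put_group, while the changelog says 'out_put_label' is renamed to 'out'; the changelog should name out_put_group so it matches the code. Since 'out' now always drops the lookup reference, it would also help to state next to the label that every goto out before the rb_erase() block relies on the rbtree reference still being in place, and every goto out after it relies on that reference having already been dropped at the -992 site.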