btrfs: fix iteration of extrefs during log replay
authorFilipe Manana <fdmanana@suse.com>
Mon, 23 Jun 2025 11:11:58 +0000 (12:11 +0100)
committerDavid Sterba <dsterba@suse.com>
Fri, 27 Jun 2025 17:56:55 +0000 (19:56 +0200)
At __inode_add_ref() when processing extrefs, if we jump into the next
label we have an undefined value of victim_name.len, since we haven't
initialized it before we did the goto. This results in an invalid memory
access in the next iteration of the loop since victim_name.len was not
initialized to the length of the name of the current extref.

Fix this by initializing victim_name.len with the current extref's name
length.

Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs")
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
fs/btrfs/tree-log.c

index 8b66173d9023b7af4fd2df8569bbcd11b85d7ae3..d514bf531b3becec6ab840d997c234c54394d0e0 100644 (file)
@@ -1148,13 +1148,13 @@ again:
                        struct fscrypt_str victim_name;
 
                        extref = (struct btrfs_inode_extref *)(base + cur_offset);
+                       victim_name.len = btrfs_inode_extref_name_len(leaf, extref);
 
                        if (btrfs_inode_extref_parent(leaf, extref) != parent_objectid)
                                goto next;
 
                        ret = read_alloc_one_name(leaf, &extref->name,
-                                btrfs_inode_extref_name_len(leaf, extref),
-                                &victim_name);
+                                                 victim_name.len, &victim_name);
                        if (ret)
                                return ret;
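Review bot: The added assignment to `victim_name.len` has to stay ahead of the `goto next`, but nothing in the code says so; per the commit message, the `next` path uses that length to step to the following extref. A short comment above the assignment, e.g. `/* Must be set before any 'goto next': the next label advances by victim_name.len. */`, would stop a later cleanup from folding it back into the read_alloc_one_name() call. `victim_name` is still declared without an initializer, so `victim_name.name` is indeterminate on the `goto next` path. That is safe only while the label never reads or frees it, which cannot be confirmed here because the label and the rest of the loop lie outside the hunk. The length is read from the leaf being replayed, so it is also worth confirming that the loop condition outside this hunk keeps `cur_offset` inside the item.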