xfs_repair: always release btree buffers when refcountbt checks fail

During phase 4 of repair, we compare the refcount records we've computed
against what's in the refcount btree.  If the btree is corrupt the
libxfs refcount calls will fail, but on our way out of the function we
don't make sure to clear all the btree cursor's buffer pointers.  This
leads to a repair deadlock in xfs/372 when fuzzing ptrs[1] to -1U
because we forgot to release a buffer.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>

diff --git a/repair/rmap.c b/repair/rmap.c
index 01d6f0fc07f9b2c3a649236338a0680596001058..d51590b6a5bb5d99f04a3f0042ddda6ee25df5fc 100644 (file)
--- a/repair/rmap.c
+++ b/repair/rmap.c
@@ -1359,7 +1359,8 @@ next_loop:
 
 err:
        if (bt_cur)
-               libxfs_btree_del_cursor(bt_cur, XFS_BTREE_NOERROR);
+               libxfs_btree_del_cursor(bt_cur, error ? XFS_BTREE_ERROR :
+                                                       XFS_BTREE_NOERROR);
        if (agbp)
                libxfs_putbuf(agbp);
        free_slab_cursor(&rl_cur);