From: Darrick J. Wong <darrick.wong@oracle.com>
Date: Thu, 9 Nov 2017 17:35:30 +0000 (-0600)
Subject: xfs_repair: always release btree buffers when refcountbt checks fail
X-Git-Tag: v4.14.0-rc1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8743fab4a9b870fd6449c0724008ad3f94e954d7;p=thirdparty%2Fxfsprogs-dev.git

xfs_repair: always release btree buffers when refcountbt checks fail

During phase 4 of repair, we compare the refcount records we've computed
against what's in the refcount btree.  If the btree is corrupt the
libxfs refcount calls will fail, but on our way out of the function we
don't make sure to clear all the btree cursor's buffer pointers.  This
leads to a repair deadlock in xfs/372 when fuzzing ptrs[1] to -1U
because we forgot to release a buffer.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---

diff --git a/repair/rmap.c b/repair/rmap.c
index 01d6f0fc0..d51590b6a 100644
--- a/repair/rmap.c
+++ b/repair/rmap.c
@@ -1359,7 +1359,8 @@ next_loop:
 
 err:
 	if (bt_cur)
-		libxfs_btree_del_cursor(bt_cur, XFS_BTREE_NOERROR);
+		libxfs_btree_del_cursor(bt_cur, error ? XFS_BTREE_ERROR :
+							XFS_BTREE_NOERROR);
 	if (agbp)
 		libxfs_putbuf(agbp);
 	free_slab_cursor(&rl_cur);