btrfs: free pages on error in btrfs_uring_read_extent()

In this function the 'pages' object is never freed in the hopes that it is
picked up by btrfs_uring_read_finished() whenever that executes in the
future. But that's just the happy path. Along the way previous
allocations might have gone wrong, or we might not get -EIOCBQUEUED from
btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a
cleanup section that frees all memory allocated by this function without
assuming any deferred execution, and this also needs to happen for the
'pages' allocation.

Fixes: 34310c442e17 ("btrfs: add io_uring command for encoded reads (ENCODED_READ ioctl)")
Signed-off-by: Miquel Sabaté Solà <mssola@mssola.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index f1b56be6f8f46e0df27c37880c92e73703d7b417..dadf9bf30f08c74f1ea5c021c1489488cfaec1ab 100644 (file)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4651,7 +4651,7 @@ static int btrfs_uring_read_extent(struct kiocb *iocb, struct iov_iter *iter,
 {
        struct btrfs_inode *inode = BTRFS_I(file_inode(iocb->ki_filp));
        struct extent_io_tree *io_tree = &inode->io_tree;
-       struct page **pages;
+       struct page **pages = NULL;
        struct btrfs_uring_priv *priv = NULL;
        unsigned long nr_pages;
        int ret;
@@ -4709,6 +4709,11 @@ out_fail:
        btrfs_unlock_extent(io_tree, start, lockend, &cached_state);
        btrfs_inode_unlock(inode, BTRFS_ILOCK_SHARED);
        kfree(priv);
+       for (int i = 0; i < nr_pages; i++) {
+               if (pages[i])
+                       __free_page(pages[i]);
+       }
+       kfree(pages);
        return ret;
 }