erofs: fix incorrect early exits for invalid metabox-enabled images

Crafted EROFS images with metadata compression enabled can trigger
incorrect early returns, leading to folio reference leaks.

However, this does not cause system crashes or other severe issues.

Fixes: 414091322c63 ("erofs: implement metadata compression")
Cc: stable@kernel.org
Reviewed-by: Hongbo Li <lihongbo22@huawei.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index 5136cda5972a986dece863290d20ab103791cb98..b54083128e0f4e0181b8c3499f5623bb8b8d6980 100644 (file)
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -330,12 +330,13 @@ static int erofs_read_superblock(struct super_block *sb)
        }
        sbi->packed_nid = le64_to_cpu(dsb->packed_nid);
        if (erofs_sb_has_metabox(sbi)) {
+               ret = -EFSCORRUPTED;
                if (sbi->sb_size <= offsetof(struct erofs_super_block,
                                             metabox_nid))
-                       return -EFSCORRUPTED;
+                       goto out;
                sbi->metabox_nid = le64_to_cpu(dsb->metabox_nid);
                if (sbi->metabox_nid & BIT_ULL(EROFS_DIRENT_NID_METABOX_BIT))
-                       return -EFSCORRUPTED;   /* self-loop detection */
+                       goto out;               /* self-loop detection */
        }
        sbi->inos = le64_to_cpu(dsb->inos);