From 8743fab4a9b870fd6449c0724008ad3f94e954d7 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <darrick.wong@oracle.com>
Date: Thu, 9 Nov 2017 11:35:30 -0600
Subject: [PATCH] xfs_repair: always release btree buffers when refcountbt
 checks fail

During phase 4 of repair, we compare the refcount records we've computed
against what's in the refcount btree.  If the btree is corrupt the
libxfs refcount calls will fail, but on our way out of the function we
don't make sure to clear all the btree cursor's buffer pointers.  This
leads to a repair deadlock in xfs/372 when fuzzing ptrs[1] to -1U
because we forgot to release a buffer.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@sandeen.net>
---
 repair/rmap.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/repair/rmap.c b/repair/rmap.c
index 01d6f0fc0..d51590b6a 100644
--- a/repair/rmap.c
+++ b/repair/rmap.c
@@ -1359,7 +1359,8 @@ next_loop:
 
 err:
 	if (bt_cur)
-		libxfs_btree_del_cursor(bt_cur, XFS_BTREE_NOERROR);
+		libxfs_btree_del_cursor(bt_cur, error ? XFS_BTREE_ERROR :
+							XFS_BTREE_NOERROR);
 	if (agbp)
 		libxfs_putbuf(agbp);
 	free_slab_cursor(&rl_cur);
-- 
2.47.2