4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jun 2021 14:05:14 +0000 (16:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jun 2021 14:05:14 +0000 (16:05 +0200)
added patches:
btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch

queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch b/queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch
new file mode 100644 (file)
index 0000000..5468b81
--- /dev/null
@@ -0,0 +1,85 @@
+From 011b28acf940eb61c000059dd9e2cfcbf52ed96b Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 19 May 2021 13:13:15 -0400
+Subject: btrfs: fixup error handling in fixup_inode_link_counts
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream.
+
+This function has the following pattern
+
+       while (1) {
+               ret = whatever();
+               if (ret)
+                       goto out;
+       }
+       ret = 0
+out:
+       return ret;
+
+However several places in this while loop we simply break; when there's
+a problem, thus clearing the return value, and in one case we do a
+return -EIO, and leak the memory for the path.
+
+Fix this by re-arranging the loop to deal with ret == 1 coming from
+btrfs_search_slot, and then simply delete the
+
+       ret = 0;
+out:
+
+bit so everybody can break if there is an error, which will allow for
+proper error handling to occur.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1558,6 +1558,7 @@ static noinline int fixup_inode_link_cou
+                       break;
+               if (ret == 1) {
++                      ret = 0;
+                       if (path->slots[0] == 0)
+                               break;
+                       path->slots[0]--;
+@@ -1570,17 +1571,19 @@ static noinline int fixup_inode_link_cou
+               ret = btrfs_del_item(trans, root, path);
+               if (ret)
+-                      goto out;
++                      break;
+               btrfs_release_path(path);
+               inode = read_one_inode(root, key.offset);
+-              if (!inode)
+-                      return -EIO;
++              if (!inode) {
++                      ret = -EIO;
++                      break;
++              }
+               ret = fixup_inode_link_count(trans, root, inode);
+               iput(inode);
+               if (ret)
+-                      goto out;
++                      break;
+               /*
+                * fixup on a directory may create new entries,
+@@ -1589,8 +1592,6 @@ static noinline int fixup_inode_link_cou
+                */
+               key.offset = (u64)-1;
+       }
+-      ret = 0;
+-out:
+       btrfs_release_path(path);
+       return ret;
+ }
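Review bot: The `ret = 0;` added inside the `if (ret == 1)` branch of the first tree-log.c hunk is now load-bearing but carries no comment. With the trailing `ret = 0; out:` removed in the last hunk, whatever `ret` holds at a `break` becomes the return value, so without that line the `break` on `path->slots[0] == 0` directly below it would return a positive 1 to the caller. I would add a comment there such as `/* 1 means the key was not found, not an error; clear it so every later break returns 0 or a negative errno */`. The loop's exits that fall between the hunks (the top of the loop and the check after `path->slots[0]--`) are not visible here, so it is worth confirming in the 4.14 tree that each of them leaves `ret` at 0 or a negative errno. The body of fixup_inode_link_counts starts outside the hunks.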
index 1019954944acd95721806ccf00d016b5eea24430..dc0362dccdb7f41195ff756458a1067db10d5ee6 100644 (file)
@@ -22,3 +22,4 @@ pid-take-a-reference-when-initializing-cad_pid.patch
 ocfs2-fix-data-corruption-by-fallocate.patch
 nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch
 btrfs-fix-error-handling-in-btrfs_del_csums.patch
+btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch