From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 8 Jun 2021 14:05:14 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.272~38
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81a935abc0dd738c24b8a54852d46688bf019fb5;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch
---

diff --git a/queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch b/queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch
new file mode 100644
index 00000000000..5468b81b5e8
--- /dev/null
+++ b/queue-4.14/btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch
@@ -0,0 +1,85 @@
+From 011b28acf940eb61c000059dd9e2cfcbf52ed96b Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 19 May 2021 13:13:15 -0400
+Subject: btrfs: fixup error handling in fixup_inode_link_counts
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream.
+
+This function has the following pattern
+
+	while (1) {
+		ret = whatever();
+		if (ret)
+			goto out;
+	}
+	ret = 0
+out:
+	return ret;
+
+However several places in this while loop we simply break; when there's
+a problem, thus clearing the return value, and in one case we do a
+return -EIO, and leak the memory for the path.
+
+Fix this by re-arranging the loop to deal with ret == 1 coming from
+btrfs_search_slot, and then simply delete the
+
+	ret = 0;
+out:
+
+bit so everybody can break if there is an error, which will allow for
+proper error handling to occur.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1558,6 +1558,7 @@ static noinline int fixup_inode_link_cou
+ 			break;
+ 
+ 		if (ret == 1) {
++			ret = 0;
+ 			if (path->slots[0] == 0)
+ 				break;
+ 			path->slots[0]--;
+@@ -1570,17 +1571,19 @@ static noinline int fixup_inode_link_cou
+ 
+ 		ret = btrfs_del_item(trans, root, path);
+ 		if (ret)
+-			goto out;
++			break;
+ 
+ 		btrfs_release_path(path);
+ 		inode = read_one_inode(root, key.offset);
+-		if (!inode)
+-			return -EIO;
++		if (!inode) {
++			ret = -EIO;
++			break;
++		}
+ 
+ 		ret = fixup_inode_link_count(trans, root, inode);
+ 		iput(inode);
+ 		if (ret)
+-			goto out;
++			break;
+ 
+ 		/*
+ 		 * fixup on a directory may create new entries,
+@@ -1589,8 +1592,6 @@ static noinline int fixup_inode_link_cou
+ 		 */
+ 		key.offset = (u64)-1;
+ 	}
+-	ret = 0;
+-out:
+ 	btrfs_release_path(path);
+ 	return ret;
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index 1019954944a..dc0362dccdb 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -22,3 +22,4 @@ pid-take-a-reference-when-initializing-cad_pid.patch
 ocfs2-fix-data-corruption-by-fallocate.patch
 nfc-fix-null-ptr-dereference-in-llcp_sock_getname-after-failed-connect.patch
 btrfs-fix-error-handling-in-btrfs_del_csums.patch
+btrfs-fixup-error-handling-in-fixup_inode_link_counts.patch