btrfs: fix transaction leak in btrfs_recover_relocation

sherlly · kdave · commit 1402d17dfd96 · 2020-04-23T17:24:56.000+02:00
btrfs_recover_relocation() invokes btrfs_join_transaction(), which joins a btrfs_trans_handle object into transactions and returns a reference of it with increased refcount to "trans". When btrfs_recover_relocation() returns, "trans" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of btrfs_recover_relocation(). When read_fs_root() failed, the refcnt increased by btrfs_join_transaction() is not decreased, causing a refcnt leak. Fix this issue by calling btrfs_end_transaction() on this error path when read_fs_root() failed. Fixes: 79787ea ("btrfs: replace many BUG_ONs with proper error handling") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Signed-off-by: David Sterba <dsterba@suse.com>
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
@@ -4559,6 +4559,7 @@ int btrfs_recover_relocation(struct btrfs_root *root)
 		if (IS_ERR(fs_root)) {
 			err = PTR_ERR(fs_root);
 			list_add_tail(&reloc_root->root_list, &reloc_roots);
+			btrfs_end_transaction(trans);
 			goto out_unset;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -4559,6 +4559,7 @@ int btrfs_recover_relocation(struct btrfs_root *root)`
`4559`	`4559`	`if (IS_ERR(fs_root)) {`
`4560`	`4560`	`err = PTR_ERR(fs_root);`
`4561`	`4561`	`list_add_tail(&reloc_root->root_list, &reloc_roots);`
	`4562`	`+ btrfs_end_transaction(trans);`
`4562`	`4563`	`goto out_unset;`
`4563`	`4564`	`}`
`4564`	`4565`