btrfs: fix extent_state leak in btrfs_lock_and_flush_ordered_range
author    Naohiro Aota <naohiro.aota@wdc.com>
          Fri, 26 Jul 2019 07:47:05 +0000 (16:47 +0900)
committer David Sterba <dsterba@suse.com>
          Fri, 26 Jul 2019 10:21:22 +0000 (12:21 +0200)
btrfs_lock_and_flush_ordered_range() loads given "*cached_state" into
cachedp, which, in general, is NULL. Then, lock_extent_bits() updates
"cachedp", but it never goes back to the caller. Thus the caller still
sees its "cached_state" to be NULL and never frees the state allocated
under btrfs_lock_and_flush_ordered_range(). As a result, we will
see a massive state leak with e.g. fstests btrfs/005. Fix this bug by
properly handling the pointers.

Fixes: bd80d94efb83 ("btrfs: Always use a cached extent_state in btrfs_lock_and_flush_ordered_range")
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
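The pointer-handling mistake the commit message describes, reduced to a self-contained toy in C. This is an added example, not btrfs code: the `toy_*` helpers, the `live_states` counter, the single-slot `tree_locked` "tree" and the two wrapper shapes are stand-ins constructed here so the leak can be counted. Only the reference handling the message talks about is modelled (a caller-supplied cache slot that the inner lock fills and takes a reference on); the ordered-extent flushing loop is left out.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for struct extent_state: the only field we need is a refcount. */
struct extent_state {
    int refs;
};

/* States currently allocated; non-zero after a full lock/unlock cycle is the
 * leak the commit message describes. */
static int live_states;
/* The toy "tree" holds at most one locked range. */
static struct extent_state *tree_locked;

static struct extent_state *alloc_state(void)
{
    struct extent_state *s = calloc(1, sizeof(*s));
    if (!s)
        abort();
    s->refs = 1;                 /* reference owned by the tree */
    live_states++;
    return s;
}

static void put_state(struct extent_state *s)
{
    if (s && --s->refs == 0) {
        free(s);
        live_states--;
    }
}

/* Model of lock_extent_bits(): always fills the cache slot it is given and
 * takes an extra reference for it (the behaviour the Fixes: commit relies on). */
static void toy_lock_extent_bits(struct extent_state **cached)
{
    if (!*cached) {
        *cached = alloc_state();
        tree_locked = *cached;
    }
    (*cached)->refs++;
}

/* Model of unlock_extent_cached(): drops the cache reference, if the caller
 * actually holds one, then the tree's own reference. */
static void toy_unlock_extent_cached(struct extent_state **cached)
{
    if (cached && *cached) {
        put_state(*cached);
        *cached = NULL;
    }
    put_state(tree_locked);
    tree_locked = NULL;
}

/* Pre-fix shape: copies the caller's value into a local and passes the local's
 * address on, so the state stored by the lock never reaches the caller's slot. */
static void buggy_lock_and_flush(struct extent_state **cached_state)
{
    struct extent_state *cachedp = NULL;

    if (cached_state)
        cachedp = *cached_state;
    toy_lock_extent_bits(&cachedp);
    if (!cached_state)
        put_state(cachedp);      /* private cache: drop it before returning */
}

/* Post-fix shape: cachedp aliases the caller's slot when one is supplied, so
 * the caller sees (and later releases) the cached state. */
static void fixed_lock_and_flush(struct extent_state **cached_state)
{
    struct extent_state *cache = NULL;
    struct extent_state **cachedp = &cache;

    if (cached_state)
        cachedp = cached_state;
    toy_lock_extent_bits(cachedp);
    if (!cached_state)
        put_state(cache);
}

/* One lock/unlock cycle through the given wrapper, with or without a
 * caller-supplied cache slot; returns how many states are still alive. */
static int states_left_after_cycle(void (*lock_and_flush)(struct extent_state **),
                                   int caller_passes_cache)
{
    struct extent_state *cached = NULL;

    live_states = 0;
    tree_locked = NULL;
    lock_and_flush(caller_passes_cache ? &cached : NULL);
    toy_unlock_extent_cached(caller_passes_cache ? &cached : NULL);
    return live_states;
}

int main(void)
{
    printf("buggy, caller cache:    %d leaked\n", states_left_after_cycle(buggy_lock_and_flush, 1));
    printf("fixed, caller cache:    %d leaked\n", states_left_after_cycle(fixed_lock_and_flush, 1));
    printf("buggy, no caller cache: %d leaked\n", states_left_after_cycle(buggy_lock_and_flush, 0));
    printf("fixed, no caller cache: %d leaked\n", states_left_after_cycle(fixed_lock_and_flush, 0));
    return 0;
}
```

The only cycle that leaks is the buggy wrapper with a caller-supplied slot: the caller's pointer stays NULL, so the reference the lock took for the cache is never dropped. Both wrappers behave the same when no slot is passed, which is why the bug only shows up through callers that use a cache.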
fs/btrfs/ordered-data.c

index 1744ba8b275497b5a6cb5d65432ee4b4e645564d..ae7f64a8facb8758822f5cbd05f0bd0094de361a 100644 (file)
@@ -985,13 +985,14 @@ void btrfs_lock_and_flush_ordered_range(struct extent_io_tree *tree,
                                        struct extent_state **cached_state)
 {
        struct btrfs_ordered_extent *ordered;
-       struct extent_state *cachedp = NULL;
+       struct extent_state *cache = NULL;
+       struct extent_state **cachedp = &cache;
 
        if (cached_state)
-               cachedp = *cached_state;
+               cachedp = cached_state;
 
        while (1) {
-               lock_extent_bits(tree, start, end, &cachedp);
+               lock_extent_bits(tree, start, end, cachedp);
                ordered = btrfs_lookup_ordered_range(inode, start,
                                                     end - start + 1);
                if (!ordered) {
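Review bot: the `struct extent_state *cache = NULL;` / `struct extent_state **cachedp = &cache;` pair followed by `if (cached_state) cachedp = cached_state;` could be a single initializer, e.g. `struct extent_state **cachedp = cached_state ? cached_state : &cache;`, which makes it obvious at a glance that `cachedp` is never NULL when `lock_extent_bits(tree, start, end, cachedp);` dereferences it. The substance of the fix is right: the old code copied the caller's value into a local and passed `&cachedp`, so the state written by `lock_extent_bits()` only ever landed in the local and `*cached_state` stayed NULL.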
@@ -1001,10 +1002,10 @@ void btrfs_lock_and_flush_ordered_range(struct extent_io_tree *tree,
                         * aren't exposing it outside of this function
                         */
                        if (!cached_state)
-                               refcount_dec(&cachedp->refs);
+                               refcount_dec(&cache->refs);
                        break;
                }
-               unlock_extent_cached(tree, start, end, &cachedp);
+               unlock_extent_cached(tree, start, end, cachedp);
                btrfs_start_ordered_extent(&inode->vfs_inode, ordered, 1);
                btrfs_put_ordered_extent(ordered);
        }
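Review bot: `refcount_dec(&cache->refs);` on the `!cached_state` path dereferences `cache` with no NULL check, so it depends on `lock_extent_bits()` always storing a state into `*cachedp`; a one-line comment (or an ASSERT) beside it stating that assumption would keep a later change to `lock_extent_bits()` from silently turning this into a NULL dereference. Using `cache` rather than `*cachedp` here is fine, since `cachedp == &cache` exactly when `cached_state` is NULL, and the switch to `unlock_extent_cached(tree, start, end, cachedp);` matches the lock call in the hunk above.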