diff options
author | Xiyu Yang <xiyuyang19@fudan.edu.cn> | 2020-04-23 07:09:27 +0200 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2020-06-04 05:16:49 +0200 |
commit | 3bbd0ef26098d241dc59ee77ba14b7dab0df0786 (patch) | |
tree | c814fdd1ca7e627a43f182703f949a741014d8a7 | |
parent | ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max (diff) | |
download | linux-3bbd0ef26098d241dc59ee77ba14b7dab0df0786.tar.xz linux-3bbd0ef26098d241dc59ee77ba14b7dab0df0786.zip |
ext4: fix buffer_head refcnt leak when ext4_iget() fails
ext4_orphan_get() invokes ext4_read_inode_bitmap(), which returns a
reference of the specified buffer_head object to "bitmap_bh" with
increased refcnt.
When ext4_orphan_get() returns, local variable "bitmap_bh" becomes
invalid, so the refcount should be decreased to keep refcount balanced.
The reference counting issue happens in one exception handling path of
ext4_orphan_get(). When ext4_iget() fails, the function forgets to
decrease the refcnt increased by ext4_read_inode_bitmap(), causing a
refcnt leak.
Fix this issue by calling brelse() when ext4_iget() fails.
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/1587618568-13418-1-git-send-email-xiyuyang19@fudan.edu.cn
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | fs/ext4/ialloc.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c index 4b8c9a9bdf0c..011bcb8c4770 100644 --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -1246,6 +1246,7 @@ struct inode *ext4_orphan_get(struct super_block *sb, unsigned long ino) ext4_error_err(sb, -err, "couldn't read orphan inode %lu (err %d)", ino, err); + brelse(bitmap_bh); return inode; } |