Patch "btrfs: fix transaction leak in btrfs_recover_relocation" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 06 May 2020 20:01:35 -0400

This is a note to let you know that I've just added the patch titled

    btrfs: fix transaction leak in btrfs_recover_relocation

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-fix-transaction-leak-in-btrfs_recover_relocati.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 205fecfce19ecdf2dc6c836a0868ba80ce961595
Author: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
Date:   Mon Apr 20 13:39:39 2020 +0800

    btrfs: fix transaction leak in btrfs_recover_relocation
    
    commit 1402d17dfd9657be0da8458b2079d03c2d61c86a upstream.
    
    btrfs_recover_relocation() invokes btrfs_join_transaction(), which joins
    a btrfs_trans_handle object into transactions and returns a reference of
    it with increased refcount to "trans".
    
    When btrfs_recover_relocation() returns, "trans" becomes invalid, so the
    refcount should be decreased to keep refcount balanced.
    
    The reference counting issue happens in one exception handling path of
    btrfs_recover_relocation(). When read_fs_root() failed, the refcnt
    increased by btrfs_join_transaction() is not decreased, causing a refcnt
    leak.
    
    Fix this issue by calling btrfs_end_transaction() on this error path
    when read_fs_root() failed.
    
    Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling")
    CC: stable@xxxxxxxxxxxxxxx # 4.4+
    Reviewed-by: Filipe Manana <fdmanana@xxxxxxxx>
    Signed-off-by: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx>
    Signed-off-by: Xin Tan <tanxin.ctf@xxxxxxxxx>
    Signed-off-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 32a09ed540a2c..e890f09e2073b 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -4605,6 +4605,7 @@ int btrfs_recover_relocation(struct btrfs_root *root)
 		if (IS_ERR(fs_root)) {
 			err = PTR_ERR(fs_root);
 			list_add_tail(&reloc_root->root_list, &reloc_roots);
+			btrfs_end_transaction(trans);
 			goto out_unset;
 		}
 






