From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C7D2EC33CB2 for ; Tue, 28 Jan 2020 23:19:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 992022173E for ; Tue, 28 Jan 2020 23:19:18 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=osandov-com.20150623.gappssmtp.com header.i=@osandov-com.20150623.gappssmtp.com header.b="k7VP/rub" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726446AbgA1XTS (ORCPT ); Tue, 28 Jan 2020 18:19:18 -0500 Received: from mail-pg1-f196.google.com ([209.85.215.196]:33947 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726293AbgA1XTR (ORCPT ); Tue, 28 Jan 2020 18:19:17 -0500 Received: by mail-pg1-f196.google.com with SMTP id r11so7835588pgf.1 for ; Tue, 28 Jan 2020 15:19:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osandov-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=reRZ27o860Jv4T3ywX/rAzqX7TYE/u2uK3SOSUVyejw=; b=k7VP/rublHHD1ZcKcCqFqjLNukGtmMxMUSabaKVQ1Fwz1AluQTI3ayFYmv2MkoF8sF KTnrpMybeItuOdPPq8QNM8hAZKGcMERONy66EiZ6sgIOlU9Ht/eHzyoRCcVxAmGrKtoH eXdXweTv2a9FwCljg7C9XtUIIPlFp9yUk9fVNEFGe2b+FIL+/MbH+dtov51wmF2oTTXn LOYUvY97j74rE084/4VDRjjc23mXQnX89NTJ9rSPvixJX9iPq7+pCFshPzOIAwqV4361 nVL8ac5ons437JDTQda5WWraX7VZTjVK06CyTy1JZeArXIv8ruU8X6qcNALUObs/XedA 7LVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=reRZ27o860Jv4T3ywX/rAzqX7TYE/u2uK3SOSUVyejw=; b=YBozDTX2fezS6eU+mqOc5NPdmJBCoLezwRLKloU89Y5tjsjucqgHhDeB1Zf7TkIy+j qY+Mk6wuaw8DFbgjImiFtnLO5JNXl7lly1j21KW3zwYQV7KPNw/+bXV1K4TL/JtGMIAP wCR343hZovhRTIxRQ1xMcSSHBLaSnKErvbVy7nl/fDEjWXpeWpjU+KB0r6Y7ClmowLBO CHbjJfNpeXLzFZFf6tyxnoiCWNjzUICqZh5wj4RMO4LL0wtAED0WSQsfR1oIgMfqsjsV bbxbeR9k3ojn91LJ2VohbDsiL30AYIE3VmEuXd/qUPus6rAJ2RjwL06n7x/IkoSqcQOO 0dEA== X-Gm-Message-State: APjAAAVs0GSGYqsww1jITZyHz/8C98e4Q6YFuL87lybCor0atV0tXk1K QCUMZYaW0YmJ5S+6xSjdMzui2Y0aIGc= X-Google-Smtp-Source: APXvYqyLrtk0AAf0tz/DjYLGdjS0KGKKZ1P60pGJXzi0fJBMwOkOU2/a7LcF5zo8zm0wSPvnVAwbtw== X-Received: by 2002:a63:e609:: with SMTP id g9mr9889417pgh.75.1580253556349; Tue, 28 Jan 2020 15:19:16 -0800 (PST) Received: from vader.thefacebook.com ([2620:10d:c090:200::43a7]) by smtp.gmail.com with ESMTPSA id p24sm156353pgk.19.2020.01.28.15.19.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 28 Jan 2020 15:19:15 -0800 (PST) From: Omar Sandoval To: linux-fsdevel@vger.kernel.org, Al Viro Cc: kernel-team@fb.com Subject: [RFC PATCH v4 3/4] Btrfs: fix inode reference count leak in btrfs_link() error path Date: Tue, 28 Jan 2020 15:19:02 -0800 Message-Id: <885829e37b0cdf75e26f4605e34110a7b23fe162.1580251857.git.osandov@fb.com> X-Mailer: git-send-email 2.25.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Omar Sandoval If btrfs_update_inode() or btrfs_orphan_del() fails in btrfs_link(), then we don't drop the reference we got with ihold(). This results in the "VFS: Busy inodes after unmount" crash. The reference is needed for the new dentry, so get it right before we instantiate the dentry. Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") [Although d_instantiate() was moved further from ihold() before that, in commit 08c422c27f85 ("Btrfs: call d_instantiate after all ops are setup")] Signed-off-by: Omar Sandoval --- fs/btrfs/inode.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index bc7709c4f6eb..8c9a114f48f6 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -6801,7 +6801,6 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, inc_nlink(inode); inode_inc_iversion(inode); inode->i_ctime = current_time(inode); - ihold(inode); set_bit(BTRFS_INODE_COPY_EVERYTHING, &BTRFS_I(inode)->runtime_flags); err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode), @@ -6825,6 +6824,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, if (err) goto fail; } + ihold(inode); d_instantiate(dentry, inode); ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent, true, NULL); @@ -6837,10 +6837,8 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, fail: if (trans) btrfs_end_transaction(trans); - if (drop_inode) { + if (drop_inode) inode_dec_link_count(inode); - iput(inode); - } btrfs_btree_balance_dirty(fs_info); return err; } -- 2.25.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38309C35246 for ; Wed, 29 Jan 2020 08:58:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0A993207FD for ; Wed, 29 Jan 2020 08:58:54 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=osandov-com.20150623.gappssmtp.com header.i=@osandov-com.20150623.gappssmtp.com header.b="e3gWiJ2L" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726618AbgA2I6x (ORCPT ); Wed, 29 Jan 2020 03:58:53 -0500 Received: from mail-pg1-f193.google.com ([209.85.215.193]:38676 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726604AbgA2I6v (ORCPT ); Wed, 29 Jan 2020 03:58:51 -0500 Received: by mail-pg1-f193.google.com with SMTP id a33so8498784pgm.5 for ; Wed, 29 Jan 2020 00:58:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=osandov-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=reRZ27o860Jv4T3ywX/rAzqX7TYE/u2uK3SOSUVyejw=; b=e3gWiJ2LWpZU0w65uPMol9V/3tTRPOo3YHr7X0gh9BUnZ0a8WNiuj54YrgBIABRPDp 7nJNfU3JBzkoHtZMuq12dl8y/DifisJpBnqDf7rCGrqecqO4eGe6EaoheG4cJCOeVNYh cmgaoeaErviSStu8trxn9jCb2GWx3UWfHBGP00fQhRbSATh05pEo0TY4zp/Lsnyn496H hAM1fjQg3+Gz/gdVr3Gy3gBtnedSFtqZrcfgjWiFThe0zK58Lpi1KLK3vTYyfTbMsEXC Ut3TtbuMRn0UuRbxJGoY4ixDK4xRNVgBDbkjNSMXYuyx40dRzACvo6FQOP6Ccg1DV62B BQ3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=reRZ27o860Jv4T3ywX/rAzqX7TYE/u2uK3SOSUVyejw=; b=ngTnFvSeSsSwPc7E1YTibUEYlkR3eOUjotPZoXl5al/40gh/amibbFQUmqDCytC6w1 mKcz5vI2fs2avIFLzEYWbAowEbt5UhN5zr3bQgYq1zQ/YJcwuMNBReoCHt3M53obl4OQ 4NfgOwYwhiH6poO8PFPKsuyjG/rqzynWSiTgZP3Wc2zorJ1hH77OzSLqZ68othfCG2uS Tdt9ilWsTq1ulGLSx8QQqhCvxpOYCw5fHQ2gIcGZ7RaIYhCKNFliCjOjCmqmLvJ1kSPC nvf7c9zv/j2q43aSWpsER5CpzkgSKp8doXVUZo61CccRO9PXDeUfGss6Qn5w/swtNj4x w2Bw== X-Gm-Message-State: APjAAAWNokkvpVoFEK6klhqJU75s6ZTzV7MouAUb32Ab45SWXRmG1JxS /TiLnC8yGutv0AcLYVK+iXFWgRwA5gU= X-Google-Smtp-Source: APXvYqySrkrEow/ydQXLctB5z0jkLcdnlvdfudAWHqB5KZWJfySgHEoAy9nDfAd4zDudLTtYV/uOCg== X-Received: by 2002:aa7:8d8f:: with SMTP id i15mr8191344pfr.220.1580288330902; Wed, 29 Jan 2020 00:58:50 -0800 (PST) Received: from vader.hsd1.wa.comcast.net ([2601:602:8b80:8e0:e6a7:a0ff:fe0b:c9a8]) by smtp.gmail.com with ESMTPSA id s131sm1935932pfs.135.2020.01.29.00.58.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Jan 2020 00:58:50 -0800 (PST) From: Omar Sandoval To: linux-fsdevel@vger.kernel.org, Al Viro Cc: kernel-team@fb.com, linux-api@vger.kernel.org, David Howells , Amir Goldstein , Xi Wang Subject: [RFC PATCH v4 3/4] Btrfs: fix inode reference count leak in btrfs_link() error path Date: Wed, 29 Jan 2020 00:58:33 -0800 Message-Id: <885829e37b0cdf75e26f4605e34110a7b23fe162.1580251857.git.osandov@fb.com> X-Mailer: git-send-email 2.25.0 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org Message-ID: <20200129085833.S2QQvJ-b5mRjBwIoL7FF7WG1gPztAMIk3BTKADrg9fA@z> From: Omar Sandoval If btrfs_update_inode() or btrfs_orphan_del() fails in btrfs_link(), then we don't drop the reference we got with ihold(). This results in the "VFS: Busy inodes after unmount" crash. The reference is needed for the new dentry, so get it right before we instantiate the dentry. Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling") [Although d_instantiate() was moved further from ihold() before that, in commit 08c422c27f85 ("Btrfs: call d_instantiate after all ops are setup")] Signed-off-by: Omar Sandoval --- fs/btrfs/inode.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index bc7709c4f6eb..8c9a114f48f6 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -6801,7 +6801,6 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, inc_nlink(inode); inode_inc_iversion(inode); inode->i_ctime = current_time(inode); - ihold(inode); set_bit(BTRFS_INODE_COPY_EVERYTHING, &BTRFS_I(inode)->runtime_flags); err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode), @@ -6825,6 +6824,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, if (err) goto fail; } + ihold(inode); d_instantiate(dentry, inode); ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent, true, NULL); @@ -6837,10 +6837,8 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir, fail: if (trans) btrfs_end_transaction(trans); - if (drop_inode) { + if (drop_inode) inode_dec_link_count(inode); - iput(inode); - } btrfs_btree_balance_dirty(fs_info); return err; } -- 2.25.0