From: Jia-Ju Bai <baijiaju1990@gmail.com>
Date: Thu, 24 Mar 2022 13:44:54 +0000 (-0700)
Subject: btrfs: fix root ref counts in error handling in btrfs_get_root_ref
X-Git-Tag: v5.17.4~31
X-Git-Url: https://git.fsl.cs.sunysb.edu/?a=commitdiff_plain;h=0850b7bdcea69d330a4a9b9b290af073ff32c63c;p=wrapfs-3.14.y.git

btrfs: fix root ref counts in error handling in btrfs_get_root_ref

commit 168a2f776b9762f4021421008512dd7ab7474df1 upstream.

In btrfs_get_root_ref(), when btrfs_insert_fs_root() fails,
btrfs_put_root() can happen for two reasons:

- the root already exists in the tree, in that case it returns the
  reference obtained in btrfs_lookup_fs_root()

- another error so the cleanup is done in the fail label

Calling btrfs_put_root() unconditionally would lead to double decrement
of the root reference possibly freeing it in the second case.

Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Fixes: bc44d7c4b2b1 ("btrfs: push btrfs_grab_fs_root into btrfs_get_fs_root")
CC: stable@vger.kernel.org # 5.10+
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 117afcda5aff..b43f80c3bffd 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1826,9 +1826,10 @@ again:
 
 	ret = btrfs_insert_fs_root(fs_info, root);
 	if (ret) {
-		btrfs_put_root(root);
-		if (ret == -EEXIST)
+		if (ret == -EEXIST) {
+			btrfs_put_root(root);
 			goto again;
+		}
 		goto fail;
 	}
 	return root;