X-Mailing-List: linux-kernel@vger.kernel.org
From: "Jia Zhu"
To: "Gao Xiang", "Chao Yu"
Cc: "Yue Hu", "Jeffle Xu", "Sandeep Dhavale", "Hongbo Li", "Chunhai Guo", "Amir Goldstein", "Gao Xiang", "Jia Zhu"
Subject: [PATCH] erofs: fix metabuf leak in shared xattr initialization
Date: Wed, 20 May 2026 11:42:52 +0800
Message-Id: <20260520034252.40163-1-zhujia.zj@bytedance.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

erofs_init_inode_xattrs() uses a local metabuf while reading the inline xattr header and the shared xattr id array. It currently drops that metabuf from some error paths and from the success path, but the erofs_bread() failure while reading the shared xattr id array goes straight to out_unlock.

This became observable when file-backed metadata reads started calling rw_verify_area() before reusing or dropping the current metabuf. Before that, the read_mapping_folio() failure path already dropped the old metabuf before returning an error.

Consolidate the local metabuf cleanup at out_unlock. erofs_put_metabuf() is a no-op if no page has been acquired, and this keeps all paths after taking EROFS_I_BL_XATTR_BIT covered by one cleanup site.

Fixes: 307210c262a2 ("erofs: verify metadata accesses for file-backed mounts")
Signed-off-by: Jia Zhu
---
 fs/erofs/xattr.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c index 41e311019a251..df7ea019526d7 100644 --- a/fs/erofs/xattr.c +++ b/fs/erofs/xattr.c @@ -89,13 +89,11 @@ static int erofs_init_inode_xattrs(struct inode *inode) vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) { erofs_err(sb, "invalid h_shared_count %u @ nid %llu", vi->xattr_shared_count, vi->nid); - erofs_put_metabuf(&buf); ret =3D -EFSCORRUPTED; goto out_unlock; } vi->xattr_shared_xattrs =3D kmalloc_objs(uint, vi->xattr_shared_count); if (!vi->xattr_shared_xattrs) { - erofs_put_metabuf(&buf); ret =3D -ENOMEM; goto out_unlock; } @@ -112,12 +110,12 @@ static int erofs_init_inode_xattrs(struct inode *inod= e) } vi->xattr_shared_xattrs[i] =3D le32_to_cpu(*xattr_id); } - erofs_put_metabuf(&buf); =20 /* paired with smp_mb() at the beginning of the function. */ smp_mb(); set_bit(EROFS_I_EA_INITED_BIT, &vi->flags); out_unlock: + erofs_put_metabuf(&buf); clear_and_wake_up_bit(EROFS_I_BL_XATTR_BIT, &vi->flags); return ret; } --=20 2.39.5 (Apple Git-154)
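
Review bot: with the put moved to out_unlock, the first hunk (@@ -89,13 +89,11 @@) is only correct if buf is in a valid initialized state at every goto out_unlock in erofs_init_inode_xattrs(), including any jump taken before the first metabuf read, and nothing in the visible lines shows that. The changelog says erofs_put_metabuf() is a no-op if no page has been acquired, but that holds only when buf is initialized at its declaration. Please confirm that in the changelog, or add a short comment at the declaration, so a later goto out_unlock inserted earlier in the function does not hand an uninitialized buffer to the put. The -EFSCORRUPTED and -ENOMEM branches themselves look fine: both fall through to the label with buf still held.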
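
Review bot: in the second hunk (@@ -112,12 +110,12 @@) the success path now releases the metabuf after smp_mb() and set_bit(EROFS_I_EA_INITED_BIT, &vi->flags) instead of before them, an ordering change the changelog does not mention. Since buf is local to the function this looks harmless, but the page stays held until after the inited bit is published and right up to clear_and_wake_up_bit(). A sentence in the commit message stating that the release order relative to the barrier does not matter would save the next reader from re-deriving it. Alternatively, keep the put ahead of the "paired with smp_mb()" comment on the success path and use the out_unlock put only for error exits, if the single cleanup site is not a hard goal.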