From nobody Mon May 25 01:18:13 2026
Received: from va-1-115.ptr.blmpb.com (va-1-115.ptr.blmpb.com
 [209.127.230.115])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E6F6832ED55
	for <linux-kernel@vger.kernel.org>; Wed, 20 May 2026 04:46:27 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.127.230.115
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1779252391; cv=none;
 b=HPw5VmOjvXUR6dJe9dUTeLEQcJaJzhRph5ZQlToiFP0ULRFklmqZpSdPCgbO7ix8TXSrOSSw/rKBeiyPATy/jNK5C/qvtC6Pkf1sUsufQeKVR+7XIQMYyHtaF2o0ESQQolwMr0Ny1BH0hSkiXI7tZq47tvcO5mbY3iQlEfULjzM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1779252391; c=relaxed/simple;
	bh=m1JfN+HjLcTxVUfL18HQwGPzPQFXfL/kA9jpcOXbY1M=;
	h=To:Date:Content-Type:From:Subject:Message-Id:Mime-Version:
	 References:In-Reply-To:Cc;
 b=dUKQdtu2NXo+ixWxkGkeSimz0V+6F3cO0s3GmjxSrDxYYZbSi0x5FzmHPK2bNy2LMcI60XMo8dIvan6PIKPS/Wa6Se+4Gp3c7WlkAf9Z+/rIiQku1XXKSyeN0JINr7WsfpluEwv+SPMBRpXUDUCWFMUUW+8XzGDPsFW6/7DEXtg=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=bytedance.com;
 spf=pass smtp.mailfrom=bytedance.com;
 dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com
 header.b=pJmlhcHE; arc=none smtp.client-ip=209.127.230.115
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=bytedance.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=bytedance.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com
 header.b="pJmlhcHE"
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 s=2212171451; d=bytedance.com; t=1779252377; h=from:subject:
 mime-version:from:date:message-id:subject:to:cc:reply-to:content-type:
 mime-version:in-reply-to:message-id;
 bh=NNXYVdNOk08NyvAM1XrvfKwXcAVxz+xeGBQj1CZCknQ=;
 b=pJmlhcHEJzwV4USceD37bJ6zJRPX4z7a+A7hiDY9ZEUKH2vVz3BgpBf5p9FHyMzSB9NikD
 EjEMEB8dwbnD3DxT+Ky7MxKjPuhTCLJAhK3ysN6chvfNGggSqU5f00IYflx6JhKLuqrNXB
 UZxmIABX6ym6M3gXusga1olVHXI/TJ0lXdLwQoW8wVGN9Bq5Iea0nSESgZTDZxYFI/CJiy
 z52HhhTY6ZwwHL+tUq4XPwWhYtefJI+b34af2+5f2sR/3S/h9eCIaTUzQyze2suGkS3wpF
 5AvVUQIptwe2lyjc6POsDcePYxy8lHS8KBDFmbq95NnmoVEcoDnJVp58Jav8DA==
Content-Transfer-Encoding: quoted-printable
To: "Gao Xiang" <xiang@kernel.org>, "Chao Yu" <chao@kernel.org>
Date: Wed, 20 May 2026 12:46:07 +0800
From: "Jia Zhu" <zhujia.zj@bytedance.com>
Subject: [PATCH v2] erofs: fix metabuf leak in inode xattr initialization
Message-Id: <20260520044607.50992-1-zhujia.zj@bytedance.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Mime-Version: 1.0
X-Lms-Return-Path: 
 <lba+26a0d3c97+ea1b89+vger.kernel.org+zhujia.zj@bytedance.com>
References: <20260520034252.40163-1-zhujia.zj@bytedance.com>
X-Original-From: Jia Zhu <zhujia.zj@bytedance.com>
X-Mailer: git-send-email 2.39.5 (Apple Git-154)
In-Reply-To: <20260520034252.40163-1-zhujia.zj@bytedance.com>
Cc: <linux-erofs@lists.ozlabs.org>, <linux-kernel@vger.kernel.org>,
	"Yue Hu" <zbestahu@gmail.com>, "Jeffle Xu" <jefflexu@linux.alibaba.com>,
	"Sandeep Dhavale" <dhavale@google.com>,
	"Hongbo Li" <lihongbo22@huawei.com>, "Chunhai Guo" <guochunhai@vivo.com>,
	"Amir Goldstein" <amir73il@gmail.com>,
	"Gao Xiang" <hsiangkao@linux.alibaba.com>,
	"Jia Zhu" <zhujia.zj@bytedance.com>
Content-Type: text/plain; charset="utf-8"

commit bb88e8da0025 ("erofs: use meta buffers for xattr operations")
converted xattr operations to use on-stack erofs_buf instances.
erofs_init_inode_xattrs() uses such a metabuf while reading the inline
xattr header and shared xattr id array.

Some error paths after erofs_read_metabuf() leave through out_unlock
without dropping the metabuf, so the folio reference can leak.

Consolidate the cleanup at out_unlock. erofs_put_metabuf() is a
no-op if no folio has been acquired, and this keeps all paths after
taking EROFS_I_BL_XATTR_BIT covered by a single cleanup site.

Fixes: bb88e8da0025 ("erofs: use meta buffers for xattr operations")

Signed-off-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
 fs/erofs/xattr.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/fs/erofs/xattr.c b/fs/erofs/xattr.c
index 41e311019a251..df7ea019526d7 100644
--- a/fs/erofs/xattr.c
+++ b/fs/erofs/xattr.c
@@ -89,13 +89,11 @@ static int erofs_init_inode_xattrs(struct inode *inode)
 	    vi->xattr_isize - sizeof(struct erofs_xattr_ibody_header)) {
 		erofs_err(sb, "invalid h_shared_count %u @ nid %llu",
 			  vi->xattr_shared_count, vi->nid);
-		erofs_put_metabuf(&buf);
 		ret =3D -EFSCORRUPTED;
 		goto out_unlock;
 	}
 	vi->xattr_shared_xattrs =3D kmalloc_objs(uint, vi->xattr_shared_count);
 	if (!vi->xattr_shared_xattrs) {
-		erofs_put_metabuf(&buf);
 		ret =3D -ENOMEM;
 		goto out_unlock;
 	}
@@ -112,12 +110,12 @@ static int erofs_init_inode_xattrs(struct inode *inod=
e)
 		}
 		vi->xattr_shared_xattrs[i] =3D le32_to_cpu(*xattr_id);
 	}
-	erofs_put_metabuf(&buf);
=20
 	/* paired with smp_mb() at the beginning of the function. */
 	smp_mb();
 	set_bit(EROFS_I_EA_INITED_BIT, &vi->flags);
 out_unlock:
+	erofs_put_metabuf(&buf);
 	clear_and_wake_up_bit(EROFS_I_BL_XATTR_BIT, &vi->flags);
 	return ret;
 }
--=20
2.39.5 (Apple Git-154)