> Fixes a memory leak issue in f2fs_move_inline_dirents() where
> the ifolio is not properly released in certain error paths.
>
> Problem Analysis:
> - In f2fs_try_convert_inline_dir(), ifolio is acquired via
>   f2fs_get_inode_folio()
> - When do_convert_inline_dir() fails, the caller expects ifolio to be released
> - However, in f2fs_move_inline_dirents(), two specific error paths don't
>   release ifolio

Add some additional information.

When do_convert_inline_dir() fails in f2fs_try_convert_inline_dir(), the
ifolio obtained via f2fs_get_inode_folio() is not properly released,
leading to a memory leak.

The issue occurs in the following call path:

f2fs_try_convert_inline_dir()
├── f2fs_get_inode_folio()            // acquires ifolio
├── do_convert_inline_dir()
│   ├── f2fs_move_inline_dirents()    // The issue is in this function.
│   │   └── Error paths may not release ifolio
└── Only releases ifolio on success: if (!err) f2fs_folio_put(ifolio, true)

Specifically, in f2fs_move_inline_dirents():
- If f2fs_reserve_block() fails, the function jumps to the 'out' label
- The 'out' label only releases the newly allocated 'folio' but not 'ifolio'
- This leaves ifolio unreleased when f2fs_reserve_block() fails

In contrast, f2fs_move_rehashed_dirents() properly handles ifolio release
in its error recovery path, but the inconsistency creates a leak risk.

_______________________________________________
Linux-f2fs-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
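A constructed userspace model of the ownership contract described in this thread, added here as an example; it is not f2fs code and not the patch. The refcounted folio, the reserve_block() failure knob and the "fixed" variant are assumptions, written so that references still held after each path can be counted.

```c
#include <errno.h>
/* Constructed model (not f2fs code): a folio is only a reference counter,
 * so references still held after each path can be counted. */
struct folio { int refs; };
static int live_refs;            /* folio references currently held */
static int reserve_should_fail;  /* knob: make reserve_block() fail */

static void folio_get(struct folio *f) { f->refs++; live_refs++; }
static void folio_put(struct folio *f) { f->refs--; live_refs--; }
static int reserve_block(void) { return reserve_should_fail ? -ENOSPC : 0; }
typedef int (*move_fn)(struct folio *ifolio, struct folio *folio);

/* Shape of the leak as described: on reserve failure 'out' drops only the
 * newly grabbed folio, and nobody ever puts ifolio. */
static int move_inline_dirents_leaky(struct folio *ifolio, struct folio *folio)
{
    int err;
    folio_get(folio);            /* newly grabbed data page */
    err = reserve_block();
    if (err)
        goto out;                /* ifolio is forgotten on this path */
out:
    folio_put(folio);
    return err;
}

/* Illustrative correction (an assumption, not the actual patch): the error
 * path honours the contract that the callee releases ifolio on failure. */
static int move_inline_dirents_fixed(struct folio *ifolio, struct folio *folio)
{
    int err;
    folio_get(folio);
    err = reserve_block();
    if (err)
        folio_put(ifolio);       /* caller will not put it on error */
    folio_put(folio);
    return err;
}

/* Mirrors f2fs_try_convert_inline_dir(): take ifolio, call the mover, put
 * ifolio only on success. Returns references still held (0 means no leak). */
int refs_held_after_convert(move_fn fn, int fail_reserve)
{
    struct folio ifolio = {0}, folio = {0};
    live_refs = 0; reserve_should_fail = fail_reserve;
    folio_get(&ifolio);          /* f2fs_get_inode_folio() */
    if (!fn(&ifolio, &folio))    /* do_convert_inline_dir() */
        folio_put(&ifolio);
    return live_refs;
}
```

Driving both movers through the caller with the reserve failure switched on shows the leaky variant ending with one reference still held and the corrected one with none.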
