xfs: fix bounds check in xfs_defer_agfl_block()

Source kernel commit: 2bed0d82c2f78b91a0a9a5a73da57ee883a0c070

Need to happen before we allocate and then leak the xefi. Found by
coverity via an xfsprogs libxfs scan.

[djwong: This also fixes the type of the @agbno argument.]

Fixes: 7dfee17b13e5 ("xfs: validate block number being freed before adding to xefi")
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>

diff --git a/libxfs/xfs_alloc.c b/libxfs/xfs_alloc.c
index db607f6a891f3cd77009af4bcf8af5fde1b53afe..b074d3fa1b6f7f32966dddb33d02894525a7fcd9 100644 (file)
--- a/libxfs/xfs_alloc.c
+++ b/libxfs/xfs_alloc.c
@@ -2466,25 +2466,26 @@ static int
 xfs_defer_agfl_block(
        struct xfs_trans                *tp,
        xfs_agnumber_t                  agno,
-       xfs_fsblock_t                   agbno,
+       xfs_agblock_t                   agbno,
        struct xfs_owner_info           *oinfo)
 {
        struct xfs_mount                *mp = tp->t_mountp;
        struct xfs_extent_free_item     *xefi;
+       xfs_fsblock_t                   fsbno = XFS_AGB_TO_FSB(mp, agno, agbno);
 
        ASSERT(xfs_extfree_item_cache != NULL);
        ASSERT(oinfo != NULL);
 
+       if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, fsbno)))
+               return -EFSCORRUPTED;
+
        xefi = kmem_cache_zalloc(xfs_extfree_item_cache,
                               GFP_KERNEL | __GFP_NOFAIL);
-       xefi->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno);
+       xefi->xefi_startblock = fsbno;
        xefi->xefi_blockcount = 1;
        xefi->xefi_owner = oinfo->oi_owner;
        xefi->xefi_agresv = XFS_AG_RESV_AGFL;
 
-       if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, xefi->xefi_startblock)))
-               return -EFSCORRUPTED;
-
        trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);
 
        xfs_extent_free_get_group(mp, xefi);