xfs: fix iunlock calls in xrep_adoption_trans_alloc

If the transaction allocation in xrep_adoption_trans_alloc fails, we
should drop only the locks that we took.  In this case this is
ILOCK_EXCL of both the orphanage and the file being repaired.  Dropping
any IOLOCK here is incorrect.

Found by fuzzing u3.sfdir3.list[1].name = zeroes in xfs/1546.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>

diff --git a/fs/xfs/scrub/orphanage.c b/fs/xfs/scrub/orphanage.c
index b1c6c60ee1da64eccc91d15ee5f8e2997c8fd9c1..2b142e6de8f3f3e1cae87093f35cc6bc47f61e94 100644 (file)
--- a/fs/xfs/scrub/orphanage.c
+++ b/fs/xfs/scrub/orphanage.c
@@ -382,7 +382,7 @@ xrep_adoption_trans_alloc(
 out_cancel:
        xchk_trans_cancel(sc);
        xrep_orphanage_iunlock(sc, XFS_ILOCK_EXCL);
-       xrep_orphanage_iunlock(sc, XFS_IOLOCK_EXCL);
+       xchk_iunlock(sc, XFS_ILOCK_EXCL);
        return error;
 }