xfs: validate block number being freed before adding to xefi

		if (err2 != -ENOSPC)

			goto resv_err;

		__xfs_free_extent_later(*tpp, args.fsbno, delta, NULL, true);

		err2 = __xfs_free_extent_later(*tpp, args.fsbno, delta, NULL,

				true);

		if (err2)

			goto resv_err;

		/*

		 * Roll the transaction before trying to re-init the per-ag

 * the real allocation can proceed. Deferring the free disconnects freeing up

 * the AGFL slot from freeing the block.

 */

STATIC void

static int

xfs_defer_agfl_block(

	struct xfs_trans		*tp,

	xfs_agnumber_t			agno,

	xefi->xefi_blockcount = 1;

	xefi->xefi_owner = oinfo->oi_owner;

	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbno(mp, xefi->xefi_startblock)))

		return -EFSCORRUPTED;

	trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);

	xfs_extent_free_get_group(mp, xefi);

	xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_AGFL_FREE, &xefi->xefi_list);

	return 0;

}

/*

 * Add the extent to the list of extents to be free at transaction end.

 * The list is maintained sorted (by block number).

 */

void

int

__xfs_free_extent_later(

	struct xfs_trans		*tp,

	xfs_fsblock_t			bno,

#endif

	ASSERT(xfs_extfree_item_cache != NULL);

	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, bno, len)))

		return -EFSCORRUPTED;

	xefi = kmem_cache_zalloc(xfs_extfree_item_cache,

			       GFP_KERNEL | __GFP_NOFAIL);

	xefi->xefi_startblock = bno;

	xfs_extent_free_get_group(mp, xefi);

	xfs_defer_add(tp, XFS_DEFER_OPS_TYPE_FREE, &xefi->xefi_list);

	return 0;

}

#ifdef DEBUG

			goto out_agbp_relse;

		/* defer agfl frees */

		xfs_defer_agfl_block(tp, args->agno, bno, &targs.oinfo);

		error = xfs_defer_agfl_block(tp, args->agno, bno, &targs.oinfo);

		if (error)

			goto out_agbp_relse;

	}

	targs.tp = tp;

	return bp->b_addr;

}

void __xfs_free_extent_later(struct xfs_trans *tp, xfs_fsblock_t bno,

int __xfs_free_extent_later(struct xfs_trans *tp, xfs_fsblock_t bno,

		xfs_filblks_t len, const struct xfs_owner_info *oinfo,

		bool skip_discard);

#define XFS_EFI_ATTR_FORK	(1U << 1) /* freeing attr fork block */

#define XFS_EFI_BMBT_BLOCK	(1U << 2) /* freeing bmap btree block */

static inline void

static inline int

xfs_free_extent_later(

	struct xfs_trans		*tp,

	xfs_fsblock_t			bno,

	xfs_filblks_t			len,

	const struct xfs_owner_info	*oinfo)

{

	__xfs_free_extent_later(tp, bno, len, oinfo, false);

	return __xfs_free_extent_later(tp, bno, len, oinfo, false);

}

	cblock = XFS_BUF_TO_BLOCK(cbp);

	if ((error = xfs_btree_check_block(cur, cblock, 0, cbp)))

		return error;

	xfs_rmap_ino_bmbt_owner(&oinfo, ip->i_ino, whichfork);

	xfs_free_extent_later(cur->bc_tp, cbno, 1, &oinfo);

	error = xfs_free_extent_later(cur->bc_tp, cbno, 1, &oinfo);

	if (error)

		return error;

	ip->i_nblocks--;

	xfs_trans_mod_dquot_byino(tp, ip, XFS_TRANS_DQ_BCOUNT, -1L);

	xfs_trans_binval(tp, cbp);

		if (xfs_is_reflink_inode(ip) && whichfork == XFS_DATA_FORK) {

			xfs_refcount_decrease_extent(tp, del);

		} else {

			__xfs_free_extent_later(tp, del->br_startblock,

			error = __xfs_free_extent_later(tp, del->br_startblock,

					del->br_blockcount, NULL,

					(bflags & XFS_BMAPI_NODISCARD) ||

					del->br_state == XFS_EXT_UNWRITTEN);

			if (error)

				goto done;

		}

	}

	struct xfs_trans	*tp = cur->bc_tp;

	xfs_fsblock_t		fsbno = XFS_DADDR_TO_FSB(mp, xfs_buf_daddr(bp));

	struct xfs_owner_info	oinfo;

	int			error;

	xfs_rmap_ino_bmbt_owner(&oinfo, ip->i_ino, cur->bc_ino.whichfork);

	xfs_free_extent_later(cur->bc_tp, fsbno, 1, &oinfo);

	ip->i_nblocks--;

	error = xfs_free_extent_later(cur->bc_tp, fsbno, 1, &oinfo);

	if (error)

		return error;

	ip->i_nblocks--;

	xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);

	xfs_trans_mod_dquot_byino(tp, ip, XFS_TRANS_DQ_BCOUNT, -1L);

	return 0;