From: Chandan Rajendra
To: Liu Bo
Cc: linux-btrfs@vger.kernel.org
Subject: Re: [PATCH] Btrfs: fix double free of fs root
Date: Thu, 30 Jun 2016 12:07:38 +0530
In-Reply-To: <1467146678-29046-1-git-send-email-bo.li.liu@oracle.com>
References: <1467146678-29046-1-git-send-email-bo.li.liu@oracle.com>
Message-Id: <112869240.CXvaV4uli8@localhost.localdomain>

On Tuesday, June 28, 2016 01:44:38 PM Liu Bo wrote:
> I got this warning while mounting a btrfs image,
>
> [ 3020.509606] ------------[ cut here ]------------
> [ 3020.510107] WARNING: CPU: 3 PID: 5581 at lib/idr.c:1051 ida_remove+0xca/0x190
> [ 3020.510853] ida_remove called for id=42 which is not allocated.
> [ 3020.511466] Modules linked in:
> [ 3020.511802] CPU: 3 PID: 5581 Comm: mount Not tainted 4.7.0-rc5+ #274
> [ 3020.512438] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
> [ 3020.513385]  0000000000000286 0000000021295d86 ffff88006c66b8f0 ffffffff8182ba5a
> [ 3020.514153]  0000000000000000 0000000000000009 ffff88006c66b930 ffffffff810e0ed7
> [ 3020.514928]  0000041b00000000 ffffffff8289a8c0 ffff88007f437880 0000000000000000
> [ 3020.515717] Call Trace:
> [ 3020.515965]  [] dump_stack+0xc9/0x13f
> [ 3020.516487]  [] __warn+0x147/0x160
> [ 3020.517005]  [] warn_slowpath_fmt+0x5f/0x80
> [ 3020.517572]  [] ida_remove+0xca/0x190
> [ 3020.518075]  [] free_anon_bdev+0x2c/0x60
> [ 3020.518609]  [] free_fs_root+0x13f/0x160
> [ 3020.519138]  [] btrfs_get_fs_root+0x379/0x3d0
> [ 3020.519710]  [] ? __mutex_unlock_slowpath+0x155/0x2c0
> [ 3020.520366]  [] open_ctree+0x2e91/0x3200
> [ 3020.520965]  [] btrfs_mount+0x1322/0x15b0
> [ 3020.521536]  [] ? kmemleak_alloc_percpu+0x44/0x170
> [ 3020.522167]  [] ? lockdep_init_map+0x61/0x210
> [ 3020.522780]  [] mount_fs+0x49/0x2c0
> [ 3020.523305]  [] vfs_kern_mount+0xac/0x1b0
> [ 3020.523872]  [] btrfs_mount+0x421/0x15b0
> [ 3020.524402]  [] ? kmemleak_alloc_percpu+0x44/0x170
> [ 3020.525045]  [] ? lockdep_init_map+0x61/0x210
> [ 3020.525657]  [] ? lockdep_init_map+0x61/0x210
> [ 3020.526289]  [] mount_fs+0x49/0x2c0
> [ 3020.526803]  [] vfs_kern_mount+0xac/0x1b0
> [ 3020.527365]  [] do_mount+0x41a/0x1770
> [ 3020.527899]  [] ? strndup_user+0x6d/0xc0
> [ 3020.528447]  [] ? memdup_user+0x78/0xb0
> [ 3020.528987]  [] SyS_mount+0x150/0x160
> [ 3020.529493]  [] entry_SYSCALL_64_fastpath+0x1f/0xbd
>
> It turns out that we free fs root twice, btrfs_init_fs_root() calls
> free_anon_bdev(root->anon_dev) and later btrfs_get_fs_root() calls
> free_fs_root which does another free_anon_bdev() and it ends up with the
> above warning.
>
> Instead of resetting root->anon_dev to 0 after free_anon_bdev(), we can let
> btrfs_init_fs_root() return directly since its callers have already done
> the free job by calling free_fs_root().

Looks good to me. Thanks for fixing this.

Reviewed-by: Chandan Rajendra

-- 
chandan
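Added example, not code from the patch or from the kernel: a small C model of the cleanup-ownership bug the commit message describes. A bitmap stands in for the anon_dev IDA and a counter stands in for the ida_remove WARN; get_anon_bdev/free_anon_bdev/free_fs_root keep the kernel's names but have simplified bodies, and the init failure is injected rather than real.

```c
#include <errno.h>
#include <stdbool.h>
/* Toy replacements (not the kernel's code) for the anon_dev IDA and its WARN:
 * ids start at 1 so 0 means "none held"; freeing an unheld id is counted. */
#define MAX_IDS 8
static bool id_in_use[MAX_IDS];
static int double_frees;        /* stands in for "ida_remove called for id=... not allocated" */

static int get_anon_bdev(void)
{
    for (int i = 1; i < MAX_IDS; i++)
        if (!id_in_use[i]) { id_in_use[i] = true; return i; }
    return -ENOSPC;
}
static void free_anon_bdev(int id)
{
    if (id <= 0 || id >= MAX_IDS || !id_in_use[id]) { double_frees++; return; }
    id_in_use[id] = false;
}
struct fs_root { int anon_dev; };
/* Caller-side cleanup: releases whatever the root still records as held. */
static void free_fs_root(struct fs_root *root)
{
    if (root->anon_dev > 0) free_anon_bdev(root->anon_dev);
}
/* Before the patch: the callee frees anon_dev on its error path but leaves
 * root->anon_dev set, so the caller's free_fs_root() frees the same id again. */
static int init_fs_root_buggy(struct fs_root *root)
{
    root->anon_dev = get_anon_bdev();
    free_anon_bdev(root->anon_dev); /* a later init step is made to fail */
    return -ENOMEM;
}
/* After the patch: return directly and let the caller release the id once. */
static int init_fs_root_fixed(struct fs_root *root)
{
    root->anon_dev = get_anon_bdev();
    return -ENOMEM;                 /* same injected failure, no local free */
}

/* The caller's pattern (btrfs_get_fs_root): on init failure call free_fs_root().
 * Returns the double-free count; *leaked is the number of ids still marked held. */
static int get_fs_root_failure(int (*init)(struct fs_root *), int *leaked)
{
    struct fs_root root = { 0 };
    for (int i = 0; i < MAX_IDS; i++) id_in_use[i] = false;
    double_frees = *leaked = 0;
    if (init(&root)) free_fs_root(&root);
    for (int i = 1; i < MAX_IDS; i++) *leaked += id_in_use[i];
    return double_frees;
}
```

Running the failure path with the buggy init reports one double free; with the fixed init it reports none, and in both cases no id is left allocated, which is why dropping the callee's free (rather than zeroing anon_dev) is sufficient.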