[PATCH] btrfs: fix qgroup extent_changeset leak in page_mkwrite

[PATCH] btrfs: fix qgroup extent_changeset leak in page_mkwrite

[Ahmet Eray Karadag]

syzbot reported a memory leak originating from ulist_prealloc()
called from qgroup_reserve_data() in the btrfs_page_mkwrite()
path. When btrfs_check_data_free_space() succeeds and
btrfs_delalloc_reserve_metadata() later fails, we free the data
reservation via btrfs_free_reserved_data_space(), but we never
free the extent_changeset pointed to by data_reserved.

Add the missing extent_changeset_free(data_reserved) in this
error path, matching the other exit paths in btrfs_page_mkwrite()
and the failure handling in btrfs_check_data_free_space().

Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
---
 fs/btrfs/file.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index 7a501e73d880..4b05e72249e2 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1910,6 +1910,8 @@ static vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
 		if (!only_release_metadata)
 			btrfs_free_reserved_data_space(inode, data_reserved,
 						       page_start, reserved_space);
+		extent_changeset_free(data_reserved);
+		data_reserved = NULL;
 		goto out_noreserve;
 	}
 
-- 
2.43.0

Re: [PATCH] btrfs: fix qgroup extent_changeset leak in page_mkwrite

[Qu Wenruo]

在 2025/12/12 15:39, Ahmet Eray Karadag 写道:
> syzbot reported a memory leak originating from ulist_prealloc()
> called from qgroup_reserve_data() in the btrfs_page_mkwrite()
> path. When btrfs_check_data_free_space() succeeds and
> btrfs_delalloc_reserve_metadata() later fails, we free the data
> reservation via btrfs_free_reserved_data_space(), but we never
> free the extent_changeset pointed to by data_reserved.
> 
> Add the missing extent_changeset_free(data_reserved) in this
> error path, matching the other exit paths in btrfs_page_mkwrite()
> and the failure handling in btrfs_check_data_free_space().
> 
> Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>

Already fixed by this patch.

https://lore.kernel.org/linux-btrfs/ab2ab25d0598c04467a62e9e88c9131cec159c48.1765454225.git.fdmanana@suse.com/

And your fix doesn't even have a proper fixes: tag.

> ---
>   fs/btrfs/file.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
> index 7a501e73d880..4b05e72249e2 100644
> --- a/fs/btrfs/file.c
> +++ b/fs/btrfs/file.c
> @@ -1910,6 +1910,8 @@ static vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
>   		if (!only_release_metadata)
>   			btrfs_free_reserved_data_space(inode, data_reserved,
>   						       page_start, reserved_space);
> +		extent_changeset_free(data_reserved);
> +		data_reserved = NULL;
>   		goto out_noreserve;
>   	}
>   

Re: [PATCH] btrfs: fix qgroup extent_changeset leak in page_mkwrite

[David Sterba]

On Fri, Dec 12, 2025 at 08:09:48AM +0300, Ahmet Eray Karadag wrote:
> syzbot reported a memory leak originating from ulist_prealloc()
> called from qgroup_reserve_data() in the btrfs_page_mkwrite()
> path. When btrfs_check_data_free_space() succeeds and
> btrfs_delalloc_reserve_metadata() later fails, we free the data
> reservation via btrfs_free_reserved_data_space(), but we never
> free the extent_changeset pointed to by data_reserved.
> 
> Add the missing extent_changeset_free(data_reserved) in this
> error path, matching the other exit paths in btrfs_page_mkwrite()
> and the failure handling in btrfs_check_data_free_space().
> 
> Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>

Thanks a fix is already available and will be in linux-next. Pull
request with the fix will be sent after rc1.