[PATCH] btrfs: fix double free in create_space_info() error path

[PATCH] btrfs: fix double free in create_space_info() error path

[Guangshuo Li]

When kobject_init_and_add() fails, btrfs_sysfs_add_space_info_type()
calls kobject_put(&space_info->kobj).

The kobject release callback space_info_release() frees space_info,
but the current error path in create_space_info() then calls
kfree(space_info) again, causing a double free.

Keep the direct kfree(space_info) for the earlier failure path, but
after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
the kobject release callback handle the cleanup.

Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 fs/btrfs/space-info.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
index 3f08e450f796..d7176eb2fcbf 100644
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -311,7 +311,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
 
 	ret = btrfs_sysfs_add_space_info_type(space_info);
 	if (ret)
-		goto out_free;
+		return ret;
 
 	list_add(&space_info->list, &info->space_info);
 	if (flags & BTRFS_BLOCK_GROUP_DATA)
-- 
2.43.0

Re: [PATCH] btrfs: fix double free in create_space_info() error path

[Qu Wenruo]

在 2026/4/1 13:43, Guangshuo Li 写道:
> When kobject_init_and_add() fails, btrfs_sysfs_add_space_info_type()
> calls kobject_put(&space_info->kobj).
> 
> The kobject release callback space_info_release() frees space_info,
> but the current error path in create_space_info() then calls
> kfree(space_info) again, causing a double free.

Can you give an example call chain of where such space_info_release() is 
triggered?

> 
> Keep the direct kfree(space_info) for the earlier failure path, but
> after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
> the kobject release callback handle the cleanup.
> 
> Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> ---
>   fs/btrfs/space-info.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
> index 3f08e450f796..d7176eb2fcbf 100644
> --- a/fs/btrfs/space-info.c
> +++ b/fs/btrfs/space-info.c
> @@ -311,7 +311,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
>   
>   	ret = btrfs_sysfs_add_space_info_type(space_info);
>   	if (ret)
> -		goto out_free;
> +		return ret;
>   
>   	list_add(&space_info->list, &info->space_info);
>   	if (flags & BTRFS_BLOCK_GROUP_DATA)

Re: [PATCH] btrfs: fix double free in create_space_info() error path

[Guangshuo Li]

Hi Qu,

Thanks for looking at this.

I checked this on my tree at:

`v6.19-rc8-214-ge7aa57247700`

My understanding of the failure path is as follows.

In `create_space_info()`:

```c
ret = btrfs_sysfs_add_space_info_type(space_info);
if (ret)
goto out_free;
...
out_free:
kfree(space_info);
return ret;
```

And in `btrfs_sysfs_add_space_info_type()`:

```c
ret = kobject_init_and_add(&space_info->kobj, &space_info_ktype,
   space_info->fs_info->space_info_kobj, "%s",
   alloc_name(space_info));
if (ret) {
kobject_put(&space_info->kobj);
return ret;
}
```

The `kobj_type` has:

```c
.release = space_info_release,
```

and:

```c
static void space_info_release(struct kobject *kobj)
{
struct btrfs_space_info *sinfo = to_space_info(kobj);
kfree(sinfo);
}
```

So the call chain I had in mind is:

`create_space_info()`
-> `btrfs_sysfs_add_space_info_type()`
-> `kobject_init_and_add()`
-> failure
-> `kobject_put(&space_info->kobj)`
-> `space_info_release()`
-> `kfree(space_info)`

and then control returns to `create_space_info()`:

`btrfs_sysfs_add_space_info_type()` returns error
-> `goto out_free`
-> `kfree(space_info)`

So my concern was that after `kobject_init_and_add()` has been called,
the cleanup is already handed to `kobject_put()` /
`space_info_release()`, and the later `kfree(space_info)` in
`create_space_info()` becomes a second free.

If my understanding of the `kobject_init_and_add()` failure path here
is incorrect, please let me know. I may be missing something.

Thanks,
Guangshuo

Qu Wenruo <wqu@suse.com> 于2026年4月1日周三 12:34写道：
>
>
>
> 在 2026/4/1 13:43, Guangshuo Li 写道:
> > When kobject_init_and_add() fails, btrfs_sysfs_add_space_info_type()
> > calls kobject_put(&space_info->kobj).
> >
> > The kobject release callback space_info_release() frees space_info,
> > but the current error path in create_space_info() then calls
> > kfree(space_info) again, causing a double free.
>
> Can you give an example call chain of where such space_info_release() is
> triggered?
>
> >
> > Keep the direct kfree(space_info) for the earlier failure path, but
> > after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
> > the kobject release callback handle the cleanup.
> >
> > Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> > ---
> >   fs/btrfs/space-info.c | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
> > index 3f08e450f796..d7176eb2fcbf 100644
> > --- a/fs/btrfs/space-info.c
> > +++ b/fs/btrfs/space-info.c
> > @@ -311,7 +311,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
> >
> >       ret = btrfs_sysfs_add_space_info_type(space_info);
> >       if (ret)
> > -             goto out_free;
> > +             return ret;
> >
> >       list_add(&space_info->list, &info->space_info);
> >       if (flags & BTRFS_BLOCK_GROUP_DATA)
>

Re: [PATCH] btrfs: fix double free in create_space_info() error path

[Qu Wenruo]

> 
> So the call chain I had in mind is:
> 
> `create_space_info()`
> -> `btrfs_sysfs_add_space_info_type()`
> -> `kobject_init_and_add()`
> -> failure
> -> `kobject_put(&space_info->kobj)`
> -> `space_info_release()`
> -> `kfree(space_info)`
> 
> and then control returns to `create_space_info()`:
> 
> `btrfs_sysfs_add_space_info_type()` returns error
> -> `goto out_free`
> -> `kfree(space_info)`

Please add those two parts into the changelog.

Otherwise the current one fix is good to me, for this particular call site.

> 
> So my concern was that after `kobject_init_and_add()` has been called,
> the cleanup is already handed to `kobject_put()` /
> `space_info_release()`, and the later `kfree(space_info)` in
> `create_space_info()` becomes a second free.
> 
> If my understanding of the `kobject_init_and_add()` failure path here
> is incorrect, please let me know. I may be missing something.

Furthermore, there is a similar bug in create_space_info_sub_group() and 
all other locations.

Personally speaking, I do not like the idea of releasing the space_info 
through the callback at all.

It breaks the common scheme where who allocates the memory should free 
it, now we have different handling before and after 
kobject_init_and_add(), which is causing all kinds of problems.

But I'm afraid that's the way we have to go.

Thanks,
Qu

> 
> Thanks,
> Guangshuo
> 
> Qu Wenruo <wqu@suse.com> 于2026年4月1日周三 12:34写道：
>>
>>
>>
>> 在 2026/4/1 13:43, Guangshuo Li 写道:
>>> When kobject_init_and_add() fails, btrfs_sysfs_add_space_info_type()
>>> calls kobject_put(&space_info->kobj).
>>>
>>> The kobject release callback space_info_release() frees space_info,
>>> but the current error path in create_space_info() then calls
>>> kfree(space_info) again, causing a double free.
>>
>> Can you give an example call chain of where such space_info_release() is
>> triggered?
>>
>>>
>>> Keep the direct kfree(space_info) for the earlier failure path, but
>>> after btrfs_sysfs_add_space_info_type() has called kobject_put(), let
>>> the kobject release callback handle the cleanup.
>>>
>>> Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths")
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
>>> ---
>>>    fs/btrfs/space-info.c | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
>>> index 3f08e450f796..d7176eb2fcbf 100644
>>> --- a/fs/btrfs/space-info.c
>>> +++ b/fs/btrfs/space-info.c
>>> @@ -311,7 +311,7 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
>>>
>>>        ret = btrfs_sysfs_add_space_info_type(space_info);
>>>        if (ret)
>>> -             goto out_free;
>>> +             return ret;
>>>
>>>        list_add(&space_info->list, &info->space_info);
>>>        if (flags & BTRFS_BLOCK_GROUP_DATA)
>>