From: Qu Wenruo <wqu@suse.com>
To: Guangshuo Li <lgs201920130244@gmail.com>,
Chris Mason <clm@fb.com>, David Sterba <dsterba@suse.com>,
Naohiro Aota <naohiro.aota@wdc.com>,
Johannes Thumshirn <johannes.thumshirn@wdc.com>,
linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: Re: [PATCH] btrfs: fix double free in create_space_info_sub_group() error path
Date: Thu, 2 Apr 2026 08:41:47 +1030 [thread overview]
Message-ID: <4e0a7845-a9c0-48f6-9bb8-102411ff0a11@suse.com> (raw)
In-Reply-To: <20260401110219.1517804-1-lgs201920130244@gmail.com>
在 2026/4/1 21:32, Guangshuo Li 写道:
> When kobject_init_and_add() fails, the call chain is:
>
> create_space_info_sub_group()
> -> btrfs_sysfs_add_space_info_type()
> -> kobject_init_and_add()
> -> failure
> -> kobject_put(&sub_group->kobj)
> -> space_info_release()
> -> kfree(sub_group)
>
> Then control returns to create_space_info_sub_group(), where:
>
> btrfs_sysfs_add_space_info_type() returns error
> -> kfree(sub_group)
>
> Thus, sub_group is freed twice.
>
> Keep parent->sub_group[index] = NULL for the failure path, but after
> btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
> kobject release callback handle the cleanup.
>
> Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
> ---
> fs/btrfs/space-info.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
> index d7176eb2fcbf..f5d0f587b755 100644
> --- a/fs/btrfs/space-info.c
> +++ b/fs/btrfs/space-info.c
> @@ -277,7 +277,6 @@ static int create_space_info_sub_group(struct btrfs_space_info *parent, u64 flag
>
> ret = btrfs_sysfs_add_space_info_type(sub_group);
> if (ret) {
> - kfree(sub_group);
> parent->sub_group[index] = NULL;
> }
For single line operation inside a if branch, we do not need the
brackets anymore.
I'll remove them during merge so you don't need to resend the patch.
Thanks,
Qu
> return ret;
prev parent reply other threads:[~2026-04-01 22:11 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-01 11:02 [PATCH] btrfs: fix double free in create_space_info_sub_group() error path Guangshuo Li
2026-04-01 22:11 ` Qu Wenruo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4e0a7845-a9c0-48f6-9bb8-102411ff0a11@suse.com \
--to=wqu@suse.com \
--cc=clm@fb.com \
--cc=dsterba@suse.com \
--cc=johannes.thumshirn@wdc.com \
--cc=lgs201920130244@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=naohiro.aota@wdc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox