From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-btrfs-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:61573 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751130AbaIVUjk (ORCPT <rfc822;linux-btrfs@vger.kernel.org>);
	Mon, 22 Sep 2014 16:39:40 -0400
Message-ID: <54208907.1030001@redhat.com>
Date: Mon, 22 Sep 2014 15:39:35 -0500
From: Eric Sandeen <sandeen@redhat.com>
MIME-Version: 1.0
To: Wang Shilong <wangshilong1991@gmail.com>, linux-btrfs@vger.kernel.org
CC: Chris Murphy <lists@colorremedies.com>
Subject: Re: [PATCH] Btrfs-progs: super-recover: fix double free fs_devices
 memory
References: <5419BE1E.2020607@redhat.com> <1411030872-2235-1-git-send-email-wangshilong1991@gmail.com>
In-Reply-To: <1411030872-2235-1-git-send-email-wangshilong1991@gmail.com>
Content-Type: text/plain; charset=windows-1252
Sender: linux-btrfs-owner@vger.kernel.org
List-ID: <linux-btrfs.vger.kernel.org>

On 9/18/14 4:01 AM, Wang Shilong wrote:
> super-recover collects btrfs devices infomation using existed
> functions scan_one_devices().
> 
> Problem is fs_devices is freed twice in close_ctree() and
> free_recover_superblock() for super correction path.
> 
> Fix this problem by checking whether fs_devices memory
> have been freed before we free it.
> 
> Cc: Eric Sandeen <sandeen@redhat.com>
> Cc: Chris Murphy <lists@colorremedies.com>
> Signed-off-by: Wang Shilong <wangshilong1991@gmail.com>

That does seem to fix the testcase.  Thanks!

Acked-by: Eric Sandeen <sandeen@redhat.com>

> ---
>  super-recover.c | 13 +++----------
>  1 file changed, 3 insertions(+), 10 deletions(-)
> 
> diff --git a/super-recover.c b/super-recover.c
> index 767de4b..419b86a 100644
> --- a/super-recover.c
> +++ b/super-recover.c
> @@ -69,21 +69,11 @@ void init_recover_superblock(struct btrfs_recover_superblock *recover)
>  static
>  void free_recover_superblock(struct btrfs_recover_superblock *recover)
>  {
> -	struct btrfs_device *device;
>  	struct super_block_record *record;
>  
>  	if (!recover->fs_devices)
>  		return;
>  
> -	while (!list_empty(&recover->fs_devices->devices)) {
> -		device = list_entry(recover->fs_devices->devices.next,
> -				struct btrfs_device, dev_list);
> -		list_del_init(&device->dev_list);
> -		free(device->name);
> -		free(device);
> -	}
> -	free(recover->fs_devices);
> -
>  	while (!list_empty(&recover->good_supers)) {
>  		record = list_entry(recover->good_supers.next,
>  				struct super_block_record, list);
> @@ -341,6 +331,9 @@ int btrfs_recover_superblocks(const char *dname,
>  no_recover:
>  	recover_err_str(ret);
>  	free_recover_superblock(&recover);
> +	/* check if we have freed fs_deivces in close_ctree() */
> +	if (!root)
> +		btrfs_close_devices(recover.fs_devices);
>  	return ret;
>  }
>  
>