public inbox for linux-btrfs@vger.kernel.org
From: Qu Wenruo <quwenruo.btrfs@gmx.com>
To: Penglei Jiang <superman.xpt@gmail.com>,
	clm@fb.com, josef@toxicpanda.com, dsterba@suse.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] btrfs: fix the resource leak issue in btrfs_iget()
Date: Mon, 21 Apr 2025 20:12:37 +0930
Message-ID: <9e7babf0-310f-40cd-9935-36ef2cebb63f@gmx.com>
In-Reply-To: <20250421103252.44509-1-superman.xpt@gmail.com>



On 2025/4/21 20:02, Penglei Jiang wrote:
> When btrfs_iget() returns an error, it does not use iget_failed() to mark
> and release the inode. Now, we add the missing iget_failed() call.
> 
> Reported-by: Penglei Jiang <superman.xpt@gmail.com>
> Closes: https://lore.kernel.org/all/20250421102425.44431-1-superman.xpt@gmail.com

IIRC this is not a syzbot report, although it's definitely a C 
reproducer from syzbot.

Thus I'm not sure if the closes: tag is correct.

> Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
> ---
>   fs/btrfs/inode.c | 12 +++++++++---
>   1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index cc67d1a2d611..61d7f3f94090 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -5681,16 +5681,22 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
>   		return inode;
>   
>   	path = btrfs_alloc_path();
> -	if (!path)
> -		return ERR_PTR(-ENOMEM);
> +	if (!path) {
> +		ret = -ENOMEM;
> +		goto bad_inode;
> +	}
>   
>   	ret = btrfs_read_locked_inode(inode, path);

On error, btrfs_read_locked_inode() has already called iget_failed() at 
the out: tag.

>   	btrfs_free_path(path);
>   	if (ret)
> -		return ERR_PTR(ret);
> +		goto bad_inode;

So we will either underflow or use-after-free the inode.

It looks like only the btrfs_alloc_path() failure is missing the handling.

And the error looks like a regression caused by commit 7c855e16ab72 
("btrfs: remove conditional path allocation in 
btrfs_read_locked_inode()"), please add a fixes: tag for it, which is 
more important than the syzbot tag.

Thanks,
Qu

>   
>   	unlock_new_inode(&inode->vfs_inode);
>   	return inode;
> +
> +bad_inode:
> +	iget_failed(&inode->vfs_inode);
> +	return ERR_PTR(ret);
>   }
>   
>   static struct btrfs_inode *new_simple_dir(struct inode *dir,
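
Review bot: The `if (ret) goto bad_inode;` after btrfs_read_locked_inode() sends that failure through iget_failed() at the new bad_inode label, and the reply states that btrfs_read_locked_inode() has already called iget_failed() on its own error path, so the inode would be released twice. Keep `return ERR_PTR(ret);` there and reach iget_failed() only from the `!path` branch; with a single caller left, the label can be dropped in favour of calling iget_failed() inline. The commit message also lacks the Fixes: tag for commit 7c855e16ab72 that the reply asks for.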

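A userspace model of the error-path ownership problem raised in the reply above, added here as an illustration; it is not code from the patch or from btrfs. `struct obj`, `obj_failed()`, `read_locked()`, the two `get_*` functions and `final_refs()` are hypothetical stand-ins, and tracking a single `refs` counter is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy stand-in for a locked new inode; refs == 1 is the caller's reference. */
struct obj { int refs; };

/* Models iget_failed(): the object gives up its reference. */
static void obj_failed(struct obj *o) { o->refs--; }

/* Callee that releases on its own error path (behaviour taken from the reply). */
static int read_locked(struct obj *o, bool fail)
{
    if (fail) { obj_failed(o); return -5; }        /* -EIO */
    return 0;
}

/* Error handling shaped like the posted patch: both failures hit bad_obj. */
static int get_as_posted(struct obj *o, bool alloc_fail, bool read_fail)
{
    int ret;
    if (alloc_fail) { ret = -12; goto bad_obj; }   /* -ENOMEM */
    ret = read_locked(o, read_fail);
    if (ret) goto bad_obj;                         /* callee already released */
    return 0;
bad_obj:
    obj_failed(o);
    return ret;
}

/* Narrowed handling: release here only when the callee never ran. */
static int get_narrowed(struct obj *o, bool alloc_fail, bool read_fail)
{
    if (alloc_fail) { obj_failed(o); return -12; }
    return read_locked(o, read_fail);
}

/* Final refcount for one scenario: 1 held, 0 released once, -1 released twice. */
int final_refs(bool posted, bool alloc_fail, bool read_fail)
{
    struct obj o = { .refs = 1 };
    if (posted) get_as_posted(&o, alloc_fail, read_fail);
    else get_narrowed(&o, alloc_fail, read_fail);
    return o.refs;
}

int main(void)
{
    printf("posted=%d narrowed=%d\n", final_refs(true, false, true), final_refs(false, false, true));
    return 0;
}
```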

Thread overview: 5+ messages
2025-04-21 10:32 [PATCH] btrfs: fix the resource leak issue in btrfs_iget() Penglei Jiang
2025-04-21 10:42 ` Qu Wenruo [this message]
2025-04-21 15:40   ` [PATCH v2] " Penglei Jiang
2025-04-21 20:12     ` Qu Wenruo
2025-04-22  4:09     ` Qu Wenruo
