From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com, Josef Bacik, Qu Wenruo, Filipe Manana, David Sterba, Sasha Levin
Subject: [PATCH 5.10 040/290] btrfs: fix leak of qgroup extent records after transaction abort
Date: Wed, 3 Jul 2024 12:37:01 +0200
Message-ID: <20240703102905.711430741@linuxfoundation.org>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240703102904.170852981@linuxfoundation.org>
References: <20240703102904.170852981@linuxfoundation.org>
User-Agent: quilt/0.67
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana

[ Upstream commit fb33eb2ef0d88e75564983ef057b44c5b7e4fded ]

Qgroup extent records are created when delayed ref heads are created and
then released after accounting extents at btrfs_qgroup_account_extents(),
called during the transaction commit path.

If a transaction is aborted we free the qgroup records by calling
btrfs_qgroup_destroy_extent_records() at btrfs_destroy_delayed_refs(),
unless we don't have delayed references. We are incorrectly assuming
that no delayed references means we don't have qgroup extents records.

We can currently have no delayed references because we ran them all
during a transaction commit and the transaction was aborted after that
due to some error in the commit path.

So fix this by ensuring we btrfs_qgroup_destroy_extent_records() at
btrfs_destroy_delayed_refs() even if we don't have any delayed references.

Reported-by: syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/0000000000004e7f980619f91835@google.com/
Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort")
CC: stable@vger.kernel.org # 6.1+
Reviewed-by: Josef Bacik
Reviewed-by: Qu Wenruo
Signed-off-by: Filipe Manana
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
--- fs/btrfs/disk-io.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 019f0925fa73c..c484c145c5d05 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c 
@@ -4442,19 +4442,11 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, struct btrfs_fs_info *fs_info) { struct rb_node *node; - struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_delayed_ref_root *delayed_refs = &trans->delayed_refs; struct btrfs_delayed_ref_node *ref; int ret = 0; - delayed_refs = &trans->delayed_refs; - spin_lock(&delayed_refs->lock); - if (atomic_read(&delayed_refs->num_entries) == 0) { - spin_unlock(&delayed_refs->lock); - btrfs_debug(fs_info, "delayed_refs has NO entry"); - return ret; - } - while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL) { struct btrfs_delayed_ref_head *head; struct rb_node *n; -- 2.43.0
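
Review bot: with the `num_entries == 0` early return gone, every call to btrfs_destroy_delayed_refs() now falls through to the `while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL)` loop, and the code that makes this safe is outside the hunk's context. Please confirm in the 5.10 tree that the path after the loop releases `delayed_refs->lock` and calls btrfs_qgroup_destroy_extent_records() when the tree is empty, since the removed branch was the only unlock visible here and the commit message's fix depends on that call being reached. The diffstat's 9 deletions are consistent with `spin_lock(&delayed_refs->lock);` staying as a context line rather than being removed, which is worth checking against the applied result because the loop walks `href_root` under that lock. Separately, the commit carries `CC: stable@vger.kernel.org # 6.1+` while this is queued for 5.10, so it is worth verifying that the commit named in the Fixes tag (81f7eb00ff5b) is present in 5.10 and that removing the early return does not change behaviour there beyond the leak fix.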