Message-ID: <9e7babf0-310f-40cd-9935-36ef2cebb63f@gmx.com>
Date: Mon, 21 Apr 2025 20:12:37 +0930
From: Qu Wenruo <quwenruo.btrfs@....com>
To: Penglei Jiang <superman.xpt@...il.com>, clm@...com, josef@...icpanda.com,
dsterba@...e.com
Cc: linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] btrfs: fix the resource leak issue in btrfs_iget()

On 2025/4/21 20:02, Penglei Jiang wrote:
> When btrfs_iget() returns an error, it does not use iget_failed() to mark
> and release the inode. Now, we add the missing iget_failed() call.
>
> Reported-by: Penglei Jiang <superman.xpt@...il.com>
> Closes: https://lore.kernel.org/all/20250421102425.44431-1-superman.xpt@gmail.com
IIRC this is not a syzbot report, although it's definitely a C
reproducer from syzbot.
Thus I'm not sure if the closes: tag is correct.
> Signed-off-by: Penglei Jiang <superman.xpt@...il.com>
> ---
> fs/btrfs/inode.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index cc67d1a2d611..61d7f3f94090 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -5681,16 +5681,22 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
> return inode;
>
> path = btrfs_alloc_path();
> - if (!path)
> - return ERR_PTR(-ENOMEM);
> + if (!path) {
> + ret = -ENOMEM;
> + goto bad_inode;
> + }
>
> ret = btrfs_read_locked_inode(inode, path);
On error, btrfs_read_locked_inode() has already called iget_failed() at
out: tag.
> btrfs_free_path(path);
> if (ret)
> - return ERR_PTR(ret);
> + goto bad_inode;

So we will either underflow or use-after-free the inode.

It looks like only the btrfs_alloc_path() failure is missing the handling.

And the error looks like a regression caused by commit 7c855e16ab72
("btrfs: remove conditional path allocation in
btrfs_read_locked_inode()"), please add a fixes: tag for it, which is
more important than the syzbot tag.

Thanks,
Qu

>
> unlock_new_inode(&inode->vfs_inode);
> return inode;
> +
> +bad_inode:
> + iget_failed(&inode->vfs_inode);
> + return ERR_PTR(ret);
> }
>
> static struct btrfs_inode *new_simple_dir(struct inode *dir,
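
Review bot: The second `goto bad_inode`, on the `if (ret)` path after btrfs_read_locked_inode(), would run iget_failed() on the inode a second time if, as the reply above states, btrfs_read_locked_inode() has already called iget_failed() at its out: label on error. Keep `return ERR_PTR(ret);` on that path and route only the btrfs_alloc_path() failure to bad_inode, since that is the one exit the original code takes without calling iget_failed(). The commit message should also carry a Fixes: tag for 7c855e16ab72, the commit the reply names as the source of the regression.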