Message-ID: <5ba227a9-034c-4e3e-964c-d13f8f3ec2b8@gmx.com>
Date: Fri, 26 Dec 2025 07:19:44 +1030
From: Qu Wenruo <quwenruo.btrfs@....com>
To: Zilin Guan <zilin@....edu.cn>, clm@...com
Cc: dsterba@...e.com, sunk67188@...il.com, dan.carpenter@...aro.org,
 linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org,
 jianhao.xu@....edu.cn
Subject: Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()



On 2025/12/25 20:57, Zilin Guan wrote:
> btrfs_alloc_dummy_root() allocates a root with a reference count of 1.
> Then btrfs_insert_fs_root() is used to insert the root into the fs_info.
> On success, it increments the reference count. On failure, it does not.
> 
> Currently, if btrfs_insert_fs_root() fails, the error handling path
> jumps to the out label immediately without decrementing the reference
> count of tmp_root, leading to a memory leak.
> 
> Fix this by calling btrfs_put_root() unconditionally after
> btrfs_insert_fs_root(). This correctly handles both cases: on success,
> it drops the local reference, leaving the root with the reference held
> by fs_info; on failure, it drops the sole reference, freeing the root.
> 
> Fixes: 4785e24fa5d23 ("btrfs: don't take an extra root ref at allocation time")
> Signed-off-by: Zilin Guan <zilin@....edu.cn>
> ---
>   fs/btrfs/tests/qgroup-tests.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/btrfs/tests/qgroup-tests.c b/fs/btrfs/tests/qgroup-tests.c
> index e9124605974b..0d51e0abaeac 100644
> --- a/fs/btrfs/tests/qgroup-tests.c
> +++ b/fs/btrfs/tests/qgroup-tests.c
> @@ -517,11 +517,11 @@ int btrfs_test_qgroups(u32 sectorsize, u32 nodesize)
>   	tmp_root->root_key.objectid = BTRFS_FS_TREE_OBJECTID;
>   	root->fs_info->fs_root = tmp_root;
>   	ret = btrfs_insert_fs_root(root->fs_info, tmp_root);
> +	btrfs_put_root(tmp_root);
>   	if (ret) {
>   		test_err("couldn't insert fs root %d", ret);
>   		goto out;

This will lead to double free.

If btrfs_insert_fs_root() failed, btrfs_put_root() will do the cleaning 
and free the root.

Then btrfs_free_dummy_root() will call btrfs_put_root() again on the
root, causing a use-after-free.

So your analysis is completely wrong.

Thanks,
Qu

>   	}
> -	btrfs_put_root(tmp_root);
>   
>   	tmp_root = btrfs_alloc_dummy_root(fs_info);
>   	if (IS_ERR(tmp_root)) {
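Review bot: moving `btrfs_put_root(tmp_root);` above the `if (ret)` check makes the failure path drop the local reference while `root->fs_info->fs_root`, assigned two lines before the insert, still points at the root; the reply above states that the cleanup reached via `goto out` calls btrfs_put_root() on it again through btrfs_free_dummy_root(), so on insert failure the root is freed here and then touched again during cleanup. Keep the put where the removed `btrfs_put_root(tmp_root);` sat, after the check, since on failure the fs_root pointer already hands the root to the cleanup path.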
> @@ -532,11 +532,11 @@ int btrfs_test_qgroups(u32 sectorsize, u32 nodesize)
>   
>   	tmp_root->root_key.objectid = BTRFS_FIRST_FREE_OBJECTID;
>   	ret = btrfs_insert_fs_root(root->fs_info, tmp_root);
> +	btrfs_put_root(tmp_root);
>   	if (ret) {
>   		test_err("couldn't insert fs root %d", ret);
>   		goto out;
>   	}
> -	btrfs_put_root(tmp_root);
>   
>   	test_msg("running qgroup tests");
>   	ret = test_no_shared_qgroup(root, sectorsize, nodesize);
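Review bot: unlike the first hunk, this root is never assigned to `root->fs_info->fs_root`, so whether the cleanup at `out` also puts a root that btrfs_insert_fs_root() rejected cannot be seen from these lines; the commit message should spell out who owns the root on that error path before the unconditional `btrfs_put_root(tmp_root);` is accepted, given that the reply above shows the equivalent change in the first hunk frees the root a second time.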

