[PATCH] btrfs: fix the resource leak issue in btrfs_iget()

Penglei Jiang posted 1 patch 9 months, 3 weeks ago
[PATCH] btrfs: fix the resource leak issue in btrfs_iget()
Posted by Penglei Jiang 9 months, 3 weeks ago
When btrfs_iget() returns an error, it does not use iget_failed() to mark
and release the inode. Now, we add the missing iget_failed() call.

Reported-by: Penglei Jiang <superman.xpt@gmail.com>
Closes: https://lore.kernel.org/all/20250421102425.44431-1-superman.xpt@gmail.com
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
---
 fs/btrfs/inode.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index cc67d1a2d611..61d7f3f94090 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -5681,16 +5681,22 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
 		return inode;
 
 	path = btrfs_alloc_path();
-	if (!path)
-		return ERR_PTR(-ENOMEM);
+	if (!path) {
+		ret = -ENOMEM;
+		goto bad_inode;
+	}
 
 	ret = btrfs_read_locked_inode(inode, path);
 	btrfs_free_path(path);
 	if (ret)
-		return ERR_PTR(ret);
+		goto bad_inode;
 
 	unlock_new_inode(&inode->vfs_inode);
 	return inode;
+
+bad_inode:
+	iget_failed(&inode->vfs_inode);
+	return ERR_PTR(ret);
 }
 
 static struct btrfs_inode *new_simple_dir(struct inode *dir,
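Review bot: the second `goto bad_inode`, taken when btrfs_read_locked_inode() returns an error, routes that failure through iget_failed() as well, which is only correct if the callee leaves the inode for the caller to release; if btrfs_read_locked_inode() already calls iget_failed() on its own error path, this hunk calls it twice on the same inode and drops the reference twice. Only the btrfs_alloc_path() failure visibly lacks a release here, so suggest limiting the new handling to that branch, e.g. `if (!path) { iget_failed(&inode->vfs_inode); return ERR_PTR(-ENOMEM); }`, leaving `if (ret) return ERR_PTR(ret);` as it was and dropping the label. A Fixes: tag naming the commit that removed the old path handling would also help stable backports.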
-- 
2.17.1
Re: [PATCH] btrfs: fix the resource leak issue in btrfs_iget()
Posted by Qu Wenruo 9 months, 3 weeks ago

On 2025/4/21 20:02, Penglei Jiang wrote:
> When btrfs_iget() returns an error, it does not use iget_failed() to mark
> and release the inode. Now, we add the missing iget_failed() call.
> 
> Reported-by: Penglei Jiang <superman.xpt@gmail.com>
> Closes: https://lore.kernel.org/all/20250421102425.44431-1-superman.xpt@gmail.com

IIRC this is not a syzbot report, although it's definitely a C 
reproducer from syzbot.

Thus I'm not sure if the closes: tag is correct.

> Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
> ---
>   fs/btrfs/inode.c | 12 +++++++++---
>   1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index cc67d1a2d611..61d7f3f94090 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -5681,16 +5681,22 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
>   		return inode;
>   
>   	path = btrfs_alloc_path();
> -	if (!path)
> -		return ERR_PTR(-ENOMEM);
> +	if (!path) {
> +		ret = -ENOMEM;
> +		goto bad_inode;
> +	}
>   
>   	ret = btrfs_read_locked_inode(inode, path);

On error, btrfs_read_locked_inode() has already called iget_failed() at 
out: tag.

>   	btrfs_free_path(path);
>   	if (ret)
> -		return ERR_PTR(ret);
> +		goto bad_inode;

So we will either underflow or use-after-free the inode.

It looks like only the btrfs_alloc_path() failure is missing the handling.

And the error looks like a regression caused by commit 7c855e16ab72 
("btrfs: remove conditional path allocation in 
btrfs_read_locked_inode()"), please add a fixes: tag for it, which is 
more important than the syzbot tag.

Thanks,
Qu

>   
>   	unlock_new_inode(&inode->vfs_inode);
>   	return inode;
> +
> +bad_inode:
> +	iget_failed(&inode->vfs_inode);
> +	return ERR_PTR(ret);
>   }
>   
>   static struct btrfs_inode *new_simple_dir(struct inode *dir,
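Review bot: the shared `bad_inode:` label only pays off if every failure path needs the same cleanup, and the inline comment above shows the two paths differ: after a failed btrfs_alloc_path() the inode is still held and must be released here, while after a failed btrfs_read_locked_inode() the callee has already released it. The label hides that asymmetry; suggest inlining the iget_failed() call in the `!path` branch only and keeping the plain `return ERR_PTR(ret);` after the read.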
[PATCH v2] btrfs: fix the resource leak issue in btrfs_iget()
Posted by Penglei Jiang 9 months, 3 weeks ago
When btrfs_iget() returns an error, it does not use iget_failed() to mark
and release the inode. Now, we add the missing iget_failed() call.

Fixes: 7c855e16ab72 ("btrfs: remove conditional path allocation in btrfs_read_locked_inode()")
Reported-by: Penglei Jiang <superman.xpt@gmail.com>
Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
---
V1 -> V2: Fixed the issue with multiple calls to btrfs_iget()

 fs/btrfs/inode.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index cc67d1a2d611..1cbf92ca748d 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -5681,8 +5681,10 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
 		return inode;
 
 	path = btrfs_alloc_path();
-	if (!path)
+	if (!path) {
+		iget_failed(&inode->vfs_inode);
 		return ERR_PTR(-ENOMEM);
+	}
 
 	ret = btrfs_read_locked_inode(inode, path);
 	btrfs_free_path(path);
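Review bot: the hunk now releases the inode only on btrfs_alloc_path() failure and leaves the `if (ret) return ERR_PTR(ret);` after btrfs_read_locked_inode() untouched, so the two error paths in this function follow different conventions: explicit iget_failed() here, release delegated to the callee there. That asymmetry is exactly what v1 got wrong, so a one-line comment on the unchanged return, e.g. `/* btrfs_read_locked_inode() already called iget_failed() on error */`, would keep the next reader from re-adding a double release.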
-- 
2.17.1
Re: [PATCH v2] btrfs: fix the resource leak issue in btrfs_iget()
Posted by Qu Wenruo 9 months, 3 weeks ago

On 2025/4/22 01:10, Penglei Jiang wrote:
> When btrfs_iget() returns an error, it does not use iget_failed() to mark
> and release the inode. Now, we add the missing iget_failed() call.
> 
> Fixes: 7c855e16ab72 ("btrfs: remove conditional path allocation in btrfs_read_locked_inode()")
> Reported-by: Penglei Jiang <superman.xpt@gmail.com>
> Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>

Now pushed to for-next branch, with some updates on the commit message.

https://github.com/btrfs/linux/commit/cfcd9ed0108925c8071e27e6d5a300adb74c1839

Appreciate your bug report and fix. It would be even better if you plan to 
continue your contribution to btrfs.

Thanks,
Qu

> ---
> V1 -> V2: Fixed the issue with multiple calls to btrfs_iget()
> 
>   fs/btrfs/inode.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index cc67d1a2d611..1cbf92ca748d 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -5681,8 +5681,10 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
>   		return inode;
>   
>   	path = btrfs_alloc_path();
> -	if (!path)
> +	if (!path) {
> +		iget_failed(&inode->vfs_inode);
>   		return ERR_PTR(-ENOMEM);
> +	}
>   
>   	ret = btrfs_read_locked_inode(inode, path);
>   	btrfs_free_path(path);
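Review bot: the commit message says btrfs_iget() "does not use iget_failed()" when it returns an error, but the hunk touches only the btrfs_alloc_path() failure branch and deliberately leaves the error return after btrfs_read_locked_inode() alone. Suggest narrowing the message to the path-allocation failure so it matches what the diff changes; the update mentioned when pushing would be a good place for that wording.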

Re: [PATCH v2] btrfs: fix the resource leak issue in btrfs_iget()
Posted by Qu Wenruo 9 months, 3 weeks ago

On 2025/4/22 01:10, Penglei Jiang wrote:
> When btrfs_iget() returns an error, it does not use iget_failed() to mark
> and release the inode. Now, we add the missing iget_failed() call.
> 
> Fixes: 7c855e16ab72 ("btrfs: remove conditional path allocation in btrfs_read_locked_inode()")
> Reported-by: Penglei Jiang <superman.xpt@gmail.com>
> Signed-off-by: Penglei Jiang <superman.xpt@gmail.com>
> ---
> V1 -> V2: Fixed the issue with multiple calls to btrfs_iget()

Looks good to me.

Reviewed-by: Qu Wenruo <wqu@suse.com>

Thanks,
Qu

> 
>   fs/btrfs/inode.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index cc67d1a2d611..1cbf92ca748d 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -5681,8 +5681,10 @@ struct btrfs_inode *btrfs_iget(u64 ino, struct btrfs_root *root)
>   		return inode;
>   
>   	path = btrfs_alloc_path();
> -	if (!path)
> +	if (!path) {
> +		iget_failed(&inode->vfs_inode);
>   		return ERR_PTR(-ENOMEM);
> +	}
>   
>   	ret = btrfs_read_locked_inode(inode, path);
>   	btrfs_free_path(path);