[PATCH] btrfs: qgroup: fix memory leak when add_qgroup_item() fails

Deepanshu Kartikey posted 1 patch 2 days ago
Posted by Deepanshu Kartikey 2 days ago
If add_qgroup_item() fails, we jump to the out label without freeing the
preallocated qgroup structure. This causes a memory leak and triggers
the ASSERT(prealloc == NULL) assertion.

Fix this by freeing prealloc and setting it to NULL before jumping to
the out label when add_qgroup_item() fails.

Reported-by: syzbot+803e4cb8245b52928347@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=803e4cb8245b52928347
Fixes: 8d54518b5e52 ("btrfs: qgroup: pre-allocate btrfs_qgroup to reduce GFP_ATOMIC usage")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/btrfs/qgroup.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 9e2b53e90dcb..4dbf6d2d2aaa 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1671,8 +1671,11 @@ int btrfs_create_qgroup(struct btrfs_trans_handle *trans, u64 qgroupid)
 	}
 
 	ret = add_qgroup_item(trans, quota_root, qgroupid);
-	if (ret)
+	if (ret) {
+		kfree(prealloc);
+		prealloc = NULL;
 		goto out;
+	}
 
 	spin_lock(&fs_info->qgroup_lock);
 	qgroup = add_qgroup_rb(fs_info, prealloc, qgroupid);
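Review bot: the kfree(prealloc); prealloc = NULL; pair is added at a single error site, which is fragile because the out label (per the commit message) asserts prealloc == NULL instead of freeing it, so every other early exit between the allocation and add_qgroup_rb() taking ownership must repeat the same two lines; the closing brace visible above the add_qgroup_item() call shows there is at least one earlier block on that path. The more robust shape is to set prealloc = NULL immediately after add_qgroup_rb() consumes it and replace the ASSERT at out with an unconditional kfree(prealloc), which is a no-op for NULL. Also, the replies in this thread say the leak is already fixed differently in the btrfs for-next branch (commit b95d1588dd2395d0fa1cd3ecf368b2dcec5445ff, present in linux-next) and that the Fixes: tag names a commit at which the code was still correct, so the tag should be re-bisected before any resend.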
-- 
2.43.0
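The ownership pattern behind this bug, as an added user-space model that is not btrfs code and not part of the original patch: a structure is preallocated outside the lock, then either handed to the tree (add_qgroup_rb takes ownership) or freed on every early exit. The function names mirror btrfs_create_qgroup(), but add_qgroup_item() and add_qgroup_rb() are stubs, fail_add_item is a constructed fault-injection switch, the tracked[] array is a constructed leak detector, and assert_tripped stands in for the ASSERT(prealloc == NULL) the commit message mentions. create_qgroup_leaky() reproduces the buggy shape; create_qgroup_fixed() shows the centralized alternative (single free at out) rather than the inline kfree the patch adds.

```c
/* Added example, not btrfs code: user-space model of "preallocate, then
 * hand off or free" in btrfs_create_qgroup(). All names here are stubs. */
#include <stdio.h>
#include <stdlib.h>

struct qgroup { unsigned long long id; struct qgroup *next; };

#define MAX_TRACK 16
static struct qgroup *tracked[MAX_TRACK]; /* constructed leak detector: live allocations */
static int ntracked;
static struct qgroup *rb_head;            /* stands in for fs_info->qgroup_tree */
static int fail_add_item;                 /* constructed fault injection for add_qgroup_item() */
static int assert_tripped;                /* models ASSERT(prealloc == NULL) at the out label */

static struct qgroup *qgroup_alloc(void)
{
	struct qgroup *q = calloc(1, sizeof(*q));
	if (q && ntracked < MAX_TRACK)
		tracked[ntracked++] = q;
	return q;
}

static void qgroup_free(struct qgroup *q)   /* like kfree(): NULL is a no-op */
{
	for (int i = 0; q && i < ntracked; i++)
		if (tracked[i] == q)
			tracked[i] = NULL;
	free(q);
}

static int add_qgroup_item(unsigned long long id)   /* stub: on-disk insert */
{
	(void)id;
	return fail_add_item ? -5 : 0;   /* -EIO when failure is injected */
}

/* Stub: takes ownership of prealloc and links it into the tree. */
static struct qgroup *add_qgroup_rb(struct qgroup *prealloc, unsigned long long id)
{
	prealloc->id = id;
	prealloc->next = rb_head;
	rb_head = prealloc;
	return prealloc;
}

/* Buggy shape: the error path jumps to out while prealloc is still owned. */
static int create_qgroup_leaky(unsigned long long id)
{
	struct qgroup *prealloc = qgroup_alloc();
	int ret;

	if (!prealloc)
		return -12;          /* -ENOMEM */
	ret = add_qgroup_item(id);
	if (ret)
		goto out;            /* BUG: prealloc is neither freed nor handed off */
	add_qgroup_rb(prealloc, id);
	prealloc = NULL;             /* ownership moved to the tree */
out:
	if (prealloc)                /* ASSERT(prealloc == NULL) would fire here */
		assert_tripped++;
	return ret;
}

/* Centralized shape: one free at out, so every early exit is covered. */
static int create_qgroup_fixed(unsigned long long id)
{
	struct qgroup *prealloc = qgroup_alloc();
	int ret;

	if (!prealloc)
		return -12;
	ret = add_qgroup_item(id);
	if (ret)
		goto out;
	add_qgroup_rb(prealloc, id);
	prealloc = NULL;             /* tree owns it now; out must not free it */
out:
	qgroup_free(prealloc);
	return ret;
}

static int in_tree(const struct qgroup *q)
{
	for (struct qgroup *p = rb_head; p; p = p->next)
		if (p == q)
			return 1;
	return 0;
}

static void reset_state(void)
{
	for (int i = 0; i < ntracked; i++)
		free(tracked[i]);    /* also reclaims anything the leaky variant lost */
	ntracked = 0;
	rb_head = NULL;
	assert_tripped = 0;
}

/* Runs one create function under fault injection and returns the number of
 * allocations that were neither freed nor linked into the tree (leaked). */
static int leaked_objects(int (*create)(unsigned long long), int inject_fail, int *ret_out)
{
	int leaked = 0;

	reset_state();
	fail_add_item = inject_fail;
	int ret = create(256);
	if (ret_out)
		*ret_out = ret;
	for (int i = 0; i < ntracked; i++)
		if (tracked[i] && !in_tree(tracked[i]))
			leaked++;
	return leaked;
}

int main(void)
{
	int ret;
	int l = leaked_objects(create_qgroup_leaky, 1, &ret);
	printf("leaky: ret=%d leaked=%d assert_tripped=%d\n", ret, l, assert_tripped);
	l = leaked_objects(create_qgroup_fixed, 1, &ret);
	printf("fixed: ret=%d leaked=%d assert_tripped=%d\n", ret, l, assert_tripped);
	reset_state();
	return 0;
}
```

The constructed detector is what syzbot's kmemleak report amounts to in miniature: an object that is reachable from neither the tree nor any stack variable after the function returns. The centralized shape also makes the review question mechanical, since the only invariant to check is that prealloc is cleared exactly where ownership transfers.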
Re: [PATCH] btrfs: qgroup: fix memory leak when add_qgroup_item() fails
Posted by David Sterba 1 day, 22 hours ago
On Fri, Dec 12, 2025 at 06:22:24AM +0530, Deepanshu Kartikey wrote:
> If add_qgroup_item() fails, we jump to the out label without freeing the
> preallocated qgroup structure. This causes a memory leak and triggers
> the ASSERT(prealloc == NULL) assertion.
> 
> Fix this by freeing prealloc and setting it to NULL before jumping to
> the out label when add_qgroup_item() fails.
> 
> Reported-by: syzbot+803e4cb8245b52928347@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=803e4cb8245b52928347
> Fixes: 8d54518b5e52 ("btrfs: qgroup: pre-allocate btrfs_qgroup to reduce GFP_ATOMIC usage")
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>

Thanks for the fix, this has been fixed in a different way by commit
https://github.com/btrfs/linux/commit/b95d1588dd2395d0fa1cd3ecf368b2dcec5445ff
and there were more problems than the one you fixed.

You're probably using master branch where this code is still broken so
the fix is present only in the development for-next branch. It's been in
linux-next.git though so you may want to check there first before
sending fixes.
Re: [PATCH] btrfs: qgroup: fix memory leak when add_qgroup_item() fails
Posted by Qu Wenruo 1 day, 22 hours ago

On 2025/12/12 13:33, David Sterba wrote:
> On Fri, Dec 12, 2025 at 06:22:24AM +0530, Deepanshu Kartikey wrote:
>> If add_qgroup_item() fails, we jump to the out label without freeing the
>> preallocated qgroup structure. This causes a memory leak and triggers
>> the ASSERT(prealloc == NULL) assertion.
>>
>> Fix this by freeing prealloc and setting it to NULL before jumping to
>> the out label when add_qgroup_item() fails.
>>
>> Reported-by: syzbot+803e4cb8245b52928347@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=803e4cb8245b52928347
>> Fixes: 8d54518b5e52 ("btrfs: qgroup: pre-allocate btrfs_qgroup to reduce GFP_ATOMIC usage")

And that's the wrong commit; at that commit things are still correct and 
there is no leakage.

>> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> 
> Thanks for the fix, this has been fixed in a different way by commit
> https://github.com/btrfs/linux/commit/b95d1588dd2395d0fa1cd3ecf368b2dcec5445ff
> and there were more problems than the one you fixed.
> 
> You're probably using master branch where this code is still broken so
> the fix is present only in the development for-next branch. It's been in
> linux-next.git though so you may want to check there first before
> sending fixes.