syzbot reported a memory leak originating from ulist_prealloc()
called from qgroup_reserve_data() in the btrfs_page_mkwrite()
path. When btrfs_check_data_free_space() succeeds and
btrfs_delalloc_reserve_metadata() later fails, we free the data
reservation via btrfs_free_reserved_data_space(), but we never
free the extent_changeset pointed to by data_reserved.
Add the missing extent_changeset_free(data_reserved) in this
error path, matching the other exit paths in btrfs_page_mkwrite()
and the failure handling in btrfs_check_data_free_space().
Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>
---
fs/btrfs/file.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index 7a501e73d880..4b05e72249e2 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1910,6 +1910,8 @@ static vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
if (!only_release_metadata)
btrfs_free_reserved_data_space(inode, data_reserved,
page_start, reserved_space);
+ extent_changeset_free(data_reserved);
+ data_reserved = NULL;
goto out_noreserve;
}
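Review bot: The two added lines sit after the `if (!only_release_metadata)` guard rather than inside it, so `extent_changeset_free(data_reserved)` also runs when only metadata is being released. The commit message describes only the case where btrfs_check_data_free_space() succeeded, so it should state what `data_reserved` holds on the other path and why freeing it there is correct. The `data_reserved = NULL;` assignment is needed only if code reached through `goto out_noreserve` touches the pointer again; if it does not, drop the assignment, and if it does, a single free at the common exit would be simpler than one per error branch. The trailer block also carries no Fixes: tag naming the commit that introduced the leak.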
--
2.43.0
On Fri, Dec 12, 2025 at 08:09:48AM +0300, Ahmet Eray Karadag wrote:
> syzbot reported a memory leak originating from ulist_prealloc()
> called from qgroup_reserve_data() in the btrfs_page_mkwrite()
> path. When btrfs_check_data_free_space() succeeds and
> btrfs_delalloc_reserve_metadata() later fails, we free the data
> reservation via btrfs_free_reserved_data_space(), but we never
> free the extent_changeset pointed to by data_reserved.
>
> Add the missing extent_changeset_free(data_reserved) in this
> error path, matching the other exit paths in btrfs_page_mkwrite()
> and the failure handling in btrfs_check_data_free_space().
>
> Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>

Thanks a fix is already available and will be in linux-next. Pull request with the fix will be sent after rc1.
On 2025/12/12 15:39, Ahmet Eray Karadag wrote:
> syzbot reported a memory leak originating from ulist_prealloc()
> called from qgroup_reserve_data() in the btrfs_page_mkwrite()
> path. When btrfs_check_data_free_space() succeeds and
> btrfs_delalloc_reserve_metadata() later fails, we free the data
> reservation via btrfs_free_reserved_data_space(), but we never
> free the extent_changeset pointed to by data_reserved.
>
> Add the missing extent_changeset_free(data_reserved) in this
> error path, matching the other exit paths in btrfs_page_mkwrite()
> and the failure handling in btrfs_check_data_free_space().
>
> Reported-by: syzbot+2f8aa76e6acc9fce6638@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2f8aa76e6acc9fce6638
> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com>

Already fixed by this patch.

https://lore.kernel.org/linux-btrfs/ab2ab25d0598c04467a62e9e88c9131cec159c48.1765454225.git.fdmanana@suse.com/

And your fix doesn't even have a proper fixes: tag.

> --- > fs/btrfs/file.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c > index 7a501e73d880..4b05e72249e2 100644 > --- a/fs/btrfs/file.c > +++ b/fs/btrfs/file.c > @@ -1910,6 +1910,8 @@ static vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf) > if (!only_release_metadata) > btrfs_free_reserved_data_space(inode, data_reserved, > page_start, reserved_space); > + extent_changeset_free(data_reserved); > + data_reserved = NULL; > goto out_noreserve; > } >