From: Guangshuo Li
To: Chris Mason, David Sterba, Naohiro Aota, Johannes Thumshirn, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Guangshuo Li, stable@vger.kernel.org
Subject: [PATCH] btrfs: fix double free in create_space_info_sub_group() error path
Date: Wed, 1 Apr 2026 19:02:19 +0800
Message-ID: <20260401110219.1517804-1-lgs201920130244@gmail.com>

When kobject_init_and_add() fails, the call chain is:

create_space_info_sub_group()
-> btrfs_sysfs_add_space_info_type()
-> kobject_init_and_add()
-> failure
-> kobject_put(&sub_group->kobj)
-> space_info_release()
-> kfree(sub_group)

Then control returns to create_space_info_sub_group(), where:

btrfs_sysfs_add_space_info_type() returns error
-> kfree(sub_group)

Thus, sub_group is freed twice.

Keep parent->sub_group[index] = NULL for the failure path, but after
btrfs_sysfs_add_space_info_type() has called kobject_put(), let the
kobject release callback handle the cleanup.

Fixes: f92ee31e031c ("btrfs: introduce btrfs_space_info sub-group")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li
--- fs/btrfs/space-info.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c index d7176eb2fcbf..f5d0f587b755 100644 --- a/fs/btrfs/space-info.c +++ b/fs/btrfs/space-info.c 
@@ -277,7 +277,6 @@ static int create_space_info_sub_group(struct btrfs_spa= ce_info *parent, u64 flag =20 ret =3D btrfs_sysfs_add_space_info_type(sub_group); if (ret) { - kfree(sub_group); parent->sub_group[index] =3D NULL; } return ret; --=20 2.43.0
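
Review bot: In the error branch of create_space_info_sub_group(), once the kfree() is gone nothing at the call site says who frees sub_group, so a later cleanup could easily put the free back; a short comment above parent->sub_group[index] = NULL stating that btrfs_sysfs_add_space_info_type() drops the kobject reference on failure and that the release callback frees sub_group would make the ownership explicit. The fix is only correct if every failing return of btrfs_sysfs_add_space_info_type() goes through kobject_put(); the commit message covers the kobject_init_and_add() failure, so please confirm the helper has no other error return, otherwise this change trades the double free for a leak. The branch also now holds a single statement, so kernel coding style wants the braces around it dropped.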