Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()

From: Qu Wenruo
Date: Thu Dec 25 2025 - 15:50:14 EST

Next message: Qu Wenruo: "Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Previous message: Gladyshev Ilya: "Re: [RFC PATCH 2/3] rust: introduce WMI abstractions"
In reply to: Zilin Guan: "[PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Next in thread: Qu Wenruo: "Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

在 2025/12/25 20:57, Zilin Guan 写道:

btrfs_alloc_dummy_root() allocates a root with a reference count of 1.
Then btrfs_insert_fs_root() is used to insert the root into the fs_info.
On success, it increments the reference count. On failure, it does not.

Currently, if btrfs_insert_fs_root() fails, the error handling path
jumps to the out label immediately without decrementing the reference
count of tmp_root, leading to a memory leak.

Fix this by calling btrfs_put_root() unconditionally after
btrfs_insert_fs_root(). This correctly handles both cases: on success,
it drops the local reference, leaving the root with the reference held
by fs_info; on failure, it drops the sole reference, freeing the root.

Fixes: 4785e24fa5d23 ("btrfs: don't take an extra root ref at allocation time")
Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
---
fs/btrfs/tests/qgroup-tests.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/tests/qgroup-tests.c b/fs/btrfs/tests/qgroup-tests.c
index e9124605974b..0d51e0abaeac 100644
--- a/fs/btrfs/tests/qgroup-tests.c
+++ b/fs/btrfs/tests/qgroup-tests.c
@@ -517,11 +517,11 @@ int btrfs_test_qgroups(u32 sectorsize, u32 nodesize)
tmp_root->root_key.objectid = BTRFS_FS_TREE_OBJECTID;
root->fs_info->fs_root = tmp_root;
ret = btrfs_insert_fs_root(root->fs_info, tmp_root);
+ btrfs_put_root(tmp_root);
if (ret) {
test_err("couldn't insert fs root %d", ret);
goto out;

This will lead to double free.

If btrfs_insert_fs_root() failed, btrfs_put_root() will do the cleaning and free the root.

Then btrfs_free_dummy_root() will call btrfs_put_root() again on the root, cause use-after-free.

So your analyze is completely wrong.

Thanks,
Qu

}
- btrfs_put_root(tmp_root);
tmp_root = btrfs_alloc_dummy_root(fs_info);
if (IS_ERR(tmp_root)) {
@@ -532,11 +532,11 @@ int btrfs_test_qgroups(u32 sectorsize, u32 nodesize)
tmp_root->root_key.objectid = BTRFS_FIRST_FREE_OBJECTID;
ret = btrfs_insert_fs_root(root->fs_info, tmp_root);
+ btrfs_put_root(tmp_root);
if (ret) {
test_err("couldn't insert fs root %d", ret);
goto out;
}
- btrfs_put_root(tmp_root);
test_msg("running qgroup tests");
ret = test_no_shared_qgroup(root, sectorsize, nodesize);

Next message: Qu Wenruo: "Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Previous message: Gladyshev Ilya: "Re: [RFC PATCH 2/3] rust: introduce WMI abstractions"
In reply to: Zilin Guan: "[PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Next in thread: Qu Wenruo: "Re: [PATCH] btrfs: tests: Fix memory leak in btrfs_test_qgroups()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]