From patchwork Tue Jun 28 20:44:38 2016
X-Patchwork-Submitter: Liu Bo
X-Patchwork-Id: 9204003
From: Liu Bo
To: linux-btrfs@vger.kernel.org
Cc: Chandan Rajendra
Subject: [PATCH] Btrfs: fix double free of fs root
Date: Tue, 28 Jun 2016 13:44:38 -0700
Message-Id: <1467146678-29046-1-git-send-email-bo.li.liu@oracle.com>

I got this warning while mounting a btrfs image,

[ 3020.509606] ------------[ cut here ]------------
[ 3020.510107] WARNING: CPU: 3 PID: 5581 at lib/idr.c:1051 ida_remove+0xca/0x190
[ 3020.510853] ida_remove called for id=42 which is not allocated.
[ 3020.511466] Modules linked in:
[ 3020.511802] CPU: 3 PID: 5581 Comm: mount Not tainted 4.7.0-rc5+ #274
[ 3020.512438] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[ 3020.513385]  0000000000000286 0000000021295d86 ffff88006c66b8f0 ffffffff8182ba5a
[ 3020.514153]  0000000000000000 0000000000000009 ffff88006c66b930 ffffffff810e0ed7
[ 3020.514928]  0000041b00000000 ffffffff8289a8c0 ffff88007f437880 0000000000000000
[ 3020.515717] Call Trace:
[ 3020.515965]  [] dump_stack+0xc9/0x13f
[ 3020.516487]  [] __warn+0x147/0x160
[ 3020.517005]  [] warn_slowpath_fmt+0x5f/0x80
[ 3020.517572]  [] ida_remove+0xca/0x190
[ 3020.518075]  [] free_anon_bdev+0x2c/0x60
[ 3020.518609]  [] free_fs_root+0x13f/0x160
[ 3020.519138]  [] btrfs_get_fs_root+0x379/0x3d0
[ 3020.519710]  [] ? __mutex_unlock_slowpath+0x155/0x2c0
[ 3020.520366]  [] open_ctree+0x2e91/0x3200
[ 3020.520965]  [] btrfs_mount+0x1322/0x15b0
[ 3020.521536]  [] ? kmemleak_alloc_percpu+0x44/0x170
[ 3020.522167]  [] ? lockdep_init_map+0x61/0x210
[ 3020.522780]  [] mount_fs+0x49/0x2c0
[ 3020.523305]  [] vfs_kern_mount+0xac/0x1b0
[ 3020.523872]  [] btrfs_mount+0x421/0x15b0
[ 3020.524402]  [] ? kmemleak_alloc_percpu+0x44/0x170
[ 3020.525045]  [] ? lockdep_init_map+0x61/0x210
[ 3020.525657]  [] ? lockdep_init_map+0x61/0x210
[ 3020.526289]  [] mount_fs+0x49/0x2c0
[ 3020.526803]  [] vfs_kern_mount+0xac/0x1b0
[ 3020.527365]  [] do_mount+0x41a/0x1770
[ 3020.527899]  [] ? strndup_user+0x6d/0xc0
[ 3020.528447]  [] ? memdup_user+0x78/0xb0
[ 3020.528987]  [] SyS_mount+0x150/0x160
[ 3020.529493]  [] entry_SYSCALL_64_fastpath+0x1f/0xbd

It turns out that we free fs root twice, btrfs_init_fs_root() calls
free_anon_bdev(root->anon_dev) and later then btrfs_get_fs_root() calls
free_fs_root which does another free_anon_bdev() and it ends up with the
above warning.

Instead of resetting root->anon_dev to 0 after free_anon_bdev(), we can let
btrfs_init_fs_root() return directly since its callers have already done
the free job by calling free_fs_root().

Signed-off-by: Liu Bo
Reviewed-by: Chandan Rajendra
Reviewed-by: David Sterba
---
 fs/btrfs/disk-io.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 60ce119..6c88c63 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -1600,14 +1600,14 @@ int btrfs_init_fs_root(struct btrfs_root *root) ret = get_anon_bdev(&root->anon_dev); if (ret) - goto free_writers; + goto fail; mutex_lock(&root->objectid_mutex); ret = btrfs_find_highest_objectid(root, &root->highest_objectid); if (ret) { mutex_unlock(&root->objectid_mutex); - goto free_root_dev; + goto fail; } ASSERT(root->highest_objectid <= BTRFS_LAST_FREE_OBJECTID); @@ -1615,14 +1615,8 @@ int btrfs_init_fs_root(struct btrfs_root *root) mutex_unlock(&root->objectid_mutex); return 0; - -free_root_dev: - free_anon_bdev(root->anon_dev); -free_writers: - btrfs_free_subvolume_writers(root->subv_writers); fail: - kfree(root->free_ino_ctl); - kfree(root->free_ino_pinned); + /* the caller is responsible to call free_fs_root */ return ret; }
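
Review bot: in the first hunk (@@ -1600), the two error sites now share `goto fail` but leave the root in different states: after a get_anon_bdev() failure root->anon_dev was never allocated, while after a btrfs_find_highest_objectid() failure it holds a live id. The caller's free_fs_root(), which the call trace shows reaching free_anon_bdev(), has to cope with both, so please confirm it skips free_anon_bdev() when anon_dev is unset; otherwise the get_anon_bdev() failure path can still trigger the same ida_remove warning.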
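
Review bot: the second hunk (@@ -1615) also removes `kfree(root->free_ino_ctl)`, `kfree(root->free_ino_pinned)` and `btrfs_free_subvolume_writers(root->subv_writers)`, but the changelog only discusses anon_dev. Please state in the commit message that free_fs_root() releases these too, since otherwise this trades a double free for a leak, and note that the old kfree() calls had the same double-free exposure. The ownership rule deserves a comment above btrfs_init_fs_root() rather than under the label, worded as "the caller is responsible for calling free_fs_root()". With `fail:` reduced to `return ret`, the gotos in this function could become plain returns.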
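
The double cleanup described in the commit message, as an added user-space C model that is not part of the patch or of the kernel source. `get_id`, `free_id`, `free_root` and `init_root` are hypothetical stand-ins for get_anon_bdev(), free_anon_bdev(), free_fs_root() and btrfs_init_fs_root(), and the `anon_dev` guard in `free_root` is an assumption.

```c
/* Constructed user-space model of the error path; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_IDS 64
static bool id_used[MAX_IDS];   /* toy stand-in for the anon bdev id allocator */
static int warnings;            /* "id not allocated" warnings seen */
struct root { int anon_dev; };

static int get_id(void)         /* models get_anon_bdev(); 0 means failure */
{
    for (int i = 1; i < MAX_IDS; i++)
        if (!id_used[i]) { id_used[i] = true; return i; }
    return 0;
}

static void free_id(int id)     /* models free_anon_bdev() -> ida_remove() */
{
    if (!id_used[id]) { warnings++; return; }   /* freeing an unallocated id */
    id_used[id] = false;
}

static void free_root(struct root *r)   /* models free_fs_root() */
{
    if (r->anon_dev) free_id(r->anon_dev);      /* guard is an assumption */
}

/* Models btrfs_init_fs_root() failing after the id was allocated. */
static int init_root(struct root *r, bool cleanup_in_init)
{
    r->anon_dev = get_id();
    if (!r->anon_dev) return -1;
    if (cleanup_in_init)
        free_id(r->anon_dev);   /* pre-patch: freed, but anon_dev stays set */
    return -1;                  /* post-patch: only report the error */
}

/* Models the caller (btrfs_get_fs_root()), which always cleans up on error. */
static int double_free_warnings(bool cleanup_in_init)
{
    struct root r = { 0 };
    warnings = 0;
    if (init_root(&r, cleanup_in_init))
        free_root(&r);
    return warnings;
}

int main(void)
{
    printf("pre-patch=%d post-patch=%d\n", double_free_warnings(true), double_free_warnings(false));
    return 0;
}
```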