linux-yocto/fs/btrfs
Shardul Bankar f260c6aff0 btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation
When btrfs_add_qgroup_relation() is called with invalid qgroup levels
(src >= dst), the function returns -EINVAL directly without freeing the
preallocated qgroup_list structure passed by the caller. This causes a
memory leak because the caller unconditionally sets the pointer to NULL
after the call, preventing any cleanup.

The issue occurs because the level validation check happens before the
mutex is acquired and before any error handling path that would free
the prealloc pointer. On this early return, the cleanup code at the
'out' label (which includes kfree(prealloc)) is never reached.

In btrfs_ioctl_qgroup_assign(), the code pattern is:

    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
    ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);
    prealloc = NULL;  // Always set to NULL regardless of return value
    ...
    kfree(prealloc);  // This becomes kfree(NULL), does nothing

When the level check fails, 'prealloc' is never freed by either the
callee or the caller, resulting in a 64-byte memory leak per failed
operation. This can be triggered repeatedly by an unprivileged user
with access to a writable btrfs mount, potentially exhausting kernel
memory.

Fix this by freeing prealloc before the early return, ensuring prealloc
is always freed on all error paths.

Fixes: 4addc1ffd6 ("btrfs: qgroup: preallocate memory before adding a relation")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2025-10-30 19:16:06 +01:00
tests btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
accessors.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
accessors.h btrfs: accessors: delete token versions of set/get helpers 2025-07-22 00:05:00 +02:00
acl.c
acl.h
async-thread.c btrfs: use list_first_entry() everywhere 2025-05-15 14:30:47 +02:00
async-thread.h
backref.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
backref.h btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
bio.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
bio.h btrfs: try to search for data csums in commit root 2025-09-22 10:54:31 +02:00
block-group.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
block-group.h btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
block-rsv.c btrfs: add block reserve for treelog 2025-05-15 14:30:53 +02:00
block-rsv.h btrfs: add block reserve for treelog 2025-05-15 14:30:53 +02:00
btrfs_inode.h btrfs: cache max and min order inside btrfs_fs_info 2025-09-23 08:49:17 +02:00
compression.c btrfs: prepare compression folio alloc/free for bs > ps cases 2025-09-23 08:49:24 +02:00
compression.h btrfs: prepare compression folio alloc/free for bs > ps cases 2025-09-23 08:49:24 +02:00
ctree.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
ctree.h btrfs: split btrfs_is_fstree() into multiple if statements for readability 2025-07-21 23:58:04 +02:00
defrag.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
defrag.h
delalloc-space.c btrfs: add block reserve for treelog 2025-05-15 14:30:53 +02:00
delalloc-space.h btrfs: pass struct btrfs_inode to btrfs_free_reserved_data_space_noquota() 2025-05-15 14:30:52 +02:00
delayed-inode.c btrfs: fix delayed_node ref_tracker use after free 2025-10-22 09:40:04 +02:00
delayed-inode.h btrfs: fix delayed_node ref_tracker use after free 2025-10-22 09:40:04 +02:00
delayed-ref.c btrfs: annotate btrfs_is_testing() as unlikely and make it return bool 2025-09-23 08:49:24 +02:00
delayed-ref.h btrfs: move ref-verify under CONFIG_BTRFS_DEBUG 2025-09-22 10:54:32 +02:00
dev-replace.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
dev-replace.h btrfs: trivial conversion to return bool instead of int 2025-05-15 14:30:49 +02:00
dir-item.c btrfs: rename inode number parameter passed to btrfs_check_dir_item_collision() 2025-07-22 00:05:00 +02:00
dir-item.h btrfs: rename inode number parameter passed to btrfs_check_dir_item_collision() 2025-07-22 00:05:00 +02:00
direct-io.c btrfs: enable experimental bs > ps support 2025-09-23 08:49:25 +02:00
direct-io.h
discard.c btrfs: use verbose assert at peek_discard_list() 2025-05-15 14:30:55 +02:00
discard.h
disk-io.c btrfs: fix PAGE_SIZE format specifier in open_ctree() 2025-10-01 16:27:28 +02:00
disk-io.h btrfs: convert several int parameters to bool 2025-09-22 10:54:32 +02:00
export.c btrfs: avoid potential out-of-bounds in btrfs_encode_fh() 2025-09-26 08:48:30 +02:00
export.h
extent_io.c btrfs: ensure no dirty metadata is written back for an fs with errors 2025-10-30 19:16:01 +01:00
extent_io.h btrfs: prepare compression folio alloc/free for bs > ps cases 2025-09-23 08:49:24 +02:00
extent_map.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
extent_map.h btrfs: rename remaining exported extent map functions 2025-05-15 14:30:45 +02:00
extent-io-tree.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
extent-io-tree.h btrfs: convert several int parameters to bool 2025-09-22 10:54:32 +02:00
extent-tree.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
extent-tree.h btrfs: convert several int parameters to bool 2025-09-22 10:54:32 +02:00
fiemap.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
fiemap.h
file-item.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
file-item.h btrfs: change return type of btrfs_alloc_dummy_sum() to int 2025-05-15 14:30:49 +02:00
file.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
file.h
free-space-cache.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
free-space-cache.h
free-space-tree.c btrfs: do not assert we found block group item when creating free space tree 2025-10-13 22:33:22 +02:00
free-space-tree.h btrfs: add btrfs prefix to free space tree exported functions 2025-07-21 23:58:02 +02:00
fs.c btrfs: enable experimental bs > ps support 2025-09-23 08:49:25 +02:00
fs.h btrfs: prepare compression folio alloc/free for bs > ps cases 2025-09-23 08:49:24 +02:00
inode-item.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
inode-item.h btrfs: remove unused parameters from btrfs_lookup_inode_extref() 2025-07-21 23:58:03 +02:00
inode.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
ioctl.c btrfs: fix memory leak on duplicated memory in the qgroup assign ioctl 2025-10-13 22:29:27 +02:00
ioctl.h tree-wide: s/struct fileattr/struct file_kattr/g 2025-07-04 16:14:39 +02:00
Kconfig btrfs: implement ref_tracker for delayed_nodes 2025-09-22 10:54:32 +02:00
locking.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
locking.h btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
lru_cache.c
lru_cache.h
lzo.c btrfs: add unlikely annotations to branches leading to EUCLEAN 2025-09-23 08:49:26 +02:00
Makefile btrfs: move ref-verify under CONFIG_BTRFS_DEBUG 2025-09-22 10:54:32 +02:00
messages.c btrfs: dump detailed info and specific messages on log replay failures 2025-09-23 08:49:21 +02:00
messages.h btrfs: remove duplicate inclusion of linux/types.h 2025-09-22 10:54:31 +02:00
misc.h btrfs: introduce btrfs_bio_for_each_block_all() helper 2025-09-23 08:49:17 +02:00
ordered-data.c btrfs: use folio_end() where appropriate 2025-07-21 23:58:01 +02:00
ordered-data.h
orphan.c
orphan.h
print-tree.c btrfs: print-tree: print key types as human readable strings 2025-09-23 08:49:23 +02:00
print-tree.h
props.c
props.h
qgroup.c btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation 2025-10-30 19:16:06 +01:00
qgroup.h
raid-stripe-tree.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
raid-stripe-tree.h
raid56.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
raid56.h btrfs: prepare scrub to support bs > ps cases 2025-09-23 08:49:25 +02:00
ref-verify.c btrfs: ref-verify: fix IS_ERR() vs NULL check in btrfs_build_ref_tree() 2025-10-22 09:40:07 +02:00
ref-verify.h btrfs: move ref-verify under CONFIG_BTRFS_DEBUG 2025-09-22 10:54:32 +02:00
reflink.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
reflink.h
relocation.c btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running 2025-10-13 22:29:03 +02:00
relocation.h btrfs: don't print relocation messages from auto reclaim 2025-07-22 00:09:22 +02:00
root-tree.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
root-tree.h
scrub.c btrfs: do not use folio_test_partial_kmap() in ASSERT()s 2025-10-13 22:31:36 +02:00
scrub.h btrfs: convert several int parameters to bool 2025-09-22 10:54:32 +02:00
send.c btrfs: send: fix duplicated rmdir operations when using extrefs 2025-10-17 18:33:34 +02:00
send.h
space-info.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
space-info.h btrfs: change dump_block_groups() in btrfs_dump_space_info() from int to bool 2025-07-21 23:58:05 +02:00
subpage.c btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
subpage.h btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
super.c btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots() 2025-10-17 18:33:27 +02:00
super.h
sysfs.c btrfs: simplify support block size check 2025-09-22 10:54:31 +02:00
sysfs.h
transaction.c btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() 2025-09-23 09:02:17 +02:00
transaction.h
tree-checker.c btrfs: tree-checker: fix bounds check in check_inode_extref() 2025-10-13 22:35:51 +02:00
tree-checker.h
tree-log.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
tree-log.h
tree-mod-log.c btrfs: reduce size of struct tree_mod_elem 2025-07-22 00:09:20 +02:00
tree-mod-log.h
ulist.c btrfs: use rb_find_add() in ulist_rbtree_insert() 2025-07-21 23:53:25 +02:00
ulist.h
uuid-tree.c
uuid-tree.h
verity.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
verity.h
volumes.c btrfs: add unlikely annotations to branches leading to transaction abort 2025-09-23 08:49:26 +02:00
volumes.h btrfs: fix typos in comments and strings 2025-09-23 08:49:16 +02:00
xattr.c btrfs: replace strcpy() with strscpy() 2025-07-22 00:05:00 +02:00
xattr.h
zlib.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00
zoned.c btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST 2025-10-13 22:35:14 +02:00
zoned.h btrfs: zoned: return error from btrfs_zone_finish_endio() 2025-09-22 10:54:30 +02:00
zstd.c btrfs: add unlikely annotations to branches leading to EIO 2025-09-23 08:49:26 +02:00