Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4098014ybz; Mon, 20 Apr 2020 15:45:30 -0700 (PDT) X-Google-Smtp-Source: APiQypLXPR3Eeg//M4+FIqv0ESJ0CbWXZJPyskg1uMS1qJ5miThQ8unCMzumAxrePlVcKM61dSt9 X-Received: by 2002:aa7:d311:: with SMTP id p17mr16678181edq.73.1587422730240; Mon, 20 Apr 2020 15:45:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587422730; cv=none; d=google.com; s=arc-20160816; b=W2T9b3eIVXvBPQSSUFnulVQhaYB1DF/ZAgDXikS9xK5Hgeh3YA+mPYeMTyD0YhfRYv 2g9z3l4YVKCGx4K4Ser1lvRZFv9MeeQKh030VO2ZfzbOEiAjy/HE9D98LVqjs4Ihq1Jw 8HF5KSF8Mb1fhs40CfTJoy0cxght+ojZJtH5V24NWfwD+oN3L52InMdH4VZC5ZNyk3RZ OqAWJj2vPY+msQavLYbBRD9Us3cVlgIUGfFZtvJRa1Gw7447qeQXauOOxEa62DqQ5mNW TU8kOEXoOpx9aHG8n7d0zr+/Yvop4504Tr8lqxQ4By59nBPfR+TDMbFkB05321VsPtSX 0jCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :reply-to:message-id:subject:cc:to:from:date; bh=2/vyeEiYPIOy4LDNOPuN/RE2/iKyDr/cC/ljBtlsZSQ=; b=tJGneQg447jo5uUJGLLwNPrjRn2rfCfmd7q+Me2yaZJCo9EvZq99KhpHzHpvtj3lKv u2G+PwAi7I55Wlpecr6w41qLJ+Cu0Lh5TAj5gVhrTadqboZTD//4DkCqK1blVRwbBZfr IzCPgI+6hMDmTVsXYEhybFEP4glkKwideZMhrX/zllCnoH9+YUnmiUY18Z5RrgCNG/uX 3EeGppN5FNgx/escLlTh0rsZfC71RkBjKEZYHSv/ZPWokEkgkonlwiYcyszQJfzm62Cx 0PTMkr6w19spLIeEDCVsYqbPmIecrsL3/MKU78OH4NuuLujYM8HJJh2su4mT5VDoOvkf iZqQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id du12si440225ejc.498.2020.04.20.15.45.06; Mon, 20 Apr 2020 15:45:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726488AbgDTWoA (ORCPT + 99 others); Mon, 20 Apr 2020 18:44:00 -0400 Received: from mx2.suse.de ([195.135.220.15]:54312 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725958AbgDTWoA (ORCPT ); Mon, 20 Apr 2020 18:44:00 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 6F52CAC53; Mon, 20 Apr 2020 22:43:57 +0000 (UTC) Received: by ds.suse.cz (Postfix, from userid 10065) id E6951DA72D; Tue, 21 Apr 2020 00:43:15 +0200 (CEST) Date: Tue, 21 Apr 2020 00:43:15 +0200 From: David Sterba To: Xiyu Yang Cc: Chris Mason , Josef Bacik , David Sterba , linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan Subject: Re: [PATCH] btrfs: Fix btrfs_block_group refcnt leak Message-ID: <20200420224315.GI18421@twin.jikos.cz> Reply-To: dsterba@suse.cz Mail-Followup-To: dsterba@suse.cz, Xiyu Yang , Chris Mason , Josef Bacik , David Sterba , linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan References: <1587361120-83160-1-git-send-email-xiyuyang19@fudan.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1587361120-83160-1-git-send-email-xiyuyang19@fudan.edu.cn> User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 20, 2020 at 01:38:40PM +0800, Xiyu Yang wrote: > btrfs_remove_block_group() invokes btrfs_lookup_block_group(), which > returns a local reference of the blcok group that contains the given > bytenr to "block_group" with increased refcount. > > When btrfs_remove_block_group() returns, "block_group" becomes invalid, > so the refcount should be decreased to keep refcount balanced. > > The reference counting issue happens in several exception handling paths > of btrfs_remove_block_group(). When those error scenarios occur such as > btrfs_alloc_path() returns NULL, the function forgets to decrease its > refcnt increased by btrfs_lookup_block_group() and will cause a refcnt > leak. > > Fix this issue by jumping to "out_put_group" label and calling > btrfs_put_block_group() when those error scenarios occur. > > Signed-off-by: Xiyu Yang > Signed-off-by: Xin Tan Thanks for the fix. May I ask if this was found by code inspection or by some analysis tool? > @@ -1132,6 +1132,9 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, > btrfs_delayed_refs_rsv_release(fs_info, 1); > btrfs_free_path(path); > return ret; > +out_put_group: > + btrfs_put_block_group(block_group); > + goto out; As Filipe noted, the trailing gotos are not a great pattern, what we'd like to do is a more linear sequence where the resource allocation/freeing nesting is obvious, like: x = allocate(X); if (!x) goto out; ... y = allocate(Y); if (!y) goto out_free_x; z = allocate(Z); if (!z) goto out_free_y; ... free(z); out_free_y: free(y); out_free_x: free(x); out: return; (where allocate/free can be refcount inc/dec and similar). Sometimes it's not that straightforward and the freeing block needs conditionals, but from code reading perspective this is still better than potentially wild gotos.