btrfs: memory leak on error path

btrfs: memory leak on error path

[error27]

This was found by smatch (http://repo.or.cz/w/smatch.git/)

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--- orig/fs/btrfs/volumes.c	2009-03-26 15:59:39.000000000 +0300
+++ devel/fs/btrfs/volumes.c	2009-03-26 16:00:28.000000000 +0300
@@ -342,6 +342,7 @@
 	return fs_devices;
 error:
 	free_fs_devices(fs_devices);
+	kfree(device);
 	return ERR_PTR(-ENOMEM);
 }
 

btrfs: dereferencing freed memory

[Dan Carpenter]

This was found by smatch (http://repo.or.cz/w/smatch.git/)

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/async-thread.c	2009-03-26 16:36:46.000000000 +0300
+++ devel/fs/btrfs/async-thread.c	2009-03-26 16:39:08.000000000 +0300
@@ -278,8 +278,8 @@
 					   workers->num_workers + i);
 		worker->workers = workers;
 		if (IS_ERR(worker->task)) {
-			kfree(worker);
 			ret = PTR_ERR(worker->task);
+			kfree(worker);
 			goto fail;
 		}
 

btrfs: returning under lock

[Dan Carpenter]

This was found by smatch (http://repo.or.cz/w/smatch.git/)

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--- orig/fs/btrfs/transaction.c	2009-03-26 16:25:37.000000000 +0300
+++ devel/fs/btrfs/transaction.c	2009-03-26 16:26:36.000000000 +0300
@@ -914,8 +914,10 @@
 	}
 
 	pinned_copy = kmalloc(sizeof(*pinned_copy), GFP_NOFS);
-	if (!pinned_copy)
+	if (!pinned_copy) {
+		mutex_unlock(&root->fs_info->trans_mutex);
 		return -ENOMEM;
+	}
 
 	extent_io_tree_init(pinned_copy,
 			     root->fs_info->btree_inode->i_mapping, GFP_NOFS);

unhandled kmallocs remaining

[Dan Carpenter]

There are only 4 remaining kmallocs that don't have error handling in 
btrfs.

fs/btrfs/inode.c +277 add_async_extent() 'async_extent'
        async_extent = kmalloc(sizeof(*async_extent), GFP_NOFS);
        async_extent->start = start;

fs/btrfs/inode.c +866 cow_file_range_async() 'async_cow'
                async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
                async_cow->inode = inode;

fs/btrfs/compression.c +355 btrfs_submit_compressed_write() 'cb'
        cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
        atomic_set(&cb->pending_bios, 0);

fs/btrfs/compression.c +605 btrfs_submit_compressed_read() 'cb'
        cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
        atomic_set(&cb->pending_bios, 0);

For this kernel release I'm fishing for reported by tags.
Reported-by: Dan Carpenter <error27@gmail.com>

regards,
dan carpenter

btrfs: [patch] remove dead code

[Dan Carpenter]

This is a small clean up.

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--- orig/fs/btrfs/disk-io.c	2009-03-26 17:00:57.000000000 +0300
+++ devel/fs/btrfs/disk-io.c	2009-03-26 17:01:44.000000000 +0300
@@ -1387,8 +1387,6 @@
 
 	ret = extent_range_uptodate(io_tree, start + length,
 				    start + buf_len - 1);
-	if (ret == 1)
-		return ret;
 	return ret;
 }
 

[patch] btrfs: remove dead code

[Dan Carpenter]

merge is always NULL at this point.

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--- orig/fs/btrfs/extent_map.c	2009-03-26 17:07:20.000000000 +0300
+++ devel/fs/btrfs/extent_map.c	2009-03-26 17:07:39.000000000 +0300
@@ -234,7 +234,6 @@
 	rb = tree_insert(&tree->map, em->start, &em->rb_node);
 	if (rb) {
 		ret = -EEXIST;
-		free_extent_map(merge);
 		goto out;
 	}
 	atomic_inc(&em->refs);

[patch] btrfs: remove dead code #3

[Dan Carpenter]

kzalloc() already initialized ->error to zero.

regards,
dan carpenter

Signed-off-by: Dan Carpenter <error27@gmail.com>

--- orig/fs/btrfs/volumes.c	2009-03-26 17:14:13.000000000 +0300
+++ devel/fs/btrfs/volumes.c	2009-03-26 17:14:55.000000000 +0300
@@ -2422,10 +2422,8 @@
 		multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
 				GFP_NOFS);
 		if (!multi)
 			return -ENOMEM;
-
-		atomic_set(&multi->error, 0);
 	}
 
 	spin_lock(&em_tree->lock);
 	em = lookup_extent_mapping(em_tree, logical, *length);

Re: [patch] btrfs: remove dead code #3

[Jens Axboe]

On Thu, Mar 26 2009, Dan Carpenter wrote:
> kzalloc() already initialized ->error to zero.
> 
> regards,
> dan carpenter
> 
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> 
> --- orig/fs/btrfs/volumes.c	2009-03-26 17:14:13.000000000 +0300
> +++ devel/fs/btrfs/volumes.c	2009-03-26 17:14:55.000000000 +0300
> @@ -2422,10 +2422,8 @@
>  		multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
>  				GFP_NOFS);
>  		if (!multi)
>  			return -ENOMEM;
> -
> -		atomic_set(&multi->error, 0);
>  	}
>  
>  	spin_lock(&em_tree->lock);
>  	em = lookup_extent_mapping(em_tree, logical, *length);

Careful, some archs require a barrier there. It's dangerous to makes
assumptions about the underlying implementation of such things, I'd
leave that one alone.

-- 
Jens Axboe

Re: [patch] btrfs: remove dead code #3

[Chris Mason]

On Thu, 2009-03-26 at 15:39 +0100, Jens Axboe wrote:
> On Thu, Mar 26 2009, Dan Carpenter wrote:
> > kzalloc() already initialized ->error to zero.
> > 
> > regards,
> > dan carpenter
> > 
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > 
> > --- orig/fs/btrfs/volumes.c	2009-03-26 17:14:13.000000000 +0300
> > +++ devel/fs/btrfs/volumes.c	2009-03-26 17:14:55.000000000 +0300
> > @@ -2422,10 +2422,8 @@
> >  		multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
> >  				GFP_NOFS);
> >  		if (!multi)
> >  			return -ENOMEM;
> > -
> > -		atomic_set(&multi->error, 0);
> >  	}
> >  
> >  	spin_lock(&em_tree->lock);
> >  	em = lookup_extent_mapping(em_tree, logical, *length);
> 
> Careful, some archs require a barrier there. It's dangerous to makes
> assumptions about the underlying implementation of such things, I'd
> leave that one alone.
> 
Yeah, I'm not so much worried about the barrier as I am that assuming a
memset can init an atomic in general.

-chris

Re: [patch] btrfs: remove dead code #3

[Jens Axboe]

On Thu, Mar 26 2009, Chris Mason wrote:
> On Thu, 2009-03-26 at 15:39 +0100, Jens Axboe wrote:
> > On Thu, Mar 26 2009, Dan Carpenter wrote:
> > > kzalloc() already initialized ->error to zero.
> > > 
> > > regards,
> > > dan carpenter
> > > 
> > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > > 
> > > --- orig/fs/btrfs/volumes.c	2009-03-26 17:14:13.000000000 +0300
> > > +++ devel/fs/btrfs/volumes.c	2009-03-26 17:14:55.000000000 +0300
> > > @@ -2422,10 +2422,8 @@
> > >  		multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
> > >  				GFP_NOFS);
> > >  		if (!multi)
> > >  			return -ENOMEM;
> > > -
> > > -		atomic_set(&multi->error, 0);
> > >  	}
> > >  
> > >  	spin_lock(&em_tree->lock);
> > >  	em = lookup_extent_mapping(em_tree, logical, *length);
> > 
> > Careful, some archs require a barrier there. It's dangerous to makes
> > assumptions about the underlying implementation of such things, I'd
> > leave that one alone.
> > 
> Yeah, I'm not so much worried about the barrier as I am that assuming a
> memset can init an atomic in general.

Right, it was more a generic comment. As to the memset(), if someone
decided to add a magic to atomic_t or something for debug purposes, it
would break. That's the bigger problem here :-)

-- 
Jens Axboe

linux-2.6.29: BUG at fs/btrfs/extent-tree.c:3433

[Matteo Frigo]

The following series of commands reliably causes a kernel BUG
with linux-2.6.29:

   lvcreate -L 10G -n x0 test
   lvcreate -L 10G -n x1 test
   lvcreate -L 10G -n x2 test
   mkfs.btrfs -m raid1 -d raid1 /dev/mapper/test-x[01]
   mount /dev/mapper/test-x0 /mnt
   umount /mnt
   lvremove test/x1
   mount -o degraded /dev/mapper/test-x0 /mnt
   btrfs-vol -a /dev/mapper/test-x2 /mnt

The dmesg log is attached.

Thanks for your work on btrfs.

Regards,
Matteo Frigo


[  137.894985] btrfs: allowing degraded mounts
[  138.175419] btrfs searching for 4096 bytes, num_bytes 4096, loop 2, allowed_alloc 0
[  138.176529] btrfs allocation failed flags 18, wanted 4096
[  138.177203] space_info has 8384512 free, is not full
[  138.177206] space_info total=8388608, pinned=0, delalloc=0, may_use=0, used=4096
[  138.177209] block group 20971520 has 8388608 bytes, 4096 used 0 pinned 0 reserved
[  138.177212] 1 blocks of free space at or bigger than bytes is
[  138.177247] ------------[ cut here ]------------
[  138.177865] kernel BUG at fs/btrfs/extent-tree.c:3433!
[  138.178514] invalid opcode: 0000 [#1] SMP 
[  138.179305] last sysfs file: /sys/block/dm-3/removable
[  138.179943] CPU 0 
[  138.180514] Modules linked in: btrfs zlib_deflate zlib_inflate crc32c libcrc32c ipv6 nfs lockd nfs_acl auth_rpcgss sunrpc loop virtio_console virtio_balloon snd_pcm snd_timer snd soundcore snd_page_alloc pcspkr psmouse serio_raw i2c_piix4 i2c_core parport_pc parport button joydev evdev ext3 jbd mbcache dm_mirror dm_region_hash dm_log dm_snapshot dm_mod usbhid hid ide_gd_mod ata_generic ide_pci_generic ata_piix libata scsi_mod floppy virtio_pci virtio_ring virtio e1000 uhci_hcd ehci_hcd piix ide_core thermal processor fan thermal_sys
[  138.180514] Pid: 2444, comm: btrfs-vol Not tainted 2.6.29 #1 
[  138.180514] RIP: 0010:[<ffffffffa03800c3>]  [<ffffffffa03800c3>] __btrfs_reserve_extent+0x290/0x2a5 [btrfs]
[  138.180514] RSP: 0018:ffff88001cce58a8  EFLAGS: 00010246
[  138.180514] RAX: ffff88001d975a38 RBX: ffff88001c41beec RCX: ffffffff8047ad6c
[  138.180514] RDX: 00000000ffffffff RSI: 0000000000000246 RDI: 0000000000000246
[  138.180514] RBP: ffff88001d975960 R08: ffff88001cce540d R09: 0000000000000000
[  138.180514] R10: 000000000000000a R11: 0000000000018600 R12: 0000000000001000
[  138.180514] R13: ffff88001d975a30 R14: ffff88001d975a18 R15: ffff88001c488000
[  138.180514] FS:  00007f63aa2ce740(0000) GS:ffffffff806d4000(0000) knlGS:0000000000000000
[  138.180514] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  138.180514] CR2: 00007f63a9c44d60 CR3: 000000001c497000 CR4: 00000000000006e0
[  138.180514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  138.180514] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  138.180514] Process btrfs-vol (pid: 2444, threadinfo ffff88001cce4000, task ffff88001d946cf0)
[  138.180514] Stack:
[  138.180514]  0000000000000000 ffff88001cce59b8 0000000000000000 0000000000000000
[  138.180514]  ffff880000000012 ffff88001c06ebc8 0000000000000000 0000000000000000
[  138.180514]  0000000000000000 ffff88001cce59b8 ffff88001c432000 0000000000000003
[  138.180514] Call Trace:
[  138.180514]  [<ffffffffa03818f9>] ? btrfs_alloc_extent+0x4a/0xa2 [btrfs]
[  138.180514]  [<ffffffffa03819ba>] ? btrfs_alloc_free_block+0x69/0x96 [btrfs]
[  138.180514]  [<ffffffff803a3de6>] ? extract_buf+0x7e/0xf2
[  138.180514]  [<ffffffffa0374380>] ? __btrfs_cow_block+0x1ed/0x885 [btrfs]
[  138.180514]  [<ffffffff803a3804>] ? mix_pool_bytes_extract+0x57/0x14a
[  138.180514]  [<ffffffffa037518d>] ? btrfs_cow_block+0x1e7/0x1f6 [btrfs]
[  138.180514]  [<ffffffffa037992c>] ? btrfs_search_slot+0x35e/0x99c [btrfs]
[  138.180514]  [<ffffffffa037a4e1>] ? btrfs_insert_empty_items+0x7f/0x4a3 [btrfs]
[  138.180514]  [<ffffffffa03ab039>] ? btrfs_add_device+0x7a/0x1b9 [btrfs]
[  138.180514]  [<ffffffff8047ae12>] ? _spin_lock+0x5/0x7
[  138.180514]  [<ffffffffa03ac201>] ? btrfs_init_new_device+0x719/0x908 [btrfs]
[  138.180514]  [<ffffffff8028f06f>] ? generic_file_aio_write_nolock+0x33/0x7f
[  138.180514]  [<ffffffffa03ae689>] ? btrfs_ioctl+0x607/0x7f6 [btrfs]
[  138.180514]  [<ffffffff80257062>] ? autoremove_wake_function+0x0/0x2e
[  138.180514]  [<ffffffff802a458e>] ? free_pgtables+0x9c/0xbe
[  138.180514]  [<ffffffff802c90aa>] ? vfs_ioctl+0x21/0x6c
[  138.180514]  [<ffffffff802c952e>] ? do_vfs_ioctl+0x439/0x472
[  138.180514]  [<ffffffff802bdad7>] ? vfs_write+0x121/0x156
[  138.180514]  [<ffffffff802c95b8>] ? sys_ioctl+0x51/0x70
[  138.180514]  [<ffffffff8021102a>] ? system_call_fastpath+0x16/0x1b
[  138.180514] Code: 8b 85 b8 00 00 00 48 8d a8 48 ff ff ff 48 8b 85 b8 00 00 00 0f 18 08 48 8d 85 b8 00 00 00 49 39 c6 75 9a 4c 89 ef e8 87 9e ed df <0f> 0b eb fe 48 83 c4 48 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 
[  138.180514] RIP  [<ffffffffa03800c3>] __btrfs_reserve_extent+0x290/0x2a5 [btrfs]
[  138.180514]  RSP <ffff88001cce58a8>
[  138.232118] ---[ end trace 12da8dfd82a051da ]---