* btrfs: memory leak on error path
@ 2009-03-26 13:39 error27
2009-03-26 13:42 ` btrfs: dereferencing freed memory Dan Carpenter
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: error27 @ 2009-03-26 13:39 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
This was found by smatch (http://repo.or.cz/w/smatch.git/)
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/volumes.c 2009-03-26 15:59:39.000000000 +0300
+++ devel/fs/btrfs/volumes.c 2009-03-26 16:00:28.000000000 +0300
@@ -342,6 +342,7 @@
return fs_devices;
error:
free_fs_devices(fs_devices);
+ kfree(device);
return ERR_PTR(-ENOMEM);
}
^ permalink raw reply [flat|nested] 11+ messages in thread
* btrfs: dereferencing freed memory
2009-03-26 13:39 btrfs: memory leak on error path error27
@ 2009-03-26 13:42 ` Dan Carpenter
2009-03-26 13:45 ` btrfs: returning under lock Dan Carpenter
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
2 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 13:42 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
This was found by smatch (http://repo.or.cz/w/smatch.git/)
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/async-thread.c 2009-03-26 16:36:46.000000000 +0300
+++ devel/fs/btrfs/async-thread.c 2009-03-26 16:39:08.000000000 +0300
@@ -278,8 +278,8 @@
workers->num_workers + i);
worker->workers = workers;
if (IS_ERR(worker->task)) {
- kfree(worker);
ret = PTR_ERR(worker->task);
+ kfree(worker);
goto fail;
}
^ permalink raw reply [flat|nested] 11+ messages in thread
* btrfs: returning under lock
2009-03-26 13:39 btrfs: memory leak on error path error27
2009-03-26 13:42 ` btrfs: dereferencing freed memory Dan Carpenter
@ 2009-03-26 13:45 ` Dan Carpenter
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
2 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 13:45 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
This was found by smatch (http://repo.or.cz/w/smatch.git/)
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/transaction.c 2009-03-26 16:25:37.000000000 +0300
+++ devel/fs/btrfs/transaction.c 2009-03-26 16:26:36.000000000 +0300
@@ -914,8 +914,10 @@
}
pinned_copy = kmalloc(sizeof(*pinned_copy), GFP_NOFS);
- if (!pinned_copy)
+ if (!pinned_copy) {
+ mutex_unlock(&root->fs_info->trans_mutex);
return -ENOMEM;
+ }
extent_io_tree_init(pinned_copy,
root->fs_info->btree_inode->i_mapping, GFP_NOFS);
^ permalink raw reply [flat|nested] 11+ messages in thread
* unhandled kmallocs remaining
2009-03-26 13:39 btrfs: memory leak on error path error27
2009-03-26 13:42 ` btrfs: dereferencing freed memory Dan Carpenter
2009-03-26 13:45 ` btrfs: returning under lock Dan Carpenter
@ 2009-03-26 13:54 ` Dan Carpenter
2009-03-26 14:04 ` btrfs: [patch] remove dead code Dan Carpenter
` (2 more replies)
2 siblings, 3 replies; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 13:54 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
There are only 4 remaining kmallocs that don't have error handling in
btrfs.
fs/btrfs/inode.c +277 add_async_extent() 'async_extent'
async_extent = kmalloc(sizeof(*async_extent), GFP_NOFS);
async_extent->start = start;
fs/btrfs/inode.c +866 cow_file_range_async() 'async_cow'
async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
async_cow->inode = inode;
fs/btrfs/compression.c +355 btrfs_submit_compressed_write() 'cb'
cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
atomic_set(&cb->pending_bios, 0);
fs/btrfs/compression.c +605 btrfs_submit_compressed_read() 'cb'
cb = kmalloc(compressed_bio_size(root, compressed_len), GFP_NOFS);
atomic_set(&cb->pending_bios, 0);
For this kernel release I'm fishing for reported by tags.
Reported-by: Dan Carpenter <error27@gmail.com>
regards,
dan carpenter
^ permalink raw reply [flat|nested] 11+ messages in thread
* btrfs: [patch] remove dead code
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
@ 2009-03-26 14:04 ` Dan Carpenter
2009-03-26 14:10 ` [patch] btrfs: " Dan Carpenter
2009-03-26 14:20 ` [patch] btrfs: remove dead code #3 Dan Carpenter
2 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 14:04 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
This is a small clean up.
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/disk-io.c 2009-03-26 17:00:57.000000000 +0300
+++ devel/fs/btrfs/disk-io.c 2009-03-26 17:01:44.000000000 +0300
@@ -1387,8 +1387,6 @@
ret = extent_range_uptodate(io_tree, start + length,
start + buf_len - 1);
- if (ret == 1)
- return ret;
return ret;
}
^ permalink raw reply [flat|nested] 11+ messages in thread
* [patch] btrfs: remove dead code
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
2009-03-26 14:04 ` btrfs: [patch] remove dead code Dan Carpenter
@ 2009-03-26 14:10 ` Dan Carpenter
2009-03-26 14:20 ` [patch] btrfs: remove dead code #3 Dan Carpenter
2 siblings, 0 replies; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 14:10 UTC (permalink / raw)
To: chris.mason; +Cc: linux-btrfs
merge is always NULL at this point.
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/extent_map.c 2009-03-26 17:07:20.000000000 +0300
+++ devel/fs/btrfs/extent_map.c 2009-03-26 17:07:39.000000000 +0300
@@ -234,7 +234,6 @@
rb = tree_insert(&tree->map, em->start, &em->rb_node);
if (rb) {
ret = -EEXIST;
- free_extent_map(merge);
goto out;
}
atomic_inc(&em->refs);
^ permalink raw reply [flat|nested] 11+ messages in thread
* [patch] btrfs: remove dead code #3
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
2009-03-26 14:04 ` btrfs: [patch] remove dead code Dan Carpenter
2009-03-26 14:10 ` [patch] btrfs: " Dan Carpenter
@ 2009-03-26 14:20 ` Dan Carpenter
2009-03-26 14:39 ` Jens Axboe
2 siblings, 1 reply; 11+ messages in thread
From: Dan Carpenter @ 2009-03-26 14:20 UTC (permalink / raw)
Cc: chris.mason, linux-btrfs
kzalloc() already initialized ->error to zero.
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
--- orig/fs/btrfs/volumes.c 2009-03-26 17:14:13.000000000 +0300
+++ devel/fs/btrfs/volumes.c 2009-03-26 17:14:55.000000000 +0300
@@ -2422,10 +2422,8 @@
multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
GFP_NOFS);
if (!multi)
return -ENOMEM;
-
- atomic_set(&multi->error, 0);
}
spin_lock(&em_tree->lock);
em = lookup_extent_mapping(em_tree, logical, *length);
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] btrfs: remove dead code #3
2009-03-26 14:20 ` [patch] btrfs: remove dead code #3 Dan Carpenter
@ 2009-03-26 14:39 ` Jens Axboe
2009-03-26 14:48 ` Chris Mason
0 siblings, 1 reply; 11+ messages in thread
From: Jens Axboe @ 2009-03-26 14:39 UTC (permalink / raw)
To: Dan Carpenter; +Cc: no, To-header, on, input <,
On Thu, Mar 26 2009, Dan Carpenter wrote:
> kzalloc() already initialized ->error to zero.
>
> regards,
> dan carpenter
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> --- orig/fs/btrfs/volumes.c 2009-03-26 17:14:13.000000000 +0300
> +++ devel/fs/btrfs/volumes.c 2009-03-26 17:14:55.000000000 +0300
> @@ -2422,10 +2422,8 @@
> multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
> GFP_NOFS);
> if (!multi)
> return -ENOMEM;
> -
> - atomic_set(&multi->error, 0);
> }
>
> spin_lock(&em_tree->lock);
> em = lookup_extent_mapping(em_tree, logical, *length);
Careful, some archs require a barrier there. It's dangerous to makes
assumptions about the underlying implementation of such things, I'd
leave that one alone.
--
Jens Axboe
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] btrfs: remove dead code #3
2009-03-26 14:39 ` Jens Axboe
@ 2009-03-26 14:48 ` Chris Mason
2009-03-26 15:43 ` Jens Axboe
0 siblings, 1 reply; 11+ messages in thread
From: Chris Mason @ 2009-03-26 14:48 UTC (permalink / raw)
To: Jens Axboe; +Cc: Dan Carpenter, no, To-header, on, ;;chris.mason, linux-btrfs
On Thu, 2009-03-26 at 15:39 +0100, Jens Axboe wrote:
> On Thu, Mar 26 2009, Dan Carpenter wrote:
> > kzalloc() already initialized ->error to zero.
> >
> > regards,
> > dan carpenter
> >
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> >
> > --- orig/fs/btrfs/volumes.c 2009-03-26 17:14:13.000000000 +0300
> > +++ devel/fs/btrfs/volumes.c 2009-03-26 17:14:55.000000000 +0300
> > @@ -2422,10 +2422,8 @@
> > multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
> > GFP_NOFS);
> > if (!multi)
> > return -ENOMEM;
> > -
> > - atomic_set(&multi->error, 0);
> > }
> >
> > spin_lock(&em_tree->lock);
> > em = lookup_extent_mapping(em_tree, logical, *length);
>
> Careful, some archs require a barrier there. It's dangerous to makes
> assumptions about the underlying implementation of such things, I'd
> leave that one alone.
>
Yeah, I'm not so much worried about the barrier as I am that assuming a
memset can init an atomic in general.
-chris
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [patch] btrfs: remove dead code #3
2009-03-26 14:48 ` Chris Mason
@ 2009-03-26 15:43 ` Jens Axboe
2009-03-26 23:30 ` linux-2.6.29: BUG at fs/btrfs/extent-tree.c:3433 Matteo Frigo
0 siblings, 1 reply; 11+ messages in thread
From: Jens Axboe @ 2009-03-26 15:43 UTC (permalink / raw)
To: Chris Mason; +Cc: Dan Carpenter, no, To-header, on, ;;chris.mason, linux-btrfs
On Thu, Mar 26 2009, Chris Mason wrote:
> On Thu, 2009-03-26 at 15:39 +0100, Jens Axboe wrote:
> > On Thu, Mar 26 2009, Dan Carpenter wrote:
> > > kzalloc() already initialized ->error to zero.
> > >
> > > regards,
> > > dan carpenter
> > >
> > > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > >
> > > --- orig/fs/btrfs/volumes.c 2009-03-26 17:14:13.000000000 +0300
> > > +++ devel/fs/btrfs/volumes.c 2009-03-26 17:14:55.000000000 +0300
> > > @@ -2422,10 +2422,8 @@
> > > multi = kzalloc(btrfs_multi_bio_size(stripes_allocated),
> > > GFP_NOFS);
> > > if (!multi)
> > > return -ENOMEM;
> > > -
> > > - atomic_set(&multi->error, 0);
> > > }
> > >
> > > spin_lock(&em_tree->lock);
> > > em = lookup_extent_mapping(em_tree, logical, *length);
> >
> > Careful, some archs require a barrier there. It's dangerous to makes
> > assumptions about the underlying implementation of such things, I'd
> > leave that one alone.
> >
> Yeah, I'm not so much worried about the barrier as I am that assuming a
> memset can init an atomic in general.
Right, it was more a generic comment. As to the memset(), if someone
decided to add a magic to atomic_t or something for debug purposes, it
would break. That's the bigger problem here :-)
--
Jens Axboe
^ permalink raw reply [flat|nested] 11+ messages in thread
* linux-2.6.29: BUG at fs/btrfs/extent-tree.c:3433
2009-03-26 15:43 ` Jens Axboe
@ 2009-03-26 23:30 ` Matteo Frigo
0 siblings, 0 replies; 11+ messages in thread
From: Matteo Frigo @ 2009-03-26 23:30 UTC (permalink / raw)
To: linux-btrfs
The following series of commands reliably causes a kernel BUG
with linux-2.6.29:
lvcreate -L 10G -n x0 test
lvcreate -L 10G -n x1 test
lvcreate -L 10G -n x2 test
mkfs.btrfs -m raid1 -d raid1 /dev/mapper/test-x[01]
mount /dev/mapper/test-x0 /mnt
umount /mnt
lvremove test/x1
mount -o degraded /dev/mapper/test-x0 /mnt
btrfs-vol -a /dev/mapper/test-x2 /mnt
The dmesg log is attached.
Thanks for your work on btrfs.
Regards,
Matteo Frigo
[ 137.894985] btrfs: allowing degraded mounts
[ 138.175419] btrfs searching for 4096 bytes, num_bytes 4096, loop 2, allowed_alloc 0
[ 138.176529] btrfs allocation failed flags 18, wanted 4096
[ 138.177203] space_info has 8384512 free, is not full
[ 138.177206] space_info total=8388608, pinned=0, delalloc=0, may_use=0, used=4096
[ 138.177209] block group 20971520 has 8388608 bytes, 4096 used 0 pinned 0 reserved
[ 138.177212] 1 blocks of free space at or bigger than bytes is
[ 138.177247] ------------[ cut here ]------------
[ 138.177865] kernel BUG at fs/btrfs/extent-tree.c:3433!
[ 138.178514] invalid opcode: 0000 [#1] SMP
[ 138.179305] last sysfs file: /sys/block/dm-3/removable
[ 138.179943] CPU 0
[ 138.180514] Modules linked in: btrfs zlib_deflate zlib_inflate crc32c libcrc32c ipv6 nfs lockd nfs_acl auth_rpcgss sunrpc loop virtio_console virtio_balloon snd_pcm snd_timer snd soundcore snd_page_alloc pcspkr psmouse serio_raw i2c_piix4 i2c_core parport_pc parport button joydev evdev ext3 jbd mbcache dm_mirror dm_region_hash dm_log dm_snapshot dm_mod usbhid hid ide_gd_mod ata_generic ide_pci_generic ata_piix libata scsi_mod floppy virtio_pci virtio_ring virtio e1000 uhci_hcd ehci_hcd piix ide_core thermal processor fan thermal_sys
[ 138.180514] Pid: 2444, comm: btrfs-vol Not tainted 2.6.29 #1
[ 138.180514] RIP: 0010:[<ffffffffa03800c3>] [<ffffffffa03800c3>] __btrfs_reserve_extent+0x290/0x2a5 [btrfs]
[ 138.180514] RSP: 0018:ffff88001cce58a8 EFLAGS: 00010246
[ 138.180514] RAX: ffff88001d975a38 RBX: ffff88001c41beec RCX: ffffffff8047ad6c
[ 138.180514] RDX: 00000000ffffffff RSI: 0000000000000246 RDI: 0000000000000246
[ 138.180514] RBP: ffff88001d975960 R08: ffff88001cce540d R09: 0000000000000000
[ 138.180514] R10: 000000000000000a R11: 0000000000018600 R12: 0000000000001000
[ 138.180514] R13: ffff88001d975a30 R14: ffff88001d975a18 R15: ffff88001c488000
[ 138.180514] FS: 00007f63aa2ce740(0000) GS:ffffffff806d4000(0000) knlGS:0000000000000000
[ 138.180514] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 138.180514] CR2: 00007f63a9c44d60 CR3: 000000001c497000 CR4: 00000000000006e0
[ 138.180514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 138.180514] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 138.180514] Process btrfs-vol (pid: 2444, threadinfo ffff88001cce4000, task ffff88001d946cf0)
[ 138.180514] Stack:
[ 138.180514] 0000000000000000 ffff88001cce59b8 0000000000000000 0000000000000000
[ 138.180514] ffff880000000012 ffff88001c06ebc8 0000000000000000 0000000000000000
[ 138.180514] 0000000000000000 ffff88001cce59b8 ffff88001c432000 0000000000000003
[ 138.180514] Call Trace:
[ 138.180514] [<ffffffffa03818f9>] ? btrfs_alloc_extent+0x4a/0xa2 [btrfs]
[ 138.180514] [<ffffffffa03819ba>] ? btrfs_alloc_free_block+0x69/0x96 [btrfs]
[ 138.180514] [<ffffffff803a3de6>] ? extract_buf+0x7e/0xf2
[ 138.180514] [<ffffffffa0374380>] ? __btrfs_cow_block+0x1ed/0x885 [btrfs]
[ 138.180514] [<ffffffff803a3804>] ? mix_pool_bytes_extract+0x57/0x14a
[ 138.180514] [<ffffffffa037518d>] ? btrfs_cow_block+0x1e7/0x1f6 [btrfs]
[ 138.180514] [<ffffffffa037992c>] ? btrfs_search_slot+0x35e/0x99c [btrfs]
[ 138.180514] [<ffffffffa037a4e1>] ? btrfs_insert_empty_items+0x7f/0x4a3 [btrfs]
[ 138.180514] [<ffffffffa03ab039>] ? btrfs_add_device+0x7a/0x1b9 [btrfs]
[ 138.180514] [<ffffffff8047ae12>] ? _spin_lock+0x5/0x7
[ 138.180514] [<ffffffffa03ac201>] ? btrfs_init_new_device+0x719/0x908 [btrfs]
[ 138.180514] [<ffffffff8028f06f>] ? generic_file_aio_write_nolock+0x33/0x7f
[ 138.180514] [<ffffffffa03ae689>] ? btrfs_ioctl+0x607/0x7f6 [btrfs]
[ 138.180514] [<ffffffff80257062>] ? autoremove_wake_function+0x0/0x2e
[ 138.180514] [<ffffffff802a458e>] ? free_pgtables+0x9c/0xbe
[ 138.180514] [<ffffffff802c90aa>] ? vfs_ioctl+0x21/0x6c
[ 138.180514] [<ffffffff802c952e>] ? do_vfs_ioctl+0x439/0x472
[ 138.180514] [<ffffffff802bdad7>] ? vfs_write+0x121/0x156
[ 138.180514] [<ffffffff802c95b8>] ? sys_ioctl+0x51/0x70
[ 138.180514] [<ffffffff8021102a>] ? system_call_fastpath+0x16/0x1b
[ 138.180514] Code: 8b 85 b8 00 00 00 48 8d a8 48 ff ff ff 48 8b 85 b8 00 00 00 0f 18 08 48 8d 85 b8 00 00 00 49 39 c6 75 9a 4c 89 ef e8 87 9e ed df <0f> 0b eb fe 48 83 c4 48 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3
[ 138.180514] RIP [<ffffffffa03800c3>] __btrfs_reserve_extent+0x290/0x2a5 [btrfs]
[ 138.180514] RSP <ffff88001cce58a8>
[ 138.232118] ---[ end trace 12da8dfd82a051da ]---
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2009-03-26 23:30 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-03-26 13:39 btrfs: memory leak on error path error27
2009-03-26 13:42 ` btrfs: dereferencing freed memory Dan Carpenter
2009-03-26 13:45 ` btrfs: returning under lock Dan Carpenter
2009-03-26 13:54 ` unhandled kmallocs remaining Dan Carpenter
2009-03-26 14:04 ` btrfs: [patch] remove dead code Dan Carpenter
2009-03-26 14:10 ` [patch] btrfs: " Dan Carpenter
2009-03-26 14:20 ` [patch] btrfs: remove dead code #3 Dan Carpenter
2009-03-26 14:39 ` Jens Axboe
2009-03-26 14:48 ` Chris Mason
2009-03-26 15:43 ` Jens Axboe
2009-03-26 23:30 ` linux-2.6.29: BUG at fs/btrfs/extent-tree.c:3433 Matteo Frigo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.