diff options
| author | Dawei Feng <dawei.feng@seu.edu.cn> | 2026-06-27 14:04:02 +0800 |
|---|---|---|
| committer | Carlos Maiolino <cem@kernel.org> | 2026-07-01 11:37:54 +0200 |
| commit | 45de375b25060edf46e20abb36521ba530336ceb (patch) | |
| tree | c2c67cefef822e5398c6014c595ad15d44c195a5 /lib/raid/raid6/git@git.tavy.me:linux-stable.git | |
| parent | 0c1b3a823a22af623d55f225fe2ac7e8b9052821 (diff) | |
xfs: fix memory leak in xfs_dqinode_metadir_create()
If xfs_metadir_create() fails in xfs_dqinode_metadir_create(), the current
code returns directly, leaking the allocated update and transaction state.
If the subsequent commit fails, the caller-owned inode reference is left
behind.
Fix this memory leak by routing the create failure path through
xfs_metadir_cancel(). For both create and commit failures, finish and
release any inode returned to the caller, mirroring the unwind pattern in
xfs_metadir_mkdir().
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1.1.
An x86_64 allyesconfig build showed no new warnings. Runtime validation
used kprobe fault injection during `mount -o uquota` on a metadir XFS
image. Injecting xfs_metadir_create() reproduced the old active-update path
that left mount stuck later in mount setup; after this change, the same
injection reported cancel_hits=1 and irele_hits=1. Injecting
xfs_metadir_commit() exercised the old inode-reference leak path; after
this change, it reported irele_hits=1.
Fixes: e80fbe1ad8ef ("xfs: use metadir for quota inodes")
Cc: stable@vger.kernel.org # v6.13
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Diffstat (limited to 'lib/raid/raid6/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
