From: Nikolay Borisov <kernel@kyup.com>
To: clm@fb.com
Cc: linux-btrfs@vger.kernel.org, Nikolay Borisov <kernel@kyup.com>
Subject: [PATCH] btrfs: Fix handling of -ENOENT from btrfs_uuid_iter_rem
Date: Wed, 7 Sep 2016 10:38:58 +0300
Message-ID: <1473233938-21560-1-git-send-email-kernel@kyup.com>
In-Reply-To: <b369cabe-9269-800c-cce7-5f5c71147660@fb.com>
btrfs_uuid_iter_rem is able to return -ENOENT, however this condition
is not handled in btrfs_uuid_tree_iterate which can lead to calling
btrfs_next_item with freed path argument, leading to a null pointer
dereference. Fix it by redoing the search but with an incremented
objectid so we don't loop over the same key.
Signed-off-by: Nikolay Borisov <kernel@kyup.com>
Suggested-by: Chris Mason <clm@fb.com>
Link: https://lkml.kernel.org/r/57A473B0.2040203@kyup.com
---
fs/btrfs/uuid-tree.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Hello Chris,
Since I keep getting those crashes I (hopefully correctly) implemented
your suggestion of redoing the search with an incremented key so we
don't end up in a loop. Does that look correct?
diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c
index 778282944530..6e5b3866a65c 100644
--- a/fs/btrfs/uuid-tree.c
+++ b/fs/btrfs/uuid-tree.c
@@ -329,8 +329,12 @@ again_search_slot:
* entry per UUID exists.
*/
goto again_search_slot;
- }
- if (ret < 0 && ret != -ENOENT)
+ } else if (ret == -ENOENT) {
+ key.type = 0;
+ key.offset = 0;
+ key.objectid++;
+ goto again_search_slot;
+ } else if (ret < 0)
goto out;
}
item_size -= sizeof(subid_le);
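Review bot: In the new `ret == -ENOENT` branch, resetting `key.type = 0; key.offset = 0;` and doing `key.objectid++` restarts the search at the first key of the next objectid, so any remaining items that share the current objectid but have a higher type or offset are never visited. If the intent is only to step past the key that just returned -ENOENT, advance the smallest key component instead (for example `key.offset++`, carrying into type and objectid on overflow) and say in a comment why skipping is safe. The increment also has no wrap check: if objectid is already at the maximum u64 value, `key.objectid++` wraps to 0 and `goto again_search_slot` restarts the walk from the beginning of the tree, which can loop; bail out to `out` in that case. Style: the final `else if (ret < 0)` is unbraced while the other branches of the same chain use braces, and kernel coding style wants braces on all branches once one has them.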
--
2.5.0