linux/fs/btrfs
Robbie Ko 2a7bf53f57 Btrfs: fix tree search logic when replaying directory entry deletes
If a log tree has a layout like the following:

leaf N:
        ...
        item 240 key (282 DIR_LOG_ITEM 0) itemoff 8189 itemsize 8
                dir log end 1275809046
leaf N + 1:
        item 0 key (282 DIR_LOG_ITEM 3936149215) itemoff 16275 itemsize 8
                dir log end 18446744073709551615
        ...

When we pass the value 1275809046 + 1 as the parameter start_ret to the
function tree-log.c:find_dir_range() (done by replay_dir_deletes()), we
end up with path->slots[0] having the value 239 (points to the last item
of leaf N, item 240). Because the dir log item in that position has an
offset value smaller than *start_ret (1275809046 + 1) we need to move on
to the next leaf; however, the logic for that is wrong since it compares
the current slot to the number of items in the leaf, which is smaller,
and therefore we don't look up the next leaf but instead we set the
slot to point to an item that does not exist, at slot 240, and we later
operate on that slot, which has unexpected content or in the worst case
can result in an invalid memory access (accessing beyond the last page
of leaf N's extent buffer).

So fix the logic that checks when we need to look up the next leaf
by first incrementing the slot and only afterwards checking whether that
slot is beyond the last item of the current leaf.

Signed-off-by: Robbie Ko <robbieko@synology.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Fixes: e02119d5a7 (Btrfs: Add a write ahead tree log to optimize synchronous operations)
Cc: stable@vger.kernel.org  # 2.6.29+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
[Modified changelog for clarity and correctness]
2016-11-30 16:56:12 +00:00
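The slot-advance ordering the commit message describes, as an added C model that is not the kernel's tree-log.c code: two constructed leaves mirror the quoted layout, and a search walks from the last item of leaf N with start = 1275809046 + 1 using either the check-then-increment ordering (the bug) or the increment-then-check ordering (the fix). The bounds test inside the walk stands in for the kernel's read beyond the leaf's extent buffer. The leaf, tree and path structures, the item values and the function names are assumptions made for this model.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory stand-in for a B-tree leaf: the key offsets of its
 * DIR_LOG_ITEMs in ascending order, plus the item count (nritems). */
#define MAX_ITEMS 4
struct leaf {
    uint64_t offsets[MAX_ITEMS];
    size_t nritems;
};

struct tree {
    const struct leaf *leaves;
    size_t nleaves;
};

/* Stand-in for path->nodes[0] / path->slots[0]. */
struct path {
    size_t leaf_idx;
    size_t slot;
};

enum outcome { OUT_OF_BOUNDS = -1, FOUND = 0, END_OF_TREE = 1 };

typedef int (*advance_fn)(const struct tree *, struct path *);

/* Flawed ordering from the commit message: the slot is compared with the item
 * count BEFORE it is advanced. When the slot names the last item, the check
 * passes and the slot is bumped to nritems, one past the end of the leaf. */
static int advance_check_then_increment(const struct tree *t, struct path *p)
{
    const struct leaf *leaf = &t->leaves[p->leaf_idx];
    if (p->slot >= leaf->nritems) {
        if (p->leaf_idx + 1 >= t->nleaves)
            return END_OF_TREE;
        p->leaf_idx++;
        p->slot = 0;
        return 0;
    }
    p->slot++;
    return 0;
}

/* Corrected ordering: advance first, then test whether we ran off the end of
 * the current leaf, and only then move to the first item of the next leaf. */
static int advance_increment_then_check(const struct tree *t, struct path *p)
{
    const struct leaf *leaf = &t->leaves[p->leaf_idx];
    p->slot++;
    if (p->slot >= leaf->nritems) {
        if (p->leaf_idx + 1 >= t->nleaves)
            return END_OF_TREE;
        p->leaf_idx++;
        p->slot = 0;
    }
    return 0;
}

/* Walk forward from *p until an item with offset >= start is found. A slot
 * that names a non-existent item is reported as OUT_OF_BOUNDS instead of
 * being dereferenced; the kernel has no such guard and reads garbage there. */
static enum outcome find_first_at_or_after(const struct tree *t, struct path *p,
                                           uint64_t start, advance_fn advance)
{
    for (;;) {
        const struct leaf *leaf = &t->leaves[p->leaf_idx];
        if (p->slot >= leaf->nritems)
            return OUT_OF_BOUNDS;
        if (leaf->offsets[p->slot] >= start)
            return FOUND;
        if (advance(t, p) == END_OF_TREE)
            return END_OF_TREE;
    }
}

/* Constructed sample mirroring the two leaves quoted in the commit message:
 * leaf N ends with offset 1275809046, leaf N+1 starts with 3936149215. */
static const struct leaf sample_leaves[2] = {
    { { 0, 1000, 1275809046ULL }, 3 },
    { { 3936149215ULL, UINT64_MAX }, 2 },
};
static const struct tree sample_tree = { sample_leaves, 2 };

/* Start at the last slot of leaf N (as the commit's path->slots[0] = 239 does)
 * with start = 1275809046 + 1 and run the walk with the chosen ordering. */
enum outcome run_scenario(int use_fixed_ordering, struct path *p)
{
    p->leaf_idx = 0;
    p->slot = sample_leaves[0].nritems - 1;
    return find_first_at_or_after(&sample_tree, p, 1275809046ULL + 1,
                                  use_fixed_ordering ? advance_increment_then_check
                                                     : advance_check_then_increment);
}

int main(void)
{
    struct path p;
    enum outcome r = run_scenario(0, &p);
    printf("check-then-increment: outcome %d, leaf %zu slot %zu\n", r, p.leaf_idx, p.slot);
    r = run_scenario(1, &p);
    printf("increment-then-check: outcome %d, leaf %zu slot %zu\n", r, p.leaf_idx, p.slot);
    return 0;
}
```

With the buggy ordering the walk ends on leaf N at slot 3, which is equal to nritems and therefore names no item; with the fixed ordering it lands on slot 0 of leaf N+1, the first item whose offset is at or above the requested start.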
tests Merge branch 'fst-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.9 2016-10-12 13:16:00 -07:00
acl.c btrfs: Replace -ENOENT by -ERANGE in btrfs_get_acl() 2016-07-26 13:52:25 +02:00
async-thread.c btrfs: plumb fs_info into btrfs_work 2016-07-26 13:53:15 +02:00
async-thread.h btrfs: plumb fs_info into btrfs_work 2016-07-26 13:53:15 +02:00
backref.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
backref.h btrfs: cleanup, remove inode_item_info helper 2015-01-14 19:23:47 +01:00
btrfs_inode.h Btrfs: add a flags field to btrfs_fs_info 2016-09-26 17:59:49 +02:00
check-integrity.c btrfs: convert printk(KERN_* to use pr_* calls 2016-09-26 18:08:44 +02:00
check-integrity.h fs: have submit_bh users pass in op and flags separately 2016-06-07 13:41:38 -06:00
compression.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
compression.h btrfs: move btrfs_compression_type to compression.h 2016-03-11 17:12:46 +01:00
ctree.c Btrfs: remove unnecessary btrfs_mark_buffer_dirty in split_leaf 2016-09-26 19:50:44 +02:00
ctree.h Merge branch 'fst-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.9 2016-10-12 13:16:00 -07:00
dedupe.h btrfs: expand cow_file_range() to support in-band dedup and subpage-blocksize 2016-07-26 13:52:25 +02:00
delayed-inode.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
delayed-inode.h Btrfs: fix ->iterate_shared() by upgrading i_rwsem for delayed nodes 2016-06-25 06:20:10 -07:00
delayed-ref.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
delayed-ref.h Btrfs: remove rb_node field from the delayed ref node structure 2016-11-19 13:39:18 +00:00
dev-replace.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
dev-replace.h btrfs: refactor btrfs_dev_replace_start for reuse 2016-04-28 10:59:13 +02:00
dir-item.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
disk-io.c Btrfs: fix emptiness check for dirtied extent buffers at check_leaf() 2016-11-23 20:24:35 +00:00
disk-io.h Btrfs: fix memory leak of block group cache 2016-09-26 17:59:49 +02:00
export.c BTRFS: support NFSv2 export 2015-10-06 06:55:23 -07:00
export.h
extent_io.c Btrfs: remove some no-op casts 2016-10-24 18:20:29 +02:00
extent_io.h Merge branch 'fst-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.9 2016-10-12 13:16:00 -07:00
extent_map.c btrfs: Fix slab accounting flags 2016-07-26 13:52:25 +02:00
extent_map.h btrfs: cleanup, stop casting for extent_map->lookup everywhere 2016-01-15 19:22:28 +01:00
extent-tree.c btrfs: fix WARNING in btrfs_select_ref_head() 2016-10-24 18:20:29 +02:00
file-item.c Btrfs: fix __MAX_CSUM_ITEMS 2016-08-03 14:08:37 -07:00
file.c Btrfs: fix enospc in hole punching 2016-11-30 13:44:16 +00:00
free-space-cache.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
free-space-cache.h btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
free-space-tree.c Merge branch 'fst-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.9 2016-10-12 13:16:00 -07:00
free-space-tree.h Btrfs: implement the free space B-tree 2015-12-17 12:16:47 -08:00
hash.c btrfs: advertise which crc32c implementation is being used at module load 2016-06-06 14:08:28 +02:00
hash.h btrfs: advertise which crc32c implementation is being used at module load 2016-06-06 14:08:28 +02:00
inode-item.c btrfs: rename btrfs_std_error to btrfs_handle_fs_error 2016-04-28 10:36:54 +02:00
inode-map.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
inode-map.h Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots 2016-01-15 19:25:02 +01:00
inode.c btrfs: pass correct args to btrfs_async_run_delayed_refs() 2016-10-24 18:20:29 +02:00
ioctl.c btrfs: make file clone aware of fatal signals 2016-10-24 18:20:29 +02:00
Kconfig rcu: Make SRCU optional by using CONFIG_SRCU 2015-01-06 11:04:29 -08:00
locking.c btrfs: cleanup, remove stray return statements 2016-01-07 14:30:52 +01:00
locking.h btrfs: fix lockups from btrfs_clear_path_blocking 2014-11-19 10:34:35 -08:00
lzo.c btrfs: convert printk(KERN_* to use pr_* calls 2016-09-26 18:08:44 +02:00
Makefile Btrfs: add free space tree sanity tests 2015-12-17 12:16:47 -08:00
math.h btrfs: cleanup 64bit/32bit divs, compile time constants 2015-03-03 17:23:57 +01:00
ordered-data.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
ordered-data.h Btrfs: fix race setting block group readonly during device replace 2016-05-30 12:58:21 +01:00
orphan.c
print-tree.c btrfs: convert printk(KERN_* to use pr_* calls 2016-09-26 18:08:44 +02:00
print-tree.h
props.c btrfs: simpilify btrfs_subvol_inherit_props 2016-07-26 13:54:22 +02:00
props.h
qgroup.c Btrfs: fix qgroup rescan worker initialization 2016-11-25 18:06:50 +00:00
qgroup.h btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent() 2016-08-25 03:58:21 -07:00
raid56.c Btrfs: remove BUG() in raid56 2016-09-26 17:59:49 +02:00
raid56.h Btrfs: add RAID 5/6 BTRFS_RBIO_REBUILD_MISSING operation 2015-08-09 07:34:26 -07:00
rcu-string.h
reada.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
relocation.c Btrfs: remove unused code when creating and merging reloc trees 2016-11-19 13:39:18 +00:00
root-tree.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
scrub.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
send.c Btrfs: fix incremental send failure caused by balance 2016-10-12 10:41:01 +01:00
send.h Btrfs: use linux/sizes.h to represent constants 2016-01-07 14:38:02 +01:00
struct-funcs.c btrfs: fix string and comment grammatical issues and typos 2016-05-25 22:35:14 +02:00
super.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
sysfs.c btrfs: convert printk(KERN_* to use pr_* calls 2016-09-26 18:08:44 +02:00
sysfs.h btrfs: sysfs: introduce helper for syncing bits with sysfs files 2016-01-21 18:50:40 +01:00
transaction.c btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
transaction.h btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
tree-defrag.c Btrfs: fix locking bugs when defragging leaves 2015-12-18 02:51:32 +00:00
tree-log.c Btrfs: fix tree search logic when replaying directory entry deletes 2016-11-30 16:56:12 +00:00
tree-log.h Btrfs: fix lockdep warning on deadlock against an inode's log mutex 2016-08-25 03:58:32 -07:00
ulist.c btrfs: fix string and comment grammatical issues and typos 2016-05-25 22:35:14 +02:00
ulist.h btrfs: ulist: Add ulist_del() function. 2015-06-10 09:26:17 -07:00
uuid-tree.c btrfs: unsplit printed strings 2016-09-26 18:08:44 +02:00
volumes.c Revert "btrfs: let btrfs_delete_unused_bgs() to clean relocated bgs" 2016-10-10 13:43:31 -07:00
volumes.h btrfs: convert pr_* to btrfs_* where possible 2016-09-26 19:37:04 +02:00
xattr.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr.h btrfs: Switch to generic xattr handlers 2016-05-17 19:17:09 -04:00
zlib.c btrfs: convert printk(KERN_* to use pr_* calls 2016-09-26 18:08:44 +02:00