linux

mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-05 16:54:27 +00:00

History

Filipe Manana 1d512cb77b Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow If we are using the NO_HOLES feature, we have a tiny time window when running delalloc for a nodatacow inode where we can race with a concurrent link or xattr add operation leading to a BUG_ON. This happens because at run_delalloc_nocow() we end up casting a leaf item of type BTRFS_INODE_[REF\|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a file extent item (struct btrfs_file_extent_item) and then analyse its extent type field, which won't match any of the expected extent types (values BTRFS_FILE_EXTENT_[REG\|PREALLOC\|INLINE]) and therefore trigger an explicit BUG_ON(1). The following sequence diagram shows how the race happens when running a no-cow dellaloc range [4K, 8K[ for inode 257 and we have the following neighbour leafs: Leaf X (has N items) Leaf Y [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ] [ (257 EXTENT_DATA 8192), ... ] slot N - 2 slot N - 1 slot 0 (Note the implicit hole for inode 257 regarding the [0, 8K[ range) CPU 1 CPU 2 run_dealloc_nocow() btrfs_lookup_file_extent() --> searches for a key with value (257 EXTENT_DATA 4096) in the fs/subvol tree --> returns us a path with path->nodes[0] == leaf X and path->slots[0] == N because path->slots[0] is >= btrfs_header_nritems(leaf X), it calls btrfs_next_leaf() btrfs_next_leaf() --> releases the path hard link added to our inode, with key (257 INODE_REF 500) added to the end of leaf X, so leaf X now has N + 1 keys --> searches for the key (257 INODE_REF 256), because it was the last key in leaf X before it released the path, with path->keep_locks set to 1 --> ends up at leaf X again and it verifies that the key (257 INODE_REF 256) is no longer the last key in the leaf, so it returns with path->nodes[0] == leaf X and path->slots[0] == N, pointing to the new item with key (257 INODE_REF 500) the loop iteration of run_dealloc_nocow() does not break out the loop and continues because the key referenced in the path at path->nodes[0] and path->slots[0] is for inode 257, its type is < BTRFS_EXTENT_DATA_KEY and its offset (500) is less then our delalloc range's end (8192) the item pointed by the path, an inode reference item, is (incorrectly) interpreted as a file extent item and we get an invalid extent type, leading to the BUG_ON(1): if (extent_type == BTRFS_FILE_EXTENT_REG \|\| extent_type == BTRFS_FILE_EXTENT_PREALLOC) { (...) } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { (...) } else { BUG_ON(1) } The same can happen if a xattr is added concurrently and ends up having a key with an offset smaller then the delalloc's range end. So fix this by skipping keys with a type smaller than BTRFS_EXTENT_DATA_KEY. Cc: stable@vger.kernel.org Signed-off-by: Filipe Manana <fdmanana@suse.com>		2015-11-09 11:29:14 +00:00
..
tests	Btrfs: add fragment=* debug mount option	2015-10-21 18:51:43 -07:00
acl.c	btrfs: remove useless ACL check	2014-06-09 17:20:42 -07:00
async-thread.c	btrfs: async_thread: Fix workqueue 'max_active' value when initializing	2015-08-31 11:46:40 -07:00
async-thread.h	btrfs: async_thread: Fix workqueue 'max_active' value when initializing	2015-08-31 11:46:40 -07:00
backref.c	btrfs: fix use after free iterating extrefs	2015-10-26 19:38:28 -07:00
backref.h	btrfs: cleanup, remove inode_item_info helper	2015-01-14 19:23:47 +01:00
btrfs_inode.h	Btrfs: Direct I/O: Fix space accounting	2015-09-21 13:47:55 -07:00
check-integrity.c	Merge branch 'cleanups/for-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.4	2015-10-21 18:21:40 -07:00
check-integrity.h
compression.c	Merge branch 'cleanups/for-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.4	2015-10-21 18:21:40 -07:00
compression.h	btrfs: constify structs with op functions or static definitions	2015-02-16 18:48:44 +01:00
ctree.c	Merge branch 'cleanups/for-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.4	2015-10-21 18:21:40 -07:00
ctree.h	btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans	2015-10-26 19:44:39 -07:00
delayed-inode.c	btrfs: comment the rest of implicit barriers before waitqueue_active	2015-10-10 18:42:00 +02:00
delayed-inode.h
delayed-ref.c	btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans	2015-10-26 19:44:39 -07:00
delayed-ref.h	btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans	2015-10-26 19:44:39 -07:00
dev-replace.c	Merge branch 'fix/waitqueue-barriers' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.4	2015-10-12 16:24:40 -07:00
dev-replace.h
dir-item.c	Btrfs: make xattr replace operations atomic	2014-11-20 17:20:07 -08:00
disk-io.c	btrfs: qgroup: exit the rescan worker during umount	2015-11-05 10:32:20 +00:00
disk-io.h	Btrfs: add btrfs_read_dev_one_super() to read one specific SB	2015-10-01 17:29:38 +02:00
export.c	BTRFS: support NFSv2 export	2015-10-06 06:55:23 -07:00
export.h
extent-tree.c	Btrfs: find_free_extent: Do not erroneously skip LOOP_CACHING_WAIT state	2015-11-03 07:44:20 -08:00
extent-tree.h	btrfs: qgroup: Add new qgroup calculation function	2015-06-10 09:25:49 -07:00
extent_io.c	btrfs: extent_io: Introduce new function clear_record_extent_bits()	2015-10-21 18:37:44 -07:00
extent_io.h	btrfs: qgroup: Introduce btrfs_qgroup_reserve_data function	2015-10-21 18:37:45 -07:00
extent_map.c	Btrfs: do not move em to modified list when unpinning	2014-11-21 11:59:54 -08:00
extent_map.h	Btrfs: fix NULL pointer crash when running balance and scrub concurrently	2014-06-19 14:20:55 -07:00
file-item.c	Merge branch 'cleanups-post-3.19' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.1	2015-03-25 10:52:48 -07:00
file.c	Btrfs: fix race leading to incorrect item deletion when dropping extents	2015-11-08 21:51:28 +00:00
free-space-cache.c	Btrfs: don't do extra bitmap search in one bit case	2015-10-21 18:55:41 -07:00
free-space-cache.h	Btrfs: keep track of largest extent in bitmaps	2015-10-21 18:55:40 -07:00
hash.c	btrfs: LLVMLinux: Remove VLAIS	2014-10-14 10:51:22 +02:00
hash.h
inode-item.c	Btrfs: consolidate btrfs_error() to btrfs_std_error()	2015-09-29 16:30:00 +02:00
inode-map.c	btrfs: qgroup: Cleanup old inaccurate facilities	2015-10-21 18:41:06 -07:00
inode-map.h
inode.c	Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow	2015-11-09 11:29:14 +00:00
ioctl.c	btrfs: check unsupported filters in balance arguments	2015-10-26 19:38:26 -07:00
Kconfig	rcu: Make SRCU optional by using CONFIG_SRCU	2015-01-06 11:04:29 -08:00
locking.c	btrfs: comment the rest of implicit barriers before waitqueue_active	2015-10-10 18:42:00 +02:00
locking.h	btrfs: fix lockups from btrfs_clear_path_blocking	2014-11-19 10:34:35 -08:00
lzo.c	btrfs: constify structs with op functions or static definitions	2015-02-16 18:48:44 +01:00
Makefile	Btrfs: add sanity tests for new qgroup accounting code	2014-06-09 17:20:49 -07:00
math.h	btrfs: cleanup 64bit/32bit divs, compile time constants	2015-03-03 17:23:57 +01:00
ordered-data.c	Btrfs: change how we wait for pending ordered extents	2015-10-21 18:51:40 -07:00
ordered-data.h	Btrfs: change how we wait for pending ordered extents	2015-10-21 18:51:40 -07:00
orphan.c	btrfs: kill the key type accessor helpers	2014-09-17 13:37:12 -07:00
print-tree.c	btrfs: remove parameter blocksize from read_tree_block	2014-10-02 17:14:50 +02:00
print-tree.h
props.c	btrfs: cleanup iterating over prop_handlers array	2015-10-21 18:28:48 +02:00
props.h
qgroup.c	Btrfs: fix sleeping inside atomic context in qgroup rescan worker	2015-11-05 11:02:22 +00:00
qgroup.h	btrfs: qgroup: Check if qgroup reserved space leaked	2015-10-21 18:41:10 -07:00
raid56.c	btrfs: comment waitqueue_active implied by locks	2015-10-10 18:35:10 +02:00
raid56.h	Btrfs: add RAID 5/6 BTRFS_RBIO_REBUILD_MISSING operation	2015-08-09 07:34:26 -07:00
rcu-string.h
reada.c	btrfs: reada: Fix returned errno code	2015-10-21 18:29:50 +02:00
relocation.c	Btrfs: fix regression running delayed references when using qgroups	2015-10-25 19:53:26 +00:00
root-tree.c	Merge branch 'cleanups/for-4.4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.4	2015-10-21 18:21:40 -07:00
scrub.c	btrfs: switch message printers to ratelimited variants	2015-10-08 13:04:06 +02:00
send.c	btrfs: fix resending received snapshot with parent	2015-10-13 20:04:10 +01:00
send.h
struct-funcs.c
super.c	Btrfs: add fragment=* debug mount option	2015-10-21 18:51:43 -07:00
sysfs.c	Btrfs: rename super_kobj to fsid_kobj	2015-09-29 16:29:59 +02:00
sysfs.h	Btrfs: rename btrfs_kobj_rm_device to btrfs_sysfs_rm_device_link	2015-09-29 16:29:59 +02:00
transaction.c	Merge branch 'allocator-fixes' into for-linus-4.4	2015-10-21 19:00:38 -07:00
transaction.h	Merge branch 'allocator-fixes' into for-linus-4.4	2015-10-21 19:00:38 -07:00
tree-defrag.c	Btrfs: cleanup: remove unnecessary check before btrfs_free_path is called	2015-08-31 11:46:41 -07:00
tree-log.c	Btrfs: fix regression running delayed references when using qgroups	2015-10-25 19:53:26 +00:00
tree-log.h	Btrfs: fix metadata inconsistencies after directory fsync	2015-03-26 17:56:23 -07:00
ulist.c	btrfs: ulist: Add ulist_del() function.	2015-06-10 09:26:17 -07:00
ulist.h	btrfs: ulist: Add ulist_del() function.	2015-06-10 09:26:17 -07:00
uuid-tree.c	Btrfs: make btrfs_search_forward return with nodes unlocked	2014-09-17 13:38:02 -07:00
volumes.c	btrfs: extend balance filter usage to take minimum and maximum	2015-10-26 19:38:30 -07:00
volumes.h	btrfs: add balance filters limits, stripes and usage to supported mask	2015-10-26 19:38:30 -07:00
xattr.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-04-26 17:22:07 -07:00
xattr.h
zlib.c	btrfs: constify structs with op functions or static definitions	2015-02-16 18:48:44 +01:00