diff options
author | Filipe Manana <fdmanana@suse.com> | 2015-03-30 19:26:47 +0200 |
---|---|---|
committer | Chris Mason <clm@fb.com> | 2015-04-13 16:03:27 +0200 |
commit | 113e8283869b9855c8b999796aadd506bbac155f (patch) | |
tree | 568520a2b8ba61cdeaf4e3c51f022a9efee16e3e /fs/btrfs/ioctl.c | |
parent | Btrfs: fix range cloning when same inode used as source and destination (diff) | |
download | linux-113e8283869b9855c8b999796aadd506bbac155f.tar.xz linux-113e8283869b9855c8b999796aadd506bbac155f.zip |
Btrfs: fix inode eviction infinite loop after extent_same ioctl
If we pass a length of 0 to the extent_same ioctl, we end up locking an
extent range with a start offset greater then its end offset (if the
destination file's offset is greater than zero). This results in a warning
from extent_io.c:insert_state through the following call chain:
btrfs_extent_same()
btrfs_double_lock()
lock_extent_range()
lock_extent(inode->io_tree, offset, offset + len - 1)
lock_extent_bits()
__set_extent_bit()
insert_state()
--> WARN_ON(end < start)
This leads to an infinite loop when evicting the inode. This is the same
problem that my previous patch titled
"Btrfs: fix inode eviction infinite loop after cloning into it" addressed
but for the extent_same ioctl instead of the clone ioctl.
CC: <stable@vger.kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs/btrfs/ioctl.c')
-rw-r--r-- | fs/btrfs/ioctl.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 43defea9ab20..3419f5e72bf9 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2897,6 +2897,9 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 len, if (src == dst) return -EINVAL; + if (len == 0) + return 0; + btrfs_double_lock(src, loff, dst, dst_loff, len); ret = extent_same_check_offsets(src, loff, len); |