Commit 113e8283 authored Mar 30, 2015 by Filipe Manana Committed by Chris Mason Apr 13, 2015

Btrfs: fix inode eviction infinite loop after extent_same ioctl



If we pass a length of 0 to the extent_same ioctl, we end up locking an
extent range with a start offset greater then its end offset (if the
destination file's offset is greater than zero). This results in a warning
from extent_io.c:insert_state through the following call chain:

  btrfs_extent_same()
    btrfs_double_lock()
      lock_extent_range()
        lock_extent(inode->io_tree, offset, offset + len - 1)
          lock_extent_bits()
            __set_extent_bit()
              insert_state()
                --> WARN_ON(end < start)

This leads to an infinite loop when evicting the inode. This is the same
problem that my previous patch titled
"Btrfs: fix inode eviction infinite loop after cloning into it" addressed
but for the extent_same ioctl instead of the clone ioctl.

CC: <stable@vger.kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Chris Mason <clm@fb.com>

parent df858e76

fs/btrfs/ioctl.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -2897,6 +2897,9 @@ static int btrfs_extent_same(struct inode *src, u64 loff, u64 len,
		if (src == dst)
		return -EINVAL;

		if (len == 0)
		return 0;

		btrfs_double_lock(src, loff, dst, dst_loff, len);

		ret = extent_same_check_offsets(src, loff, len);

Admin message