Commit cbf8ae32 authored Jun 07, 2012 by Roland Dreier Committed by Linus Torvalds Jun 07, 2012

btree: fix tree corruption in btree_get_prev()



The memory the parameter __key points to is used as an iterator in
btree_get_prev(), so if we save off a bkey() pointer in retry_key and
then assign that to __key, we'll end up corrupting the btree internals
when we do eg

	longcpy(__key, bkey(geo, node, i), geo->keylen);

to return the key value.  What we should do instead is use longcpy() to
copy the key value that retry_key points to __key.

This can cause a btree to get corrupted by seemingly read-only
operations such as btree_for_each_safe.

[akpm@linux-foundation.org: avoid the double longcpy()]
Signed-off-by: Roland Dreier <roland@purestorage.com>
Acked-by: Joern Engel <joern@logfs.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 7d8a4569

lib/btree.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -319,8 +319,8 @@ void btree_get_prev(struct btree_head head, struct btree_geo *geo,

		if (head->height == 0)
		return NULL;
		retry:
		longcpy(key, __key, geo->keylen);
		retry:
		dec_key(geo, key);

		node = head->node;
		@@ -351,7 +351,7 @@ retry:
		}
		miss:
		if (retry_key) {
		__key = retry_key;
		longcpy(key, retry_key, geo->keylen);
		retry_key = NULL;
		goto retry;
		}

Admin message