From patchwork Wed Sep 7 07:38:58 2016
X-Patchwork-Submitter: kernel@kyup.com
X-Patchwork-Id: 9318333
From: Nikolay Borisov
To: clm@fb.com
Cc: linux-btrfs@vger.kernel.org, Nikolay Borisov
Subject: [PATCH] btrfs: Fix handling of -ENOENT from btrfs_uuid_iter_rem
Date: Wed, 7 Sep 2016 10:38:58 +0300
Message-Id: <1473233938-21560-1-git-send-email-kernel@kyup.com>

btrfs_uuid_iter_rem is able to return -ENOENT; however, this condition is not handled in btrfs_uuid_tree_iterate, which can lead to calling btrfs_next_item with a freed path argument, leading to a null pointer dereference. Fix it by redoing the search but with an incremented objectid so we don't loop over the same key.

Signed-off-by: Nikolay Borisov
Suggested-by: Chris Mason
Link: https://lkml.kernel.org/r/57A473B0.2040203@kyup.com
---
 fs/btrfs/uuid-tree.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Hello Chris,

Since I keep getting those crashes, I (hopefully correctly) implemented your suggestion of redoing the search with an incremented key so we don't end up in a loop. Does that look correct?

diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c
index 778282944530..6e5b3866a65c 100644
--- a/fs/btrfs/uuid-tree.c
+++ b/fs/btrfs/uuid-tree.c
@@ -329,8 +329,12 @@ again_search_slot: * entry per UUID exists. */ goto again_search_slot; - } - if (ret < 0 && ret != -ENOENT) + } else if (ret == -ENOENT) { + key.type = 0; + key.offset = 0; + key.objectid++; + goto again_search_slot; + } else if (ret < 0) goto out; } item_size -= sizeof(subid_le);
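Review bot: the new `-ENOENT` branch restarts the search at `key.objectid++` with `key.type` and `key.offset` reset to 0, which skips every remaining item that shares the current objectid but has a larger type or offset, so those entries are never checked by this walk; since btrfs keys sort by (objectid, type, offset), incrementing only `key.offset` before `goto again_search_slot` resumes at the key immediately after the one that could not be removed and keeps the iteration complete while still avoiding the loop the commit message describes. A smaller point: `} else if (ret < 0)` drops the braces that the two preceding branches of the same chain use; kernel style wants braces on every branch once one branch needs them.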