btrfs: propagate error to btrfs_cmp_data_prepare caller

Commit Message

Naohiro Aota Sept. 8, 2017, 8:48 a.m. UTC

btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors
from gather_extent_pages(). While the pages are freed by
btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then,
btrfs_extent_same() try to access the already freed pages causing faults
(or violates PageLocked assertion).

This patch just return the error as is so that the caller stop the process.

Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage")
Cc: <stable@vger.kernel.org> # 4.2
---
 fs/btrfs/ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Sterba Sept. 13, 2017, 3:27 p.m. UTC | #1

On Fri, Sep 08, 2017 at 05:48:55PM +0900, Naohiro Aota wrote:
> btrfs_cmp_data_prepare() (almost) always returns 0 i.e. ignoring errors
> from gather_extent_pages(). While the pages are freed by
> btrfs_cmp_data_free(), cmp->num_pages still has > 0. Then,
> btrfs_extent_same() try to access the already freed pages causing faults
> (or violates PageLocked assertion).
> 
> This patch just return the error as is so that the caller stop the process.
> 
> Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
> Fixes: f441460202cb ("btrfs: fix deadlock with extent-same and readpage")
> Cc: <stable@vger.kernel.org> # 4.2

Reviewed-by: David Sterba <dsterba@suse.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index ae8fbf9d3de2..b5971923f15f 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3028,7 +3028,7 @@  static int btrfs_cmp_data_prepare(struct inode *src, u64 loff,
 out:
 	if (ret)
 		btrfs_cmp_data_free(cmp);
-	return 0;
+	return ret;
 }
 
 static int btrfs_cmp_data(u64 len, struct cmp_pages *cmp)