From patchwork Sun Apr 10 20:24:03 2011
X-Patchwork-Submitter: Sergei Trofimovich
X-Patchwork-Id: 696981
Date: Sun, 10 Apr 2011 23:24:03 +0300
From: Sergei Trofimovich
To: Sergei Trofimovich
Cc: chris.mason@oracle.com, linux-btrfs@vger.kernel.org, cwillu
Subject: [PATCH] Re: btrfs does not work on usermode linux
Message-ID: <20110410232403.617c3b7f@sf>
In-Reply-To: <20110410230622.09e965ae@sf>
References: <20110410133710.0ef34cb6@sf> <20110410184249.483d8d67@sf> <20110410230622.09e965ae@sf>
X-Mailer: Claws Mail 3.7.8 (GTK+ 2.22.1; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Sun, 10 Apr 2011 20:22:01 +0000 (UTC)

From 0eaf33265f8a2e0d76ee6db1ad74ee4422efb122 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich
Date: Sun, 10 Apr 2011 23:19:53 +0300
Subject: [PATCH] btrfs: properly handle overlapping areas in memmove_extent_buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix data corruption caused by memcpy() usage on overlapping data.
I've observed it first when I found out that usermode linux crashes on btrfs.

Call chain is the following:
    ------------[ cut here ]------------
    WARNING: at /home/slyfox/linux-2.6/fs/btrfs/extent_io.c:3900 memcpy_extent_buffer+0x1a5/0x219()
    Call Trace:
    6fa39a58:  [<601b495e>] _raw_spin_unlock_irqrestore+0x18/0x1c
    6fa39a68:  [<60029ad9>] warn_slowpath_common+0x59/0x70
    6fa39aa8:  [<60029b05>] warn_slowpath_null+0x15/0x17
    6fa39ab8:  [<600efc97>] memcpy_extent_buffer+0x1a5/0x219
    6fa39b48:  [<600efd9f>] memmove_extent_buffer+0x94/0x208
    6fa39bc8:  [<600becbf>] btrfs_del_items+0x214/0x473
    6fa39c78:  [<600ce1b0>] btrfs_delete_one_dir_name+0x7c/0xda
    6fa39cc8:  [<600dad6b>] __btrfs_unlink_inode+0xad/0x25d
    6fa39d08:  [<600d7864>] btrfs_start_transaction+0xe/0x10
    6fa39d48:  [<600dc9ff>] btrfs_unlink_inode+0x1b/0x3b
    6fa39d78:  [<600e04bc>] btrfs_unlink+0x70/0xef
    6fa39dc8:  [<6007f0d0>] vfs_unlink+0x58/0xa3
    6fa39df8:  [<60080278>] do_unlinkat+0xd4/0x162
    6fa39e48:  [<600517db>] call_rcu_sched+0xe/0x10
    6fa39e58:  [<600452a8>] __put_cred+0x58/0x5a
    6fa39e78:  [<6007446c>] sys_faccessat+0x154/0x166
    6fa39ed8:  [<60080317>] sys_unlink+0x11/0x13
    6fa39ee8:  [<60016b80>] handle_syscall+0x58/0x70
    6fa39f08:  [<60021377>] userspace+0x2d4/0x381
    6fa39fc8:  [<60014507>] fork_handler+0x62/0x69
    ---[ end trace 70b0ca2ef0266b93 ]---

http://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg09302.html

Signed-off-by: Sergei Trofimovich
---
 fs/btrfs/extent_io.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 20ddb28..3bbda41 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c 
@@ -3897,6 +3897,7 @@ static void copy_pages(struct page *dst_page, struct page *src_page, else src_kaddr = dst_kaddr; + BUG_ON(abs(src_off - dst_off) < len); memcpy(dst_kaddr + dst_off, src_kaddr + src_off, len); kunmap_atomic(dst_kaddr, KM_USER0); if (dst_page != src_page) @@ -3970,7 +3971,7 @@ void memmove_extent_buffer(struct extent_buffer *dst, unsigned long dst_offset, "len %lu len %lu\n", dst_offset, len, dst->len); BUG_ON(1); } - if (dst_offset < src_offset) { + if (abs(dst_offset - src_offset) >= len) { memcpy_extent_buffer(dst, dst_offset, src_offset, len); return; } -- 1.7.3.4
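
Review bot: in the copy_pages() hunk, the new BUG_ON(abs(src_off - dst_off) < len) is placed after the if/else, so it also runs when the two pages differ, and the later "if (dst_page != src_page)" in the same hunk shows that they can. Offsets closer than len on two different pages do not describe overlapping memory, so the check as placed can halt the kernel on a valid copy. Move it into the else branch beside "src_kaddr = dst_kaddr;", where source and destination really share a mapping. If a same-page overlap is an input this function should accept, using memmove() for that case would be preferable to BUG_ON(), which turns the bad copy into a crash rather than a correct result.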
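
Review bot: in the memmove_extent_buffer() hunk, replacing "dst_offset < src_offset" with "abs(dst_offset - src_offset) >= len" changes which path an overlapping move with dst_offset < src_offset takes: it no longer returns through memcpy_extent_buffer() and instead falls through to the rest of the function, which this hunk does not show. Please confirm, and state in the commit message, that the code below copies in a direction that is safe when the destination starts before the source. Separately, dst_offset is declared unsigned long in the hunk header, so the subtraction wraps before abs() sees it and the result depends on an implicit conversion to a signed type. A small helper that computes the distance as the larger offset minus the smaller, shared with the BUG_ON in copy_pages(), would make the overlap test explicit and keep both sites consistent.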