From patchwork Mon Sep 18 07:21:27 2017
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 9955585
From: Qu Wenruo
To: linux-btrfs@vger.kernel.org
Cc: dsterba@suse.cz
Subject: [PATCH v3 02/14] btrfs-progs: Fix one-byte overlap bug in free_block_group_cache
Date: Mon, 18 Sep 2017 16:21:27 +0900
Message-Id: <20170918072139.6300-3-quwenruo.btrfs@gmx.com>
X-Mailer: git-send-email 2.13.3
In-Reply-To: <20170918072139.6300-1-quwenruo.btrfs@gmx.com>
References: <20170918072139.6300-1-quwenruo.btrfs@gmx.com>
X-Mailing-List: linux-btrfs@vger.kernel.org

free_block_group_cache() calls clear_extent_bits() with the wrong end, which is one byte larger than the correct range. This will cause the next adjacent cache state to be split. And due to the split, the private pointer (which points to the block group cache) will be reset to NULL.
This is very hard to detect, as this function only gets called in cleanup_temp_chunks(), which is just before mkfs finishes. This bug only gets exposed when reworking the --rootdir option.

Signed-off-by: Qu Wenruo
---
extent-tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extent-tree.c b/extent-tree.c index eed56886..525a237e 100644 --- a/extent-tree.c +++ b/extent-tree.c @@ -3724,7 +3724,7 @@ static int free_block_group_cache(struct btrfs_trans_handle *trans, btrfs_remove_free_space_cache(cache); kfree(cache->free_space_ctl); } - clear_extent_bits(&fs_info->block_group_cache, bytenr, bytenr + len, + clear_extent_bits(&fs_info->block_group_cache, bytenr, bytenr + len - 1, (unsigned int)-1); ret = free_space_info(fs_info, flags, len, 0, NULL); if (ret < 0)
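Review bot: The return value of clear_extent_bits() is still dropped on the corrected line, while free_space_info() immediately below it is checked through ret; if clearing the block_group_cache range can fail, capture it the same way (`ret = clear_extent_bits(...);` followed by the same `if (ret < 0)` handling) rather than letting a failed clear go unnoticed. A short comment on the call that the extent_io range end is inclusive would also help, since `bytenr + len - 1` reads like an off-by-one to anyone expecting a half-open end, and the arithmetic lands before bytenr if len can ever be zero.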
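To make the mechanism in the commit message concrete, here is an added example that is not btrfs-progs code and not the author's: a minimal inclusive-end state list with two adjacent block groups, where freeing the first with an end of bytenr + len splits the second group's state and loses its private pointer, while bytenr + len - 1 leaves it intact. All toy_* names, the toy_bg_* stand-ins and the sample addresses are assumptions made for this example; the real extent_io tree is a red-black tree with more cases than this list handles, and only the split-drops-private behaviour described in the commit message is mirrored here.

```c
/* Added illustration, not btrfs-progs code: a minimal inclusive-range state
 * list modelled on the extent_io semantics the commit message describes.
 * The toy_* names and the sample addresses are invented for this example. */
#include <stdint.h>
#include <string.h>

#define TOY_MAX 8

struct toy_state {
	uint64_t start, end;	/* both inclusive, as in extent_io states */
	unsigned bits;
	void *priv;		/* stands in for the block group cache pointer */
};

struct toy_tree {
	struct toy_state s[TOY_MAX];	/* sorted by start, non-overlapping */
	int n;
};

static int toy_insert_at(struct toy_tree *t, int i, struct toy_state st)
{
	if (t->n >= TOY_MAX)
		return -1;
	memmove(&t->s[i + 1], &t->s[i], (size_t)(t->n - i) * sizeof(st));
	t->s[i] = st;
	t->n++;
	return 0;
}

/* Record a state for [start, end] with its private pointer (no overlap assumed). */
int toy_set_bits(struct toy_tree *t, uint64_t start, uint64_t end, unsigned bits, void *priv)
{
	struct toy_state st = { start, end, bits, priv };
	int i = 0;
	while (i < t->n && t->s[i].start < start)
		i++;
	return toy_insert_at(t, i, st);
}

/* Split state i into [start, split-1] and [split, end]. Like a freshly
 * allocated extent_state, the new (left) piece carries no private pointer. */
static int toy_split(struct toy_tree *t, int i, uint64_t split)
{
	struct toy_state left = t->s[i];
	left.end = split - 1;
	left.priv = NULL;
	t->s[i].start = split;
	return toy_insert_at(t, i, left);
}

/* Clear bits over inclusive [start, end]; states left with no bits are dropped. */
int toy_clear_bits(struct toy_tree *t, uint64_t start, uint64_t end, unsigned bits)
{
	int i = 0;
	while (i < t->n && t->s[i].start <= end) {
		struct toy_state *st = &t->s[i];
		if (st->end < start) {
			i++;
		} else if (st->start < start) {	/* keep the untouched head */
			if (toy_split(t, i, start) < 0)
				return -1;
			i++;			/* the right piece is revisited next */
		} else {
			if (st->end > end) {	/* keep the untouched tail */
				if (toy_split(t, i, end + 1) < 0)
					return -1;
				st = &t->s[i];	/* the piece inside the range */
			}
			st->bits &= ~bits;
			if (st->bits)
				i++;
			else
				memmove(st, st + 1, (size_t)(--t->n - i) * sizeof(*st));
		}
	}
	return 0;
}

/* Private pointer of the state covering addr, or NULL if none does. */
void *toy_lookup_private(const struct toy_tree *t, uint64_t addr)
{
	for (int i = 0; i < t->n; i++)
		if (t->s[i].start <= addr && addr <= t->s[i].end)
			return t->s[i].priv;
	return NULL;
}

int toy_bg_a, toy_bg_b;	/* stand-ins for two adjacent block group caches */

/* Mimic free_block_group_cache() on the first of two adjacent 8 MiB block
 * groups, with the old end (bytenr + len) when off_by_one is set and the fixed
 * end (bytenr + len - 1) otherwise. Returns what a lookup at the second group's
 * start finds afterwards and reports where the surviving state now begins. */
void *toy_free_first_group(int off_by_one, uint64_t *next_start)
{
	struct toy_tree t = { .n = 0 };
	const uint64_t bytenr = 1024 * 1024, len = 8 * 1024 * 1024;
	toy_set_bits(&t, bytenr, bytenr + len - 1, 1, &toy_bg_a);
	toy_set_bits(&t, bytenr + len, bytenr + 2 * len - 1, 1, &toy_bg_b);
	toy_clear_bits(&t, bytenr, off_by_one ? bytenr + len : bytenr + len - 1, ~0u);
	*next_start = t.n ? t.s[0].start : 0;
	return toy_lookup_private(&t, bytenr + len);
}
```

With the old end, toy_free_first_group(1, &n) returns NULL and n is one byte past the second group's start: the one-byte overlap was split off the second state as a fresh piece without a private pointer, cleared, and dropped, so the block group is no longer found at its own bytenr. With the fixed end, toy_free_first_group(0, &n) returns &toy_bg_b and n equals bytenr + len. The general lesson is the one the patch applies: when an API takes an inclusive end, derive it as start + len - 1 at the call site and never pass the half-open start + len.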