<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/btrfs, branch linux-3.14.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Btrfs: don't use src fd for printk</title>
<updated>2016-06-01T19:12:46+00:00</updated>
<author>
<name>Josef Bacik</name>
<email>jbacik@fb.com</email>
</author>
<published>2016-03-25T14:02:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=75d8e34e6f11202607c3f18f2870513c820fb7de'/>
<id>75d8e34e6f11202607c3f18f2870513c820fb7de</id>
<content type='text'>
commit c79b4713304f812d3d6c95826fc3e5fc2c0b0c14 upstream.

The fd we pass in may not be on a btrfs file system, so don't try to do
BTRFS_I() on it.  Thanks,

Signed-off-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Cc: Jeff Mahoney &lt;jeffm@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c79b4713304f812d3d6c95826fc3e5fc2c0b0c14 upstream.

The fd we pass in may not be on a btrfs file system, so don't try to do
BTRFS_I() on it.  Thanks,

Signed-off-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Cc: Jeff Mahoney &lt;jeffm@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix number of transaction units required to create symlink</title>
<updated>2016-03-03T23:06:51+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2015-12-31T18:16:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=55330b801ed55f24a64ca4be6f777ee2f3e38cd9'/>
<id>55330b801ed55f24a64ca4be6f777ee2f3e38cd9</id>
<content type='text'>
commit 9269d12b2d57d9e3d13036bb750762d1110d425c upstream.

We weren't accounting for the insertion of an inline extent item for the
symlink inode nor that we need to update the parent inode item (through
the call to btrfs_add_nondir()). So fix this by including two more
transaction units.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9269d12b2d57d9e3d13036bb750762d1110d425c upstream.

We weren't accounting for the insertion of an inline extent item for the
symlink inode nor that we need to update the parent inode item (through
the call to btrfs_add_nondir()). So fix this by including two more
transaction units.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: send, don't BUG_ON() when an empty symlink is found</title>
<updated>2016-03-03T23:06:50+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2015-12-31T18:07:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5e48c0ad397cd92f2a8ec81c3ded958ceb357a1'/>
<id>e5e48c0ad397cd92f2a8ec81c3ded958ceb357a1</id>
<content type='text'>
commit a879719b8c90e15c9e7fa7266d5e3c0ca962f9df upstream.

When a symlink is successfully created it always has an inline extent
containing the source path. However if an error happens when creating
the symlink, we can leave in the subvolume's tree a symlink inode without
any such inline extent item - this happens if after btrfs_symlink() calls
btrfs_end_transaction() and before it calls the inode eviction handler
(through the final iput() call), the transaction gets committed and a
crash happens before the eviction handler gets called, or if a snapshot
of the subvolume is made before the eviction handler gets called. Sadly
we can't just avoid this by making btrfs_symlink() call
btrfs_end_transaction() after it calls the eviction handler, because the
later can commit the current transaction before it removes any items from
the subvolume tree (if it encounters ENOSPC errors while reserving space
for removing all the items).

So make send fail more gracefully, with an -EIO error, and print a
message to dmesg/syslog informing that there's an empty symlink inode,
so that the user can delete the empty symlink or do something else
about it.

Reported-by: Stephen R. van den Berg &lt;srb@cuci.nl&gt;
Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a879719b8c90e15c9e7fa7266d5e3c0ca962f9df upstream.

When a symlink is successfully created it always has an inline extent
containing the source path. However if an error happens when creating
the symlink, we can leave in the subvolume's tree a symlink inode without
any such inline extent item - this happens if after btrfs_symlink() calls
btrfs_end_transaction() and before it calls the inode eviction handler
(through the final iput() call), the transaction gets committed and a
crash happens before the eviction handler gets called, or if a snapshot
of the subvolume is made before the eviction handler gets called. Sadly
we can't just avoid this by making btrfs_symlink() call
btrfs_end_transaction() after it calls the eviction handler, because the
later can commit the current transaction before it removes any items from
the subvolume tree (if it encounters ENOSPC errors while reserving space
for removing all the items).

So make send fail more gracefully, with an -EIO error, and print a
message to dmesg/syslog informing that there's an empty symlink inode,
so that the user can delete the empty symlink or do something else
about it.

Reported-by: Stephen R. van den Berg &lt;srb@cuci.nl&gt;
Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: igrab inode in writepage</title>
<updated>2016-03-03T23:06:50+00:00</updated>
<author>
<name>Josef Bacik</name>
<email>jbacik@fb.com</email>
</author>
<published>2015-10-22T19:05:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d985de97bf3d0aef79d5ac619733cb4627af0368'/>
<id>d985de97bf3d0aef79d5ac619733cb4627af0368</id>
<content type='text'>
commit be7bd730841e69fe8f70120098596f648cd1f3ff upstream.

We hit this panic on a few of our boxes this week where we have an
ordered_extent with an NULL inode.  We do an igrab() of the inode in writepages,
but weren't doing it in writepage which can be called directly from the VM on
dirty pages.  If the inode has been unlinked then we could have I_FREEING set
which means igrab() would return NULL and we get this panic.  Fix this by trying
to igrab in btrfs_writepage, and if it returns NULL then just redirty the page
and return AOP_WRITEPAGE_ACTIVATE; so the VM knows it wasn't successful.  Thanks,

Signed-off-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit be7bd730841e69fe8f70120098596f648cd1f3ff upstream.

We hit this panic on a few of our boxes this week where we have an
ordered_extent with an NULL inode.  We do an igrab() of the inode in writepages,
but weren't doing it in writepage which can be called directly from the VM on
dirty pages.  If the inode has been unlinked then we could have I_FREEING set
which means igrab() would return NULL and we get this panic.  Fix this by trying
to igrab in btrfs_writepage, and if it returns NULL then just redirty the page
and return AOP_WRITEPAGE_ACTIVATE; so the VM knows it wasn't successful.  Thanks,

Signed-off-by: Josef Bacik &lt;jbacik@fb.com&gt;
Reviewed-by: Liu Bo &lt;bo.li.liu@oracle.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: add missing brelse when superblock checksum fails</title>
<updated>2016-03-03T23:06:50+00:00</updated>
<author>
<name>Anand Jain</name>
<email>anand.jain@oracle.com</email>
</author>
<published>2015-10-07T09:23:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7354b179aff3dccac22c6e9110a26b5885606a12'/>
<id>7354b179aff3dccac22c6e9110a26b5885606a12</id>
<content type='text'>
commit b2acdddfad13c38a1e8b927d83c3cf321f63601a upstream.

Looks like oversight, call brelse() when checksum fails. Further down the
code, in the non error path, we do call brelse() and so we don't see
brelse() in the goto error paths.

Signed-off-by: Anand Jain &lt;anand.jain@oracle.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b2acdddfad13c38a1e8b927d83c3cf321f63601a upstream.

Looks like oversight, call brelse() when checksum fails. Further down the
code, in the non error path, we do call brelse() and so we don't see
brelse() in the goto error paths.

Signed-off-by: Anand Jain &lt;anand.jain@oracle.com&gt;
Reviewed-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl</title>
<updated>2016-02-25T19:58:52+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2016-02-03T19:17:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d5b6db240e5689761a92e294c0a18b1afff20d1'/>
<id>5d5b6db240e5689761a92e294c0a18b1afff20d1</id>
<content type='text'>
commit 0c0fe3b0fa45082cd752553fdb3a4b42503a118e upstream.

While doing some tests I ran into an hang on an extent buffer's rwlock
that produced the following trace:

[39389.800012] NMI watchdog: BUG: soft lockup - CPU#15 stuck for 22s! [fdm-stress:32166]
[39389.800016] NMI watchdog: BUG: soft lockup - CPU#14 stuck for 22s! [fdm-stress:32165]
[39389.800016] Modules linked in: btrfs dm_mod ppdev xor sha256_generic hmac raid6_pq drbg ansi_cprng aesni_intel i2c_piix4 acpi_cpufreq aes_x86_64 ablk_helper tpm_tis parport_pc i2c_core sg cryptd evdev psmouse lrw tpm parport gf128mul serio_raw pcspkr glue_helper processor button loop autofs4 ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring crc32c_intel scsi_mod e1000 virtio floppy [last unloaded: btrfs]
[39389.800016] irq event stamp: 0
[39389.800016] hardirqs last  enabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800016] hardirqs last disabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800016] softirqs last  enabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800016] softirqs last disabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800016] CPU: 14 PID: 32165 Comm: fdm-stress Not tainted 4.4.0-rc6-btrfs-next-18+ #1
[39389.800016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[39389.800016] task: ffff880175b1ca40 ti: ffff8800a185c000 task.ti: ffff8800a185c000
[39389.800016] RIP: 0010:[&lt;ffffffff810902af&gt;]  [&lt;ffffffff810902af&gt;] queued_spin_lock_slowpath+0x57/0x158
[39389.800016] RSP: 0018:ffff8800a185fb80  EFLAGS: 00000202
[39389.800016] RAX: 0000000000000101 RBX: ffff8801710c4e9c RCX: 0000000000000101
[39389.800016] RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000001
[39389.800016] RBP: ffff8800a185fb98 R08: 0000000000000001 R09: 0000000000000000
[39389.800016] R10: ffff8800a185fb68 R11: 6db6db6db6db6db7 R12: ffff8801710c4e98
[39389.800016] R13: ffff880175b1ca40 R14: ffff8800a185fc10 R15: ffff880175b1ca40
[39389.800016] FS:  00007f6d37fff700(0000) GS:ffff8802be9c0000(0000) knlGS:0000000000000000
[39389.800016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[39389.800016] CR2: 00007f6d300019b8 CR3: 0000000037c93000 CR4: 00000000001406e0
[39389.800016] Stack:
[39389.800016]  ffff8801710c4e98 ffff8801710c4e98 ffff880175b1ca40 ffff8800a185fbb0
[39389.800016]  ffffffff81091e11 ffff8801710c4e98 ffff8800a185fbc8 ffffffff81091895
[39389.800016]  ffff8801710c4e98 ffff8800a185fbe8 ffffffff81486c5c ffffffffa067288c
[39389.800016] Call Trace:
[39389.800016]  [&lt;ffffffff81091e11&gt;] queued_read_lock_slowpath+0x46/0x60
[39389.800016]  [&lt;ffffffff81091895&gt;] do_raw_read_lock+0x3e/0x41
[39389.800016]  [&lt;ffffffff81486c5c&gt;] _raw_read_lock+0x3d/0x44
[39389.800016]  [&lt;ffffffffa067288c&gt;] ? btrfs_tree_read_lock+0x54/0x125 [btrfs]
[39389.800016]  [&lt;ffffffffa067288c&gt;] btrfs_tree_read_lock+0x54/0x125 [btrfs]
[39389.800016]  [&lt;ffffffffa0622ced&gt;] ? btrfs_find_item+0xa7/0xd2 [btrfs]
[39389.800016]  [&lt;ffffffffa069363f&gt;] btrfs_ref_to_path+0xd6/0x174 [btrfs]
[39389.800016]  [&lt;ffffffffa0693730&gt;] inode_to_path+0x53/0xa2 [btrfs]
[39389.800016]  [&lt;ffffffffa0693e2e&gt;] paths_from_inode+0x117/0x2ec [btrfs]
[39389.800016]  [&lt;ffffffffa0670cff&gt;] btrfs_ioctl+0xd5b/0x2793 [btrfs]
[39389.800016]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800016]  [&lt;ffffffff81276727&gt;] ? __this_cpu_preempt_check+0x13/0x15
[39389.800016]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800016]  [&lt;ffffffff8118b3d4&gt;] ? rcu_read_unlock+0x3e/0x5d
[39389.800016]  [&lt;ffffffff811822f8&gt;] do_vfs_ioctl+0x42b/0x4ea
[39389.800016]  [&lt;ffffffff8118b4f3&gt;] ? __fget_light+0x62/0x71
[39389.800016]  [&lt;ffffffff8118240e&gt;] SyS_ioctl+0x57/0x79
[39389.800016]  [&lt;ffffffff814872d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
[39389.800016] Code: b9 01 01 00 00 f7 c6 00 ff ff ff 75 32 83 fe 01 89 ca 89 f0 0f 45 d7 f0 0f b1 13 39 f0 74 04 89 c6 eb e2 ff ca 0f 84 fa 00 00 00 &lt;8b&gt; 03 84 c0 74 04 f3 90 eb f6 66 c7 03 01 00 e9 e6 00 00 00 e8
[39389.800012] Modules linked in: btrfs dm_mod ppdev xor sha256_generic hmac raid6_pq drbg ansi_cprng aesni_intel i2c_piix4 acpi_cpufreq aes_x86_64 ablk_helper tpm_tis parport_pc i2c_core sg cryptd evdev psmouse lrw tpm parport gf128mul serio_raw pcspkr glue_helper processor button loop autofs4 ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring crc32c_intel scsi_mod e1000 virtio floppy [last unloaded: btrfs]
[39389.800012] irq event stamp: 0
[39389.800012] hardirqs last  enabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800012] hardirqs last disabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800012] softirqs last  enabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800012] softirqs last disabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800012] CPU: 15 PID: 32166 Comm: fdm-stress Tainted: G             L  4.4.0-rc6-btrfs-next-18+ #1
[39389.800012] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[39389.800012] task: ffff880179294380 ti: ffff880034a60000 task.ti: ffff880034a60000
[39389.800012] RIP: 0010:[&lt;ffffffff81091e8d&gt;]  [&lt;ffffffff81091e8d&gt;] queued_write_lock_slowpath+0x62/0x72
[39389.800012] RSP: 0018:ffff880034a639f0  EFLAGS: 00000206
[39389.800012] RAX: 0000000000000101 RBX: ffff8801710c4e98 RCX: 0000000000000000
[39389.800012] RDX: 00000000000000ff RSI: 0000000000000000 RDI: ffff8801710c4e9c
[39389.800012] RBP: ffff880034a639f8 R08: 0000000000000001 R09: 0000000000000000
[39389.800012] R10: ffff880034a639b0 R11: 0000000000001000 R12: ffff8801710c4e98
[39389.800012] R13: 0000000000000001 R14: ffff880172cbc000 R15: ffff8801710c4e00
[39389.800012] FS:  00007f6d377fe700(0000) GS:ffff8802be9e0000(0000) knlGS:0000000000000000
[39389.800012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[39389.800012] CR2: 00007f6d3d3c1000 CR3: 0000000037c93000 CR4: 00000000001406e0
[39389.800012] Stack:
[39389.800012]  ffff8801710c4e98 ffff880034a63a10 ffffffff81091963 ffff8801710c4e98
[39389.800012]  ffff880034a63a30 ffffffff81486f1b ffffffffa0672cb3 ffff8801710c4e00
[39389.800012]  ffff880034a63a78 ffffffffa0672cb3 ffff8801710c4e00 ffff880034a63a58
[39389.800012] Call Trace:
[39389.800012]  [&lt;ffffffff81091963&gt;] do_raw_write_lock+0x72/0x8c
[39389.800012]  [&lt;ffffffff81486f1b&gt;] _raw_write_lock+0x3a/0x41
[39389.800012]  [&lt;ffffffffa0672cb3&gt;] ? btrfs_tree_lock+0x119/0x251 [btrfs]
[39389.800012]  [&lt;ffffffffa0672cb3&gt;] btrfs_tree_lock+0x119/0x251 [btrfs]
[39389.800012]  [&lt;ffffffffa061aeba&gt;] ? rcu_read_unlock+0x5b/0x5d [btrfs]
[39389.800012]  [&lt;ffffffffa061ce13&gt;] ? btrfs_root_node+0xda/0xe6 [btrfs]
[39389.800012]  [&lt;ffffffffa061ce83&gt;] btrfs_lock_root_node+0x22/0x42 [btrfs]
[39389.800012]  [&lt;ffffffffa062046b&gt;] btrfs_search_slot+0x1b8/0x758 [btrfs]
[39389.800012]  [&lt;ffffffff810fc6b0&gt;] ? time_hardirqs_on+0x15/0x28
[39389.800012]  [&lt;ffffffffa06365db&gt;] btrfs_lookup_inode+0x31/0x95 [btrfs]
[39389.800012]  [&lt;ffffffff8108d62f&gt;] ? trace_hardirqs_on+0xd/0xf
[39389.800012]  [&lt;ffffffff8148482b&gt;] ? mutex_lock_nested+0x397/0x3bc
[39389.800012]  [&lt;ffffffffa068821b&gt;] __btrfs_update_delayed_inode+0x59/0x1c0 [btrfs]
[39389.800012]  [&lt;ffffffffa068858e&gt;] __btrfs_commit_inode_delayed_items+0x194/0x5aa [btrfs]
[39389.800012]  [&lt;ffffffff81486ab7&gt;] ? _raw_spin_unlock+0x31/0x44
[39389.800012]  [&lt;ffffffffa0688a48&gt;] __btrfs_run_delayed_items+0xa4/0x15c [btrfs]
[39389.800012]  [&lt;ffffffffa0688d62&gt;] btrfs_run_delayed_items+0x11/0x13 [btrfs]
[39389.800012]  [&lt;ffffffffa064048e&gt;] btrfs_commit_transaction+0x234/0x96e [btrfs]
[39389.800012]  [&lt;ffffffffa0618d10&gt;] btrfs_sync_fs+0x145/0x1ad [btrfs]
[39389.800012]  [&lt;ffffffffa0671176&gt;] btrfs_ioctl+0x11d2/0x2793 [btrfs]
[39389.800012]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800012]  [&lt;ffffffff81140261&gt;] ? __might_fault+0x4c/0xa7
[39389.800012]  [&lt;ffffffff81140261&gt;] ? __might_fault+0x4c/0xa7
[39389.800012]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800012]  [&lt;ffffffff8118b3d4&gt;] ? rcu_read_unlock+0x3e/0x5d
[39389.800012]  [&lt;ffffffff811822f8&gt;] do_vfs_ioctl+0x42b/0x4ea
[39389.800012]  [&lt;ffffffff8118b4f3&gt;] ? __fget_light+0x62/0x71
[39389.800012]  [&lt;ffffffff8118240e&gt;] SyS_ioctl+0x57/0x79
[39389.800012]  [&lt;ffffffff814872d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
[39389.800012] Code: f0 0f b1 13 85 c0 75 ef eb 2a f3 90 8a 03 84 c0 75 f8 f0 0f b0 13 84 c0 75 f0 ba ff 00 00 00 eb 0a f0 0f b1 13 ff c8 74 0b f3 90 &lt;8b&gt; 03 83 f8 01 75 f7 eb ed c6 43 04 00 5b 5d c3 0f 1f 44 00 00

This happens because in the code path executed by the inode_paths ioctl we
end up nesting two calls to read lock a leaf's rwlock when after the first
call to read_lock() and before the second call to read_lock(), another
task (running the delayed items as part of a transaction commit) has
already called write_lock() against the leaf's rwlock. This situation is
illustrated by the following diagram:

         Task A                       Task B

  btrfs_ref_to_path()               btrfs_commit_transaction()
    read_lock(&amp;eb-&gt;lock);

                                      btrfs_run_delayed_items()
                                        __btrfs_commit_inode_delayed_items()
                                          __btrfs_update_delayed_inode()
                                            btrfs_lookup_inode()

                                              write_lock(&amp;eb-&gt;lock);
                                                --&gt; task waits for lock

    read_lock(&amp;eb-&gt;lock);
    --&gt; makes this task hang
        forever (and task B too
	of course)

So fix this by avoiding doing the nested read lock, which is easily
avoidable. This issue does not happen if task B calls write_lock() after
task A does the second call to read_lock(), however there does not seem
to exist anything in the documentation that mentions what is the expected
behaviour for recursive locking of rwlocks (leaving the idea that doing
so is not a good usage of rwlocks).

Also, as a side effect necessary for this fix, make sure we do not
needlessly read lock extent buffers when the input path has skip_locking
set (used when called from send).

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0c0fe3b0fa45082cd752553fdb3a4b42503a118e upstream.

While doing some tests I ran into an hang on an extent buffer's rwlock
that produced the following trace:

[39389.800012] NMI watchdog: BUG: soft lockup - CPU#15 stuck for 22s! [fdm-stress:32166]
[39389.800016] NMI watchdog: BUG: soft lockup - CPU#14 stuck for 22s! [fdm-stress:32165]
[39389.800016] Modules linked in: btrfs dm_mod ppdev xor sha256_generic hmac raid6_pq drbg ansi_cprng aesni_intel i2c_piix4 acpi_cpufreq aes_x86_64 ablk_helper tpm_tis parport_pc i2c_core sg cryptd evdev psmouse lrw tpm parport gf128mul serio_raw pcspkr glue_helper processor button loop autofs4 ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring crc32c_intel scsi_mod e1000 virtio floppy [last unloaded: btrfs]
[39389.800016] irq event stamp: 0
[39389.800016] hardirqs last  enabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800016] hardirqs last disabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800016] softirqs last  enabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800016] softirqs last disabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800016] CPU: 14 PID: 32165 Comm: fdm-stress Not tainted 4.4.0-rc6-btrfs-next-18+ #1
[39389.800016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[39389.800016] task: ffff880175b1ca40 ti: ffff8800a185c000 task.ti: ffff8800a185c000
[39389.800016] RIP: 0010:[&lt;ffffffff810902af&gt;]  [&lt;ffffffff810902af&gt;] queued_spin_lock_slowpath+0x57/0x158
[39389.800016] RSP: 0018:ffff8800a185fb80  EFLAGS: 00000202
[39389.800016] RAX: 0000000000000101 RBX: ffff8801710c4e9c RCX: 0000000000000101
[39389.800016] RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000001
[39389.800016] RBP: ffff8800a185fb98 R08: 0000000000000001 R09: 0000000000000000
[39389.800016] R10: ffff8800a185fb68 R11: 6db6db6db6db6db7 R12: ffff8801710c4e98
[39389.800016] R13: ffff880175b1ca40 R14: ffff8800a185fc10 R15: ffff880175b1ca40
[39389.800016] FS:  00007f6d37fff700(0000) GS:ffff8802be9c0000(0000) knlGS:0000000000000000
[39389.800016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[39389.800016] CR2: 00007f6d300019b8 CR3: 0000000037c93000 CR4: 00000000001406e0
[39389.800016] Stack:
[39389.800016]  ffff8801710c4e98 ffff8801710c4e98 ffff880175b1ca40 ffff8800a185fbb0
[39389.800016]  ffffffff81091e11 ffff8801710c4e98 ffff8800a185fbc8 ffffffff81091895
[39389.800016]  ffff8801710c4e98 ffff8800a185fbe8 ffffffff81486c5c ffffffffa067288c
[39389.800016] Call Trace:
[39389.800016]  [&lt;ffffffff81091e11&gt;] queued_read_lock_slowpath+0x46/0x60
[39389.800016]  [&lt;ffffffff81091895&gt;] do_raw_read_lock+0x3e/0x41
[39389.800016]  [&lt;ffffffff81486c5c&gt;] _raw_read_lock+0x3d/0x44
[39389.800016]  [&lt;ffffffffa067288c&gt;] ? btrfs_tree_read_lock+0x54/0x125 [btrfs]
[39389.800016]  [&lt;ffffffffa067288c&gt;] btrfs_tree_read_lock+0x54/0x125 [btrfs]
[39389.800016]  [&lt;ffffffffa0622ced&gt;] ? btrfs_find_item+0xa7/0xd2 [btrfs]
[39389.800016]  [&lt;ffffffffa069363f&gt;] btrfs_ref_to_path+0xd6/0x174 [btrfs]
[39389.800016]  [&lt;ffffffffa0693730&gt;] inode_to_path+0x53/0xa2 [btrfs]
[39389.800016]  [&lt;ffffffffa0693e2e&gt;] paths_from_inode+0x117/0x2ec [btrfs]
[39389.800016]  [&lt;ffffffffa0670cff&gt;] btrfs_ioctl+0xd5b/0x2793 [btrfs]
[39389.800016]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800016]  [&lt;ffffffff81276727&gt;] ? __this_cpu_preempt_check+0x13/0x15
[39389.800016]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800016]  [&lt;ffffffff8118b3d4&gt;] ? rcu_read_unlock+0x3e/0x5d
[39389.800016]  [&lt;ffffffff811822f8&gt;] do_vfs_ioctl+0x42b/0x4ea
[39389.800016]  [&lt;ffffffff8118b4f3&gt;] ? __fget_light+0x62/0x71
[39389.800016]  [&lt;ffffffff8118240e&gt;] SyS_ioctl+0x57/0x79
[39389.800016]  [&lt;ffffffff814872d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
[39389.800016] Code: b9 01 01 00 00 f7 c6 00 ff ff ff 75 32 83 fe 01 89 ca 89 f0 0f 45 d7 f0 0f b1 13 39 f0 74 04 89 c6 eb e2 ff ca 0f 84 fa 00 00 00 &lt;8b&gt; 03 84 c0 74 04 f3 90 eb f6 66 c7 03 01 00 e9 e6 00 00 00 e8
[39389.800012] Modules linked in: btrfs dm_mod ppdev xor sha256_generic hmac raid6_pq drbg ansi_cprng aesni_intel i2c_piix4 acpi_cpufreq aes_x86_64 ablk_helper tpm_tis parport_pc i2c_core sg cryptd evdev psmouse lrw tpm parport gf128mul serio_raw pcspkr glue_helper processor button loop autofs4 ext4 crc16 mbcache jbd2 sd_mod sr_mod cdrom ata_generic virtio_scsi ata_piix libata virtio_pci virtio_ring crc32c_intel scsi_mod e1000 virtio floppy [last unloaded: btrfs]
[39389.800012] irq event stamp: 0
[39389.800012] hardirqs last  enabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800012] hardirqs last disabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800012] softirqs last  enabled at (0): [&lt;ffffffff8104e58d&gt;] copy_process+0x638/0x1a35
[39389.800012] softirqs last disabled at (0): [&lt;          (null)&gt;]           (null)
[39389.800012] CPU: 15 PID: 32166 Comm: fdm-stress Tainted: G             L  4.4.0-rc6-btrfs-next-18+ #1
[39389.800012] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS by qemu-project.org 04/01/2014
[39389.800012] task: ffff880179294380 ti: ffff880034a60000 task.ti: ffff880034a60000
[39389.800012] RIP: 0010:[&lt;ffffffff81091e8d&gt;]  [&lt;ffffffff81091e8d&gt;] queued_write_lock_slowpath+0x62/0x72
[39389.800012] RSP: 0018:ffff880034a639f0  EFLAGS: 00000206
[39389.800012] RAX: 0000000000000101 RBX: ffff8801710c4e98 RCX: 0000000000000000
[39389.800012] RDX: 00000000000000ff RSI: 0000000000000000 RDI: ffff8801710c4e9c
[39389.800012] RBP: ffff880034a639f8 R08: 0000000000000001 R09: 0000000000000000
[39389.800012] R10: ffff880034a639b0 R11: 0000000000001000 R12: ffff8801710c4e98
[39389.800012] R13: 0000000000000001 R14: ffff880172cbc000 R15: ffff8801710c4e00
[39389.800012] FS:  00007f6d377fe700(0000) GS:ffff8802be9e0000(0000) knlGS:0000000000000000
[39389.800012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[39389.800012] CR2: 00007f6d3d3c1000 CR3: 0000000037c93000 CR4: 00000000001406e0
[39389.800012] Stack:
[39389.800012]  ffff8801710c4e98 ffff880034a63a10 ffffffff81091963 ffff8801710c4e98
[39389.800012]  ffff880034a63a30 ffffffff81486f1b ffffffffa0672cb3 ffff8801710c4e00
[39389.800012]  ffff880034a63a78 ffffffffa0672cb3 ffff8801710c4e00 ffff880034a63a58
[39389.800012] Call Trace:
[39389.800012]  [&lt;ffffffff81091963&gt;] do_raw_write_lock+0x72/0x8c
[39389.800012]  [&lt;ffffffff81486f1b&gt;] _raw_write_lock+0x3a/0x41
[39389.800012]  [&lt;ffffffffa0672cb3&gt;] ? btrfs_tree_lock+0x119/0x251 [btrfs]
[39389.800012]  [&lt;ffffffffa0672cb3&gt;] btrfs_tree_lock+0x119/0x251 [btrfs]
[39389.800012]  [&lt;ffffffffa061aeba&gt;] ? rcu_read_unlock+0x5b/0x5d [btrfs]
[39389.800012]  [&lt;ffffffffa061ce13&gt;] ? btrfs_root_node+0xda/0xe6 [btrfs]
[39389.800012]  [&lt;ffffffffa061ce83&gt;] btrfs_lock_root_node+0x22/0x42 [btrfs]
[39389.800012]  [&lt;ffffffffa062046b&gt;] btrfs_search_slot+0x1b8/0x758 [btrfs]
[39389.800012]  [&lt;ffffffff810fc6b0&gt;] ? time_hardirqs_on+0x15/0x28
[39389.800012]  [&lt;ffffffffa06365db&gt;] btrfs_lookup_inode+0x31/0x95 [btrfs]
[39389.800012]  [&lt;ffffffff8108d62f&gt;] ? trace_hardirqs_on+0xd/0xf
[39389.800012]  [&lt;ffffffff8148482b&gt;] ? mutex_lock_nested+0x397/0x3bc
[39389.800012]  [&lt;ffffffffa068821b&gt;] __btrfs_update_delayed_inode+0x59/0x1c0 [btrfs]
[39389.800012]  [&lt;ffffffffa068858e&gt;] __btrfs_commit_inode_delayed_items+0x194/0x5aa [btrfs]
[39389.800012]  [&lt;ffffffff81486ab7&gt;] ? _raw_spin_unlock+0x31/0x44
[39389.800012]  [&lt;ffffffffa0688a48&gt;] __btrfs_run_delayed_items+0xa4/0x15c [btrfs]
[39389.800012]  [&lt;ffffffffa0688d62&gt;] btrfs_run_delayed_items+0x11/0x13 [btrfs]
[39389.800012]  [&lt;ffffffffa064048e&gt;] btrfs_commit_transaction+0x234/0x96e [btrfs]
[39389.800012]  [&lt;ffffffffa0618d10&gt;] btrfs_sync_fs+0x145/0x1ad [btrfs]
[39389.800012]  [&lt;ffffffffa0671176&gt;] btrfs_ioctl+0x11d2/0x2793 [btrfs]
[39389.800012]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800012]  [&lt;ffffffff81140261&gt;] ? __might_fault+0x4c/0xa7
[39389.800012]  [&lt;ffffffff81140261&gt;] ? __might_fault+0x4c/0xa7
[39389.800012]  [&lt;ffffffff8108a8b0&gt;] ? arch_local_irq_save+0x9/0xc
[39389.800012]  [&lt;ffffffff8118b3d4&gt;] ? rcu_read_unlock+0x3e/0x5d
[39389.800012]  [&lt;ffffffff811822f8&gt;] do_vfs_ioctl+0x42b/0x4ea
[39389.800012]  [&lt;ffffffff8118b4f3&gt;] ? __fget_light+0x62/0x71
[39389.800012]  [&lt;ffffffff8118240e&gt;] SyS_ioctl+0x57/0x79
[39389.800012]  [&lt;ffffffff814872d7&gt;] entry_SYSCALL_64_fastpath+0x12/0x6f
[39389.800012] Code: f0 0f b1 13 85 c0 75 ef eb 2a f3 90 8a 03 84 c0 75 f8 f0 0f b0 13 84 c0 75 f0 ba ff 00 00 00 eb 0a f0 0f b1 13 ff c8 74 0b f3 90 &lt;8b&gt; 03 83 f8 01 75 f7 eb ed c6 43 04 00 5b 5d c3 0f 1f 44 00 00

This happens because in the code path executed by the inode_paths ioctl we
end up nesting two calls to read lock a leaf's rwlock when after the first
call to read_lock() and before the second call to read_lock(), another
task (running the delayed items as part of a transaction commit) has
already called write_lock() against the leaf's rwlock. This situation is
illustrated by the following diagram:

         Task A                       Task B

  btrfs_ref_to_path()               btrfs_commit_transaction()
    read_lock(&amp;eb-&gt;lock);

                                      btrfs_run_delayed_items()
                                        __btrfs_commit_inode_delayed_items()
                                          __btrfs_update_delayed_inode()
                                            btrfs_lookup_inode()

                                              write_lock(&amp;eb-&gt;lock);
                                                --&gt; task waits for lock

    read_lock(&amp;eb-&gt;lock);
    --&gt; makes this task hang
        forever (and task B too
	of course)

So fix this by avoiding doing the nested read lock, which is easily
avoidable. This issue does not happen if task B calls write_lock() after
task A does the second call to read_lock(), however there does not seem
to exist anything in the documentation that mentions what is the expected
behaviour for recursive locking of rwlocks (leaving the idea that doing
so is not a good usage of rwlocks).

Also, as a side effect necessary for this fix, make sure we do not
needlessly read lock extent buffers when the input path has skip_locking
set (used when called from send).

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: properly set the termination value of ctx-&gt;pos in readdir</title>
<updated>2016-02-25T19:58:52+00:00</updated>
<author>
<name>David Sterba</name>
<email>dsterba@suse.com</email>
</author>
<published>2015-11-13T12:44:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2519d8ef595ef42b258c407a5139e107a780fcc2'/>
<id>2519d8ef595ef42b258c407a5139e107a780fcc2</id>
<content type='text'>
commit bc4ef7592f657ae81b017207a1098817126ad4cb upstream.

The value of ctx-&gt;pos in the last readdir call is supposed to be set to
INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
larger value, then it's LLONG_MAX.

There's a report from PaX SIZE_OVERFLOW plugin that "ctx-&gt;pos++"
overflows (https://forums.grsecurity.net/viewtopic.php?f=1&amp;t=4284), on a
64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
the increment.

We can get to that situation like that:

* emit all regular readdir entries
* still in the same call to readdir, bump the last pos to INT_MAX
* next call to readdir will not emit any entries, but will reach the
  bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX

Normally this is not a problem, but if we call readdir again, we'll find
'pos' set to LLONG_MAX and the unconditional increment will overflow.

The report from Victor at
(http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
print shows that pattern:

 Overflow: e
 Overflow: 7fffffff
 Overflow: 7fffffffffffffff
 PAX: size overflow detected in function btrfs_real_readdir
   fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
   context: dir_context;
 CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
 Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
  ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
  ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
  ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
 Call Trace:
  [&lt;ffffffff81742f0f&gt;] dump_stack+0x4c/0x7f
  [&lt;ffffffff811cb706&gt;] report_size_overflow+0x36/0x40
  [&lt;ffffffff812ef0bc&gt;] btrfs_real_readdir+0x69c/0x6d0
  [&lt;ffffffff811dafc8&gt;] iterate_dir+0xa8/0x150
  [&lt;ffffffff811e6d8d&gt;] ? __fget_light+0x2d/0x70
  [&lt;ffffffff811dba3a&gt;] SyS_getdents+0xba/0x1c0
 Overflow: 1a
  [&lt;ffffffff811db070&gt;] ? iterate_dir+0x150/0x150
  [&lt;ffffffff81749b69&gt;] entry_SYSCALL_64_fastpath+0x12/0x83

The jump from 7fffffff to 7fffffffffffffff happens when new dir entries
are not yet synced and are processed from the delayed list. Then the code
could go to the bump section again even though it might not emit any new
dir entries from the delayed list.

The fix avoids entering the "bump" section again once we've finished
emitting the entries, both for synced and delayed entries.

References: https://forums.grsecurity.net/viewtopic.php?f=1&amp;t=4284
Reported-by: Victor &lt;services@swwu.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Tested-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bc4ef7592f657ae81b017207a1098817126ad4cb upstream.

The value of ctx-&gt;pos in the last readdir call is supposed to be set to
INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
larger value, then it's LLONG_MAX.

There's a report from PaX SIZE_OVERFLOW plugin that "ctx-&gt;pos++"
overflows (https://forums.grsecurity.net/viewtopic.php?f=1&amp;t=4284), on a
64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
the increment.

We can get to that situation like that:

* emit all regular readdir entries
* still in the same call to readdir, bump the last pos to INT_MAX
* next call to readdir will not emit any entries, but will reach the
  bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX

Normally this is not a problem, but if we call readdir again, we'll find
'pos' set to LLONG_MAX and the unconditional increment will overflow.

The report from Victor at
(http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
print shows that pattern:

 Overflow: e
 Overflow: 7fffffff
 Overflow: 7fffffffffffffff
 PAX: size overflow detected in function btrfs_real_readdir
   fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
   context: dir_context;
 CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
 Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
  ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
  ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
  ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
 Call Trace:
  [&lt;ffffffff81742f0f&gt;] dump_stack+0x4c/0x7f
  [&lt;ffffffff811cb706&gt;] report_size_overflow+0x36/0x40
  [&lt;ffffffff812ef0bc&gt;] btrfs_real_readdir+0x69c/0x6d0
  [&lt;ffffffff811dafc8&gt;] iterate_dir+0xa8/0x150
  [&lt;ffffffff811e6d8d&gt;] ? __fget_light+0x2d/0x70
  [&lt;ffffffff811dba3a&gt;] SyS_getdents+0xba/0x1c0
 Overflow: 1a
  [&lt;ffffffff811db070&gt;] ? iterate_dir+0x150/0x150
  [&lt;ffffffff81749b69&gt;] entry_SYSCALL_64_fastpath+0x12/0x83

The jump from 7fffffff to 7fffffffffffffff happens when new dir entries
are not yet synced and are processed from the delayed list. Then the code
could go to the bump section again even though it might not emit any new
dir entries from the delayed list.

The fix avoids entering the "bump" section again once we've finished
emitting the entries, both for synced and delayed entries.

References: https://forums.grsecurity.net/viewtopic.php?f=1&amp;t=4284
Reported-by: Victor &lt;services@swwu.com&gt;
Signed-off-by: David Sterba &lt;dsterba@suse.com&gt;
Tested-by: Holger Hoffstätte &lt;holger.hoffstaette@googlemail.com&gt;
Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow</title>
<updated>2016-01-23T04:34:50+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2015-11-09T00:33:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=389e0b9bbb64969281951ea5a1383448babac2b0'/>
<id>389e0b9bbb64969281951ea5a1383448babac2b0</id>
<content type='text'>
commit 1d512cb77bdbda80f0dd0620a3b260d697fd581d upstream.

If we are using the NO_HOLES feature, we have a tiny time window when
running delalloc for a nodatacow inode where we can race with a concurrent
link or xattr add operation leading to a BUG_ON.

This happens because at run_delalloc_nocow() we end up casting a leaf item
of type BTRFS_INODE_[REF|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a
file extent item (struct btrfs_file_extent_item) and then analyse its
extent type field, which won't match any of the expected extent types
(values BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]) and therefore trigger an
explicit BUG_ON(1).

The following sequence diagram shows how the race happens when running a
no-cow dellaloc range [4K, 8K[ for inode 257 and we have the following
neighbour leafs:

             Leaf X (has N items)                    Leaf Y

 [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
              slot N - 2         slot N - 1              slot 0

 (Note the implicit hole for inode 257 regarding the [0, 8K[ range)

       CPU 1                                         CPU 2

 run_dealloc_nocow()
   btrfs_lookup_file_extent()
     --&gt; searches for a key with value
         (257 EXTENT_DATA 4096) in the
         fs/subvol tree
     --&gt; returns us a path with
         path-&gt;nodes[0] == leaf X and
         path-&gt;slots[0] == N

   because path-&gt;slots[0] is &gt;=
   btrfs_header_nritems(leaf X), it
   calls btrfs_next_leaf()

   btrfs_next_leaf()
     --&gt; releases the path

                                              hard link added to our inode,
                                              with key (257 INODE_REF 500)
                                              added to the end of leaf X,
                                              so leaf X now has N + 1 keys

     --&gt; searches for the key
         (257 INODE_REF 256), because
         it was the last key in leaf X
         before it released the path,
         with path-&gt;keep_locks set to 1

     --&gt; ends up at leaf X again and
         it verifies that the key
         (257 INODE_REF 256) is no longer
         the last key in the leaf, so it
         returns with path-&gt;nodes[0] ==
         leaf X and path-&gt;slots[0] == N,
         pointing to the new item with
         key (257 INODE_REF 500)

   the loop iteration of run_dealloc_nocow()
   does not break out the loop and continues
   because the key referenced in the path
   at path-&gt;nodes[0] and path-&gt;slots[0] is
   for inode 257, its type is &lt; BTRFS_EXTENT_DATA_KEY
   and its offset (500) is less then our delalloc
   range's end (8192)

   the item pointed by the path, an inode reference item,
   is (incorrectly) interpreted as a file extent item and
   we get an invalid extent type, leading to the BUG_ON(1):

   if (extent_type == BTRFS_FILE_EXTENT_REG ||
      extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
       (...)
   } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
       (...)
   } else {
       BUG_ON(1)
   }

The same can happen if a xattr is added concurrently and ends up having
a key with an offset smaller then the delalloc's range end.

So fix this by skipping keys with a type smaller than
BTRFS_EXTENT_DATA_KEY.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1d512cb77bdbda80f0dd0620a3b260d697fd581d upstream.

If we are using the NO_HOLES feature, we have a tiny time window when
running delalloc for a nodatacow inode where we can race with a concurrent
link or xattr add operation leading to a BUG_ON.

This happens because at run_delalloc_nocow() we end up casting a leaf item
of type BTRFS_INODE_[REF|EXTREF]_KEY or of type BTRFS_XATTR_ITEM_KEY to a
file extent item (struct btrfs_file_extent_item) and then analyse its
extent type field, which won't match any of the expected extent types
(values BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]) and therefore trigger an
explicit BUG_ON(1).

The following sequence diagram shows how the race happens when running a
no-cow dellaloc range [4K, 8K[ for inode 257 and we have the following
neighbour leafs:

             Leaf X (has N items)                    Leaf Y

 [ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
              slot N - 2         slot N - 1              slot 0

 (Note the implicit hole for inode 257 regarding the [0, 8K[ range)

       CPU 1                                         CPU 2

 run_dealloc_nocow()
   btrfs_lookup_file_extent()
     --&gt; searches for a key with value
         (257 EXTENT_DATA 4096) in the
         fs/subvol tree
     --&gt; returns us a path with
         path-&gt;nodes[0] == leaf X and
         path-&gt;slots[0] == N

   because path-&gt;slots[0] is &gt;=
   btrfs_header_nritems(leaf X), it
   calls btrfs_next_leaf()

   btrfs_next_leaf()
     --&gt; releases the path

                                              hard link added to our inode,
                                              with key (257 INODE_REF 500)
                                              added to the end of leaf X,
                                              so leaf X now has N + 1 keys

     --&gt; searches for the key
         (257 INODE_REF 256), because
         it was the last key in leaf X
         before it released the path,
         with path-&gt;keep_locks set to 1

     --&gt; ends up at leaf X again and
         it verifies that the key
         (257 INODE_REF 256) is no longer
         the last key in the leaf, so it
         returns with path-&gt;nodes[0] ==
         leaf X and path-&gt;slots[0] == N,
         pointing to the new item with
         key (257 INODE_REF 500)

   the loop iteration of run_dealloc_nocow()
   does not break out the loop and continues
   because the key referenced in the path
   at path-&gt;nodes[0] and path-&gt;slots[0] is
   for inode 257, its type is &lt; BTRFS_EXTENT_DATA_KEY
   and its offset (500) is less then our delalloc
   range's end (8192)

   the item pointed by the path, an inode reference item,
   is (incorrectly) interpreted as a file extent item and
   we get an invalid extent type, leading to the BUG_ON(1):

   if (extent_type == BTRFS_FILE_EXTENT_REG ||
      extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
       (...)
   } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
       (...)
   } else {
       BUG_ON(1)
   }

The same can happen if a xattr is added concurrently and ends up having
a key with an offset smaller then the delalloc's range end.

So fix this by skipping keys with a type smaller than
BTRFS_EXTENT_DATA_KEY.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Btrfs: fix race leading to incorrect item deletion when dropping extents</title>
<updated>2016-01-23T04:34:50+00:00</updated>
<author>
<name>Filipe Manana</name>
<email>fdmanana@suse.com</email>
</author>
<published>2015-11-06T13:33:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=de4306a7e44ef04d877c681ab69e1ab2d0bc1397'/>
<id>de4306a7e44ef04d877c681ab69e1ab2d0bc1397</id>
<content type='text'>
commit aeafbf8486c9e2bd53f5cc3c10c0b7fd7149d69c upstream.

While running a stress test I got the following warning triggered:

  [191627.672810] ------------[ cut here ]------------
  [191627.673949] WARNING: CPU: 8 PID: 8447 at fs/btrfs/file.c:779 __btrfs_drop_extents+0x391/0xa50 [btrfs]()
  (...)
  [191627.701485] Call Trace:
  [191627.702037]  [&lt;ffffffff8145f077&gt;] dump_stack+0x4f/0x7b
  [191627.702992]  [&lt;ffffffff81095de5&gt;] ? console_unlock+0x356/0x3a2
  [191627.704091]  [&lt;ffffffff8104b3b0&gt;] warn_slowpath_common+0xa1/0xbb
  [191627.705380]  [&lt;ffffffffa0664499&gt;] ? __btrfs_drop_extents+0x391/0xa50 [btrfs]
  [191627.706637]  [&lt;ffffffff8104b46d&gt;] warn_slowpath_null+0x1a/0x1c
  [191627.707789]  [&lt;ffffffffa0664499&gt;] __btrfs_drop_extents+0x391/0xa50 [btrfs]
  [191627.709155]  [&lt;ffffffff8115663c&gt;] ? cache_alloc_debugcheck_after.isra.32+0x171/0x1d0
  [191627.712444]  [&lt;ffffffff81155007&gt;] ? kmemleak_alloc_recursive.constprop.40+0x16/0x18
  [191627.714162]  [&lt;ffffffffa06570c9&gt;] insert_reserved_file_extent.constprop.40+0x83/0x24e [btrfs]
  [191627.715887]  [&lt;ffffffffa065422b&gt;] ? start_transaction+0x3bb/0x610 [btrfs]
  [191627.717287]  [&lt;ffffffffa065b604&gt;] btrfs_finish_ordered_io+0x273/0x4e2 [btrfs]
  [191627.728865]  [&lt;ffffffffa065b888&gt;] finish_ordered_fn+0x15/0x17 [btrfs]
  [191627.730045]  [&lt;ffffffffa067d688&gt;] normal_work_helper+0x14c/0x32c [btrfs]
  [191627.731256]  [&lt;ffffffffa067d96a&gt;] btrfs_endio_write_helper+0x12/0x14 [btrfs]
  [191627.732661]  [&lt;ffffffff81061119&gt;] process_one_work+0x24c/0x4ae
  [191627.733822]  [&lt;ffffffff810615b0&gt;] worker_thread+0x206/0x2c2
  [191627.734857]  [&lt;ffffffff810613aa&gt;] ? process_scheduled_works+0x2f/0x2f
  [191627.736052]  [&lt;ffffffff810613aa&gt;] ? process_scheduled_works+0x2f/0x2f
  [191627.737349]  [&lt;ffffffff810669a6&gt;] kthread+0xef/0xf7
  [191627.738267]  [&lt;ffffffff810f3b3a&gt;] ? time_hardirqs_on+0x15/0x28
  [191627.739330]  [&lt;ffffffff810668b7&gt;] ? __kthread_parkme+0xad/0xad
  [191627.741976]  [&lt;ffffffff81465592&gt;] ret_from_fork+0x42/0x70
  [191627.743080]  [&lt;ffffffff810668b7&gt;] ? __kthread_parkme+0xad/0xad
  [191627.744206] ---[ end trace bbfddacb7aaada8d ]---

  $ cat -n fs/btrfs/file.c
  691  int __btrfs_drop_extents(struct btrfs_trans_handle *trans,
  (...)
  758                  btrfs_item_key_to_cpu(leaf, &amp;key, path-&gt;slots[0]);
  759                  if (key.objectid &gt; ino ||
  760                      key.type &gt; BTRFS_EXTENT_DATA_KEY || key.offset &gt;= end)
  761                          break;
  762
  763                  fi = btrfs_item_ptr(leaf, path-&gt;slots[0],
  764                                      struct btrfs_file_extent_item);
  765                  extent_type = btrfs_file_extent_type(leaf, fi);
  766
  767                  if (extent_type == BTRFS_FILE_EXTENT_REG ||
  768                      extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
  (...)
  774                  } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
  (...)
  778                  } else {
  779                          WARN_ON(1);
  780                          extent_end = search_start;
  781                  }
  (...)

This happened because the item we were processing did not match a file
extent item (its key type != BTRFS_EXTENT_DATA_KEY), and even on this
case we cast the item to a struct btrfs_file_extent_item pointer and
then find a type field value that does not match any of the expected
values (BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]). This scenario happens
due to a tiny time window where a race can happen as exemplified below.
For example, consider the following scenario where we're using the
NO_HOLES feature and we have the following two neighbour leafs:

               Leaf X (has N items)                    Leaf Y

[ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
          slot N - 2         slot N - 1              slot 0

Our inode 257 has an implicit hole in the range [0, 8K[ (implicit rather
than explicit because NO_HOLES is enabled). Now if our inode has an
ordered extent for the range [4K, 8K[ that is finishing, the following
can happen:

          CPU 1                                       CPU 2

  btrfs_finish_ordered_io()
    insert_reserved_file_extent()
      __btrfs_drop_extents()
         Searches for the key
          (257 EXTENT_DATA 4096) through
          btrfs_lookup_file_extent()

         Key not found and we get a path where
         path-&gt;nodes[0] == leaf X and
         path-&gt;slots[0] == N

         Because path-&gt;slots[0] is &gt;=
         btrfs_header_nritems(leaf X), we call
         btrfs_next_leaf()

         btrfs_next_leaf() releases the path

                                                  inserts key
                                                  (257 INODE_REF 4096)
                                                  at the end of leaf X,
                                                  leaf X now has N + 1 keys,
                                                  and the new key is at
                                                  slot N

         btrfs_next_leaf() searches for
         key (257 INODE_REF 256), with
         path-&gt;keep_locks set to 1,
         because it was the last key it
         saw in leaf X

           finds it in leaf X again and
           notices it's no longer the last
           key of the leaf, so it returns 0
           with path-&gt;nodes[0] == leaf X and
           path-&gt;slots[0] == N (which is now
           &lt; btrfs_header_nritems(leaf X)),
           pointing to the new key
           (257 INODE_REF 4096)

         __btrfs_drop_extents() casts the
         item at path-&gt;nodes[0], slot
         path-&gt;slots[0], to a struct
         btrfs_file_extent_item - it does
         not skip keys for the target
         inode with a type less than
         BTRFS_EXTENT_DATA_KEY
         (BTRFS_INODE_REF_KEY &lt; BTRFS_EXTENT_DATA_KEY)

         sees a bogus value for the type
         field triggering the WARN_ON in
         the trace shown above, and sets
         extent_end = search_start (4096)

         does the if-then-else logic to
         fixup 0 length extent items created
         by a past bug from hole punching:

           if (extent_end == key.offset &amp;&amp;
               extent_end &gt;= search_start)
               goto delete_extent_item;

         that evaluates to true and it ends
         up deleting the key pointed to by
         path-&gt;slots[0], (257 INODE_REF 4096),
         from leaf X

The same could happen for example for a xattr that ends up having a key
with an offset value that matches search_start (very unlikely but not
impossible).

So fix this by ensuring that keys smaller than BTRFS_EXTENT_DATA_KEY are
skipped, never casted to struct btrfs_file_extent_item and never deleted
by accident. Also protect against the unexpected case of getting a key
for a lower inode number by skipping that key and issuing a warning.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit aeafbf8486c9e2bd53f5cc3c10c0b7fd7149d69c upstream.

While running a stress test I got the following warning triggered:

  [191627.672810] ------------[ cut here ]------------
  [191627.673949] WARNING: CPU: 8 PID: 8447 at fs/btrfs/file.c:779 __btrfs_drop_extents+0x391/0xa50 [btrfs]()
  (...)
  [191627.701485] Call Trace:
  [191627.702037]  [&lt;ffffffff8145f077&gt;] dump_stack+0x4f/0x7b
  [191627.702992]  [&lt;ffffffff81095de5&gt;] ? console_unlock+0x356/0x3a2
  [191627.704091]  [&lt;ffffffff8104b3b0&gt;] warn_slowpath_common+0xa1/0xbb
  [191627.705380]  [&lt;ffffffffa0664499&gt;] ? __btrfs_drop_extents+0x391/0xa50 [btrfs]
  [191627.706637]  [&lt;ffffffff8104b46d&gt;] warn_slowpath_null+0x1a/0x1c
  [191627.707789]  [&lt;ffffffffa0664499&gt;] __btrfs_drop_extents+0x391/0xa50 [btrfs]
  [191627.709155]  [&lt;ffffffff8115663c&gt;] ? cache_alloc_debugcheck_after.isra.32+0x171/0x1d0
  [191627.712444]  [&lt;ffffffff81155007&gt;] ? kmemleak_alloc_recursive.constprop.40+0x16/0x18
  [191627.714162]  [&lt;ffffffffa06570c9&gt;] insert_reserved_file_extent.constprop.40+0x83/0x24e [btrfs]
  [191627.715887]  [&lt;ffffffffa065422b&gt;] ? start_transaction+0x3bb/0x610 [btrfs]
  [191627.717287]  [&lt;ffffffffa065b604&gt;] btrfs_finish_ordered_io+0x273/0x4e2 [btrfs]
  [191627.728865]  [&lt;ffffffffa065b888&gt;] finish_ordered_fn+0x15/0x17 [btrfs]
  [191627.730045]  [&lt;ffffffffa067d688&gt;] normal_work_helper+0x14c/0x32c [btrfs]
  [191627.731256]  [&lt;ffffffffa067d96a&gt;] btrfs_endio_write_helper+0x12/0x14 [btrfs]
  [191627.732661]  [&lt;ffffffff81061119&gt;] process_one_work+0x24c/0x4ae
  [191627.733822]  [&lt;ffffffff810615b0&gt;] worker_thread+0x206/0x2c2
  [191627.734857]  [&lt;ffffffff810613aa&gt;] ? process_scheduled_works+0x2f/0x2f
  [191627.736052]  [&lt;ffffffff810613aa&gt;] ? process_scheduled_works+0x2f/0x2f
  [191627.737349]  [&lt;ffffffff810669a6&gt;] kthread+0xef/0xf7
  [191627.738267]  [&lt;ffffffff810f3b3a&gt;] ? time_hardirqs_on+0x15/0x28
  [191627.739330]  [&lt;ffffffff810668b7&gt;] ? __kthread_parkme+0xad/0xad
  [191627.741976]  [&lt;ffffffff81465592&gt;] ret_from_fork+0x42/0x70
  [191627.743080]  [&lt;ffffffff810668b7&gt;] ? __kthread_parkme+0xad/0xad
  [191627.744206] ---[ end trace bbfddacb7aaada8d ]---

  $ cat -n fs/btrfs/file.c
  691  int __btrfs_drop_extents(struct btrfs_trans_handle *trans,
  (...)
  758                  btrfs_item_key_to_cpu(leaf, &amp;key, path-&gt;slots[0]);
  759                  if (key.objectid &gt; ino ||
  760                      key.type &gt; BTRFS_EXTENT_DATA_KEY || key.offset &gt;= end)
  761                          break;
  762
  763                  fi = btrfs_item_ptr(leaf, path-&gt;slots[0],
  764                                      struct btrfs_file_extent_item);
  765                  extent_type = btrfs_file_extent_type(leaf, fi);
  766
  767                  if (extent_type == BTRFS_FILE_EXTENT_REG ||
  768                      extent_type == BTRFS_FILE_EXTENT_PREALLOC) {
  (...)
  774                  } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
  (...)
  778                  } else {
  779                          WARN_ON(1);
  780                          extent_end = search_start;
  781                  }
  (...)

This happened because the item we were processing did not match a file
extent item (its key type != BTRFS_EXTENT_DATA_KEY), and even on this
case we cast the item to a struct btrfs_file_extent_item pointer and
then find a type field value that does not match any of the expected
values (BTRFS_FILE_EXTENT_[REG|PREALLOC|INLINE]). This scenario happens
due to a tiny time window where a race can happen as exemplified below.
For example, consider the following scenario where we're using the
NO_HOLES feature and we have the following two neighbour leafs:

               Leaf X (has N items)                    Leaf Y

[ ... (257 INODE_ITEM 0) (257 INODE_REF 256) ]  [ (257 EXTENT_DATA 8192), ... ]
          slot N - 2         slot N - 1              slot 0

Our inode 257 has an implicit hole in the range [0, 8K[ (implicit rather
than explicit because NO_HOLES is enabled). Now if our inode has an
ordered extent for the range [4K, 8K[ that is finishing, the following
can happen:

          CPU 1                                       CPU 2

  btrfs_finish_ordered_io()
    insert_reserved_file_extent()
      __btrfs_drop_extents()
         Searches for the key
          (257 EXTENT_DATA 4096) through
          btrfs_lookup_file_extent()

         Key not found and we get a path where
         path-&gt;nodes[0] == leaf X and
         path-&gt;slots[0] == N

         Because path-&gt;slots[0] is &gt;=
         btrfs_header_nritems(leaf X), we call
         btrfs_next_leaf()

         btrfs_next_leaf() releases the path

                                                  inserts key
                                                  (257 INODE_REF 4096)
                                                  at the end of leaf X,
                                                  leaf X now has N + 1 keys,
                                                  and the new key is at
                                                  slot N

         btrfs_next_leaf() searches for
         key (257 INODE_REF 256), with
         path-&gt;keep_locks set to 1,
         because it was the last key it
         saw in leaf X

           finds it in leaf X again and
           notices it's no longer the last
           key of the leaf, so it returns 0
           with path-&gt;nodes[0] == leaf X and
           path-&gt;slots[0] == N (which is now
           &lt; btrfs_header_nritems(leaf X)),
           pointing to the new key
           (257 INODE_REF 4096)

         __btrfs_drop_extents() casts the
         item at path-&gt;nodes[0], slot
         path-&gt;slots[0], to a struct
         btrfs_file_extent_item - it does
         not skip keys for the target
         inode with a type less than
         BTRFS_EXTENT_DATA_KEY
         (BTRFS_INODE_REF_KEY &lt; BTRFS_EXTENT_DATA_KEY)

         sees a bogus value for the type
         field triggering the WARN_ON in
         the trace shown above, and sets
         extent_end = search_start (4096)

         does the if-then-else logic to
         fixup 0 length extent items created
         by a past bug from hole punching:

           if (extent_end == key.offset &amp;&amp;
               extent_end &gt;= search_start)
               goto delete_extent_item;

         that evaluates to true and it ends
         up deleting the key pointed to by
         path-&gt;slots[0], (257 INODE_REF 4096),
         from leaf X

The same could happen for example for a xattr that ends up having a key
with an offset value that matches search_start (very unlikely but not
impossible).

So fix this by ensuring that keys smaller than BTRFS_EXTENT_DATA_KEY are
skipped, never casted to struct btrfs_file_extent_item and never deleted
by accident. Also protect against the unexpected case of getting a key
for a lower inode number by skipping that key and issuing a warning.

Signed-off-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>btrfs: fix use after free iterating extrefs</title>
<updated>2015-10-27T00:45:56+00:00</updated>
<author>
<name>Chris Mason</name>
<email>clm@fb.com</email>
</author>
<published>2015-10-13T18:06:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=997badf1e03dfd39854094f7767e1a4cf5ed310b'/>
<id>997badf1e03dfd39854094f7767e1a4cf5ed310b</id>
<content type='text'>
commit dc6c5fb3b514221f2e9d21ee626a9d95d3418dff upstream.

The code for btrfs inode-resolve has never worked properly for
files with enough hard links to trigger extrefs.  It was trying to
get the leaf out of a path after freeing the path:

	btrfs_release_path(path);
	leaf = path-&gt;nodes[0];
	item_size = btrfs_item_size_nr(leaf, slot);

The fix here is to use the extent buffer we cloned just a little higher
up to avoid deadlocks caused by using the leaf in the path.

Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Reviewed-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Reviewed-by: Mark Fasheh &lt;mfasheh@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dc6c5fb3b514221f2e9d21ee626a9d95d3418dff upstream.

The code for btrfs inode-resolve has never worked properly for
files with enough hard links to trigger extrefs.  It was trying to
get the leaf out of a path after freeing the path:

	btrfs_release_path(path);
	leaf = path-&gt;nodes[0];
	item_size = btrfs_item_size_nr(leaf, slot);

The fix here is to use the extent buffer we cloned just a little higher
up to avoid deadlocks caused by using the leaf in the path.

Signed-off-by: Chris Mason &lt;clm@fb.com&gt;
cc: Mark Fasheh &lt;mfasheh@suse.de&gt;
Reviewed-by: Filipe Manana &lt;fdmanana@suse.com&gt;
Reviewed-by: Mark Fasheh &lt;mfasheh@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
