On 09/19/2016 02:13 PM, David Sterba wrote:
On Wed, Sep 07, 2016 at 10:38:58AM +0300, Nikolay Borisov wrote:
btrfs_uuid_iter_rem is able to return -ENOENT, however this condition
is not handled in btrfs_uuid_tree_iterate which can lead to calling
btrfs_next_item with freed path argument, leading to a null pointer
dereference. Fix it by redoing the search but with an incremented
objectid so we don't loop over the same key.
Signed-off-by: Nikolay Borisov <kernel@xxxxxxxx>
Suggested-by: Chris Mason <clm@xxxxxx>
Link: https://lkml.kernel.org/r/57A473B0.2040203@xxxxxxxx
I'll queue the patch for 4.9, thanks.
Not having a good test for this kept me from trying the patch cold. I
think bumping the objectid will end up missing items.
We know its returning -ENOENT, so it should in theory be enough to just
goto again_search_slot, assuming that we just raced with the deletion.
-chris
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
