On 19.01.2018 09:25, Qu Wenruo wrote:
> Function btrfs_delete_one_dir_name() will check if the dir_item is the
> last content of the item, and delete the whole item if needed.
>
> However if @name_len of one dir_item/dir_index is corrupted and larger
> than the item size, the function will still try to treat it as a partial
> removal, which will screw up the whole leaf.
>
> This patch will enhance the item deletion check, to cover corrupted name
> len, so in that case we just delete the whole item.
>
> Signed-off-by: Qu Wenruo <wqu@xxxxxxxx>
Reviewed-by: Nikolay Borisov <nborisov@xxxxxxxx>
Perhaps it would be worth creating a regression test for that?
> ---
> dir-item.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/dir-item.c b/dir-item.c
> index e0a0ab4d7a5d..35e0615fb423 100644
> --- a/dir-item.c
> +++ b/dir-item.c
> @@ -263,7 +263,6 @@ int btrfs_delete_one_dir_name(struct btrfs_trans_handle *trans,
> struct btrfs_path *path,
> struct btrfs_dir_item *di)
> {
> -
> struct extent_buffer *leaf;
> u32 sub_item_len;
> u32 item_len;
> @@ -273,7 +272,15 @@ int btrfs_delete_one_dir_name(struct btrfs_trans_handle *trans,
> sub_item_len = sizeof(*di) + btrfs_dir_name_len(leaf, di) +
> btrfs_dir_data_len(leaf, di);
> item_len = btrfs_item_size_nr(leaf, path->slots[0]);
> - if (sub_item_len == item_len) {
> +
> + /*
> + * If @sub_item_len is longer than @item_len, then it means the
> + * name_len is just corrupted.
> + * No good idea to know if there is anything we can recover from
> + * the corrupted item.
> + * Just delete the item.
> + */
> + if (sub_item_len >= item_len) {
> ret = btrfs_del_item(trans, root, path);
> } else {
> unsigned long ptr = (unsigned long)di;
>
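Review bot: the new `sub_item_len >= item_len` test compares against the size of the whole item, not against the bytes remaining between `di` and the end of the item, so a corrupted length on an entry that is not the first one in the item can still come out smaller than `item_len` and fall through to the else branch. Consider also bounding `sub_item_len` by the offset of `di` within the item. The comment blames only name_len, but `btrfs_dir_data_len(leaf, di)` feeds `sub_item_len` as well, and because the `>` case now drops the whole item without any report, an error message on that path would tell the user that directory entries were discarded.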