Unverified Commit 79948936 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!11709 CVE-2024-46751

Merge Pull Request from: @ci-robot 
 
PR sync from: Yifan Qiao <qiaoyifan4@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/SF5HM7KCTZ6TMYMF3JB3SSV4EV47TFRI/ 
Filipe Manana (3):
  btrfs: remove superfluous metadata check at btrfs_lookup_extent_info()
  btrfs: reduce nesting for extent processing at
    btrfs_lookup_extent_info()
  btrfs: don't BUG_ON() when 0 reference count at
    btrfs_lookup_extent_info()


-- 
2.39.2
 
https://gitee.com/src-openeuler/kernel/issues/IARX0N 
 
Link:https://gitee.com/openeuler/kernel/pulls/11709

 

Reviewed-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parents 72228248 eaf70ded
+29 −16
@@ -117,10 +117,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
	struct btrfs_delayed_ref_head *head;
	struct btrfs_delayed_ref_root *delayed_refs;
	struct btrfs_path *path;
	struct btrfs_extent_item *ei;
	struct extent_buffer *leaf;
	struct btrfs_key key;
	u32 item_size;
	u64 num_refs;
	u64 extent_flags;
	int ret;
@@ -155,7 +152,7 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
	if (ret < 0)
		goto out_free;

	if (ret > 0 && metadata && key.type == BTRFS_METADATA_ITEM_KEY) {
	if (ret > 0 && key.type == BTRFS_METADATA_ITEM_KEY) {
		if (path->slots[0]) {
			path->slots[0]--;
			btrfs_item_key_to_cpu(path->nodes[0], &key,
@@ -168,14 +165,11 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
	}

	if (ret == 0) {
		leaf = path->nodes[0];
		item_size = btrfs_item_size_nr(leaf, path->slots[0]);
		if (item_size >= sizeof(*ei)) {
			ei = btrfs_item_ptr(leaf, path->slots[0],
					    struct btrfs_extent_item);
			num_refs = btrfs_extent_refs(leaf, ei);
			extent_flags = btrfs_extent_flags(leaf, ei);
		} else {
		struct extent_buffer *leaf = path->nodes[0];
		struct btrfs_extent_item *ei;
		const u32 item_size = btrfs_item_size_nr(leaf, path->slots[0]);

		if (unlikely(item_size < sizeof(*ei))) {
			ret = -EINVAL;
			btrfs_print_v0_err(fs_info);
			if (trans)
@@ -186,7 +180,17 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
			goto out_free;
		}

		BUG_ON(num_refs == 0);
		ei = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_extent_item);
		num_refs = btrfs_extent_refs(leaf, ei);
		if (unlikely(num_refs == 0)) {
			ret = -EUCLEAN;
			btrfs_err(fs_info,
		"unexpected zero reference count for extent item (%llu %u %llu)",
				  key.objectid, key.type, key.offset);
			btrfs_abort_transaction(trans, ret);
			goto out_free;
		}
		extent_flags = btrfs_extent_flags(leaf, ei);
	} else {
		num_refs = 0;
		extent_flags = 0;
@@ -216,10 +220,19 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
			goto search_again;
		}
		spin_lock(&head->lock);
		if (head->extent_op && head->extent_op->update_flags)
		if (head->extent_op && head->extent_op->update_flags) {
			extent_flags |= head->extent_op->flags_to_set;
		else
			BUG_ON(num_refs == 0);
		} else if (unlikely(num_refs == 0)) {
			spin_unlock(&head->lock);
			mutex_unlock(&head->mutex);
			spin_unlock(&delayed_refs->lock);
			ret = -EUCLEAN;
			btrfs_err(fs_info,
			  "unexpected zero reference count for extent %llu (%s)",
				  bytenr, metadata ? "metadata" : "data");
			btrfs_abort_transaction(trans, ret);
			goto out_free;
		}

		num_refs += head->ref_mod;
		spin_unlock(&head->lock);
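Review bot: The new zero-refcount branch in the `@@ -186,7 +180,17 @@` hunk calls `btrfs_abort_transaction(trans, ret)` unconditionally, while the item-size error path just above it (context line `if (trans)`) only uses `trans` after a NULL check. If any caller of btrfs_lookup_extent_info() in this tree still passes a NULL transaction handle, a corrupted extent item with a zero reference count would turn the removed BUG_ON() into a NULL pointer dereference rather than a clean -EUCLEAN return, so a malformed filesystem image could still crash the kernel. I would guard the call the same way, `if (trans) btrfs_abort_transaction(trans, ret);`, or confirm against the callers that `trans` cannot be NULL on this branch and state that in a comment. The same unconditional call appears in the delayed-ref branch of the last hunk; whether `trans` is already known to be non-NULL there depends on code outside the visible hunks. The function body starts and ends outside these hunks.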