authorQu Wenruo <>2014-08-22 11:42:49 +0800
committerDavid Sterba <>2014-09-14 13:12:27 +0200
commitcf8599c33803932b73e00a54785103030a37a4ee (patch)
tree258a44d71bff40605a25850777968707117a753c /btrfs-corrupt-block.c
parent2527730d5d7e34b7848d8a49b47830e91adb10a1 (diff)
btrfs-progs: corrupt-block: fix a delete and use bug corrupting extent tree
When corrupting the extent tree, corrupt-block iterates over each child node/leaf of a node. However, when a node's child is a leaf, btrfs_corrupt_extent_leaf() may delete some items in the leaf, which may cause the number of children of the parent node to decrease. Before this patch, corrupt-block read nritems only *ONCE* and iterated 'nritems' times. When btrfs_corrupt_extent_leaf() deletes enough items to decrease the nritems in the btrfs_header, the last few iterations access non-existent nodes, which causes a delete and use bug like the following: deleting extent record: key 40714240 168 16384 Couldn't map the block 3459802452797161472 btrfs-corrupt-block: volumes.c:1137: btrfs_num_copies: Assertion `!(!ce)' failed. Aborted This patch re-reads nritems in each iteration to avoid the bug. Signed-off-by: Qu Wenruo <> Signed-off-by: David Sterba <>
Diffstat (limited to 'btrfs-corrupt-block.c')
1 files changed, 1 insertions, 3 deletions
diff --git a/btrfs-corrupt-block.c b/btrfs-corrupt-block.c
index 1a3ac351..474d48fa 100644
--- a/btrfs-corrupt-block.c
+++ b/btrfs-corrupt-block.c
@@ -264,12 +264,10 @@ static void btrfs_corrupt_extent_tree(struct btrfs_trans_handle *trans,
struct extent_buffer *eb)
int i;
- u32 nr;
if (!eb)
- nr = btrfs_header_nritems(eb);
if (btrfs_is_leaf(eb)) {
btrfs_corrupt_extent_leaf(trans, root, eb);
@@ -280,7 +278,7 @@ static void btrfs_corrupt_extent_tree(struct btrfs_trans_handle *trans,
- for (i = 0; i < nr; i++) {
+ for (i = 0; i < btrfs_header_nritems(eb); i++) {
struct extent_buffer *next;
next = read_tree_block(root, btrfs_node_blockptr(eb, i),
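Review bot: The new loop condition `i < btrfs_header_nritems(eb)` is only correct because the count is re-read on every pass, yet nothing in the code says so, and a later cleanup that hoists the call back into a local would bring back the out-of-range `btrfs_node_blockptr(eb, i)` read. I would put a comment above the loop, `/* nritems can shrink while we recurse: btrfs_corrupt_extent_leaf() may delete items, so re-read it on every pass */`. The index is still advanced after a pass that removed a slot, so the child that shifts into slot `i` looks like it is skipped, and the fix also relies on `eb` still being the live copy of the node after the recursive call; both should be confirmed against the deletion path, which is not visible here. `i` remains `int` while the count is `u32`, so the comparison is mixed-sign, and `u32 i;` would match the bound. The loop body continues past the end of this hunk.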