diff options
author | Qu Wenruo <quwenruo@cn.fujitsu.com> | 2015-05-05 10:20:19 +0800 |
---|---|---|
committer | David Sterba <dsterba@suse.cz> | 2015-05-14 15:41:06 +0200 |
commit | f4fac5d46e6105e9b30c1c93878f81b8488368b0 (patch) | |
tree | 67d7b07aadf4f64ac7a8f0cfcd87af51b29ac91e /cmds-check.c | |
parent | ab5984ff6cce6f12063720b6dafc1afcd6606853 (diff) |
btrfs-progs: fsck: Fix a shallow copy which will leads to segfault.
In copy_inode_rec(), a shallow copy happens on rec->holes rb_root.
So for shared inode case, new rec->holes still points to old rb_root,
and when the old inode record is freed, the new inode_rec->holes will
points to garbage and cause segfault when we try to free new
inode_rec->holes.
Fix it by calling copy_file_extent_holes() to do deep copy.
Reported-by: Eric Sandeen <sandeen@redhat.com>
Reported-by: Filipe David Manana <fdmanana@gmail.com>
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.cz>
Diffstat (limited to 'cmds-check.c')
-rw-r--r-- | cmds-check.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/cmds-check.c b/cmds-check.c index 60ef48e3..db121b1c 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -516,12 +516,14 @@ static struct inode_record *clone_inode_rec(struct inode_record *orig_rec) struct orphan_data_extent *src_orphan; struct orphan_data_extent *dst_orphan; size_t size; + int ret; rec = malloc(sizeof(*rec)); memcpy(rec, orig_rec, sizeof(*rec)); rec->refs = 1; INIT_LIST_HEAD(&rec->backrefs); INIT_LIST_HEAD(&rec->orphan_extents); + rec->holes = RB_ROOT; list_for_each_entry(orig, &orig_rec->backrefs, list) { size = sizeof(*orig) + orig->namelen + 1; @@ -536,6 +538,9 @@ static struct inode_record *clone_inode_rec(struct inode_record *orig_rec) memcpy(dst_orphan, src_orphan, sizeof(*src_orphan)); list_add_tail(&dst_orphan->list, &rec->orphan_extents); } + ret = copy_file_extent_holes(&rec->holes, &orig_rec->holes); + BUG_ON(ret < 0); + return rec; } |