diff options
| author | ZhangXiaoxu <zhangxiaoxu5@huawei.com> | 2019-08-17 01:32:40 -0400 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2019-08-22 16:11:23 -0400 |
| commit | e4f9d6013820d1eba1432d51dd1c5795759aa77f (patch) | |
| tree | e7d3f420754a270eb34f67d6af0187909821aba9 | |
| parent | dc1a3e8e0cc6b2293b48c044710e63395aeb4fb4 (diff) | |
dm btree: fix order of block initialization in btree_split_beneath
When btree_split_beneath() splits a node to two new children, it will
allocate two blocks: left and right. If right block's allocation
failed, the left block will be unlocked and marked dirty. If this
happened, the left block'ss content is zero, because it wasn't
initialized with the btree struct before the attempot to allocate the
right block. Upon return, when flushing the left block to disk, the
validator will fail when check this block. Then a BUG_ON is raised.
Fix this by completely initializing the left block before allocating and
initializing the right block.
Fixes: 4dcb8b57df359 ("dm btree: fix leak of bufio-backed block in btree_split_beneath error path")
Cc: stable@vger.kernel.org
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
| -rw-r--r-- | drivers/md/persistent-data/dm-btree.c | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c index 58b319757b1e..8aae0624a297 100644 --- a/drivers/md/persistent-data/dm-btree.c +++ b/drivers/md/persistent-data/dm-btree.c | |||
| @@ -628,39 +628,40 @@ static int btree_split_beneath(struct shadow_spine *s, uint64_t key) | |||
| 628 | 628 | ||
| 629 | new_parent = shadow_current(s); | 629 | new_parent = shadow_current(s); |
| 630 | 630 | ||
| 631 | pn = dm_block_data(new_parent); | ||
| 632 | size = le32_to_cpu(pn->header.flags) & INTERNAL_NODE ? | ||
| 633 | sizeof(__le64) : s->info->value_type.size; | ||
| 634 | |||
| 635 | /* create & init the left block */ | ||
| 631 | r = new_block(s->info, &left); | 636 | r = new_block(s->info, &left); |
| 632 | if (r < 0) | 637 | if (r < 0) |
| 633 | return r; | 638 | return r; |
| 634 | 639 | ||
| 640 | ln = dm_block_data(left); | ||
| 641 | nr_left = le32_to_cpu(pn->header.nr_entries) / 2; | ||
| 642 | |||
| 643 | ln->header.flags = pn->header.flags; | ||
| 644 | ln->header.nr_entries = cpu_to_le32(nr_left); | ||
| 645 | ln->header.max_entries = pn->header.max_entries; | ||
| 646 | ln->header.value_size = pn->header.value_size; | ||
| 647 | memcpy(ln->keys, pn->keys, nr_left * sizeof(pn->keys[0])); | ||
| 648 | memcpy(value_ptr(ln, 0), value_ptr(pn, 0), nr_left * size); | ||
| 649 | |||
| 650 | /* create & init the right block */ | ||
| 635 | r = new_block(s->info, &right); | 651 | r = new_block(s->info, &right); |
| 636 | if (r < 0) { | 652 | if (r < 0) { |
| 637 | unlock_block(s->info, left); | 653 | unlock_block(s->info, left); |
| 638 | return r; | 654 | return r; |
| 639 | } | 655 | } |
| 640 | 656 | ||
| 641 | pn = dm_block_data(new_parent); | ||
| 642 | ln = dm_block_data(left); | ||
| 643 | rn = dm_block_data(right); | 657 | rn = dm_block_data(right); |
| 644 | |||
| 645 | nr_left = le32_to_cpu(pn->header.nr_entries) / 2; | ||
| 646 | nr_right = le32_to_cpu(pn->header.nr_entries) - nr_left; | 658 | nr_right = le32_to_cpu(pn->header.nr_entries) - nr_left; |
| 647 | 659 | ||
| 648 | ln->header.flags = pn->header.flags; | ||
| 649 | ln->header.nr_entries = cpu_to_le32(nr_left); | ||
| 650 | ln->header.max_entries = pn->header.max_entries; | ||
| 651 | ln->header.value_size = pn->header.value_size; | ||
| 652 | |||
| 653 | rn->header.flags = pn->header.flags; | 660 | rn->header.flags = pn->header.flags; |
| 654 | rn->header.nr_entries = cpu_to_le32(nr_right); | 661 | rn->header.nr_entries = cpu_to_le32(nr_right); |
| 655 | rn->header.max_entries = pn->header.max_entries; | 662 | rn->header.max_entries = pn->header.max_entries; |
| 656 | rn->header.value_size = pn->header.value_size; | 663 | rn->header.value_size = pn->header.value_size; |
| 657 | |||
| 658 | memcpy(ln->keys, pn->keys, nr_left * sizeof(pn->keys[0])); | ||
| 659 | memcpy(rn->keys, pn->keys + nr_left, nr_right * sizeof(pn->keys[0])); | 664 | memcpy(rn->keys, pn->keys + nr_left, nr_right * sizeof(pn->keys[0])); |
| 660 | |||
| 661 | size = le32_to_cpu(pn->header.flags) & INTERNAL_NODE ? | ||
| 662 | sizeof(__le64) : s->info->value_type.size; | ||
| 663 | memcpy(value_ptr(ln, 0), value_ptr(pn, 0), nr_left * size); | ||
| 664 | memcpy(value_ptr(rn, 0), value_ptr(pn, nr_left), | 665 | memcpy(value_ptr(rn, 0), value_ptr(pn, nr_left), |
| 665 | nr_right * size); | 666 | nr_right * size); |
| 666 | 667 | ||