From: Liu Bo Date: Sun, 11 Sep 2011 14:52:24 +0000 (-0400) Subject: Btrfs: fix an oops when deleting snapshots X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=14c7cca780bd210564ae964f57a8bb807d0b3dbf;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git Btrfs: fix an oops when deleting snapshots We can reproduce this oops via the following steps: $ mkfs.btrfs /dev/sdb7 $ mount /dev/sdb7 /mnt/btrfs $ for ((i=0; i<3; i++)); do btrfs sub snap /mnt/btrfs /mnt/btrfs/s_$i; done $ rm -fr /mnt/btrfs/* $ rm -fr /mnt/btrfs/* then we'll get ------------[ cut here ]------------ kernel BUG at fs/btrfs/inode.c:2264! [...] Call Trace: [] btrfs_rmdir+0xf7/0x1b0 [btrfs] [] vfs_rmdir+0xa5/0xf0 [] do_rmdir+0x123/0x140 [] ? fput+0x197/0x260 [] ? audit_syscall_entry+0x1bf/0x1f0 [] sys_unlinkat+0x2d/0x40 [] system_call_fastpath+0x16/0x1b RIP [] btrfs_orphan_add+0x179/0x1a0 [btrfs] When it comes to btrfs_lookup_dentry, we may set a snapshot's inode->i_ino to BTRFS_EMPTY_SUBVOL_DIR_OBJECTID instead of BTRFS_FIRST_FREE_OBJECTID, while the snapshot's location.objectid remains unchanged. However, btrfs_ino() does not take this into account, and returns a wrong ino, and causes the oops. Signed-off-by: Liu Bo Signed-off-by: Chris Mason --- diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h index 502b9e988679..d9f99a16edd6 100644 --- a/fs/btrfs/btrfs_inode.h +++ b/fs/btrfs/btrfs_inode.h @@ -176,7 +176,11 @@ static inline u64 btrfs_ino(struct inode *inode) { u64 ino = BTRFS_I(inode)->location.objectid; - if (ino <= BTRFS_FIRST_FREE_OBJECTID) + /* + * !ino: btree_inode + * type == BTRFS_ROOT_ITEM_KEY: subvol dir + */ + if (!ino || BTRFS_I(inode)->location.type == BTRFS_ROOT_ITEM_KEY) ino = inode->i_ino; return ino; }