| From de66d3b6ce5caa45f046fea05d46670248c50864 Mon Sep 17 00:00:00 2001 |
| From: Josef Bacik <josef@toxicpanda.com> |
| Date: Wed, 18 Dec 2019 17:20:28 -0500 |
| Subject: [PATCH] btrfs: fix invalid removal of root ref |
| |
| commit d49d3287e74ffe55ae7430d1e795e5f9bf7359ea upstream. |
| |
| If we have the following sequence of events |
| |
| btrfs sub create A |
| btrfs sub create A/B |
| btrfs sub snap A C |
| mkdir C/foo |
| mv A/B C/foo |
| rm -rf * |
| |
| We will end up with a transaction abort. |
| |
| The reason for this is because we create a root ref for B pointing to A. |
| When we create a snapshot of C we still have B in our tree, but because |
| the root ref points to A and not C we will make it appear to be empty. |
| |
| The problem happens when we move B into C. This removes the root ref |
| for B pointing to A and adds a ref of B pointing to C. When we rmdir C |
| we'll see that we have a ref to our root and remove the root ref, |
| despite not actually matching our reference name. |
| |
| Now btrfs_del_root_ref() allowing this to work is a bug as well, however |
| we know that this inode does not actually point to a root ref in the |
| first place, so we shouldn't be calling btrfs_del_root_ref() in the |
| first place and instead simply look up our dir index for this item and |
| do the rest of the removal. |
| |
| CC: stable@vger.kernel.org # 4.4+ |
| Signed-off-by: Josef Bacik <josef@toxicpanda.com> |
| Reviewed-by: David Sterba <dsterba@suse.com> |
| Signed-off-by: David Sterba <dsterba@suse.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c |
| index eed3087d5f3e..e0f97af3122a 100644 |
| --- a/fs/btrfs/inode.c |
| +++ b/fs/btrfs/inode.c |
| @@ -4187,13 +4187,16 @@ static int btrfs_unlink_subvol(struct btrfs_trans_handle *trans, |
| } |
| btrfs_release_path(path); |
| |
| - ret = btrfs_del_root_ref(trans, objectid, root->root_key.objectid, |
| - dir_ino, &index, name, name_len); |
| - if (ret < 0) { |
| - if (ret != -ENOENT) { |
| - btrfs_abort_transaction(trans, ret); |
| - goto out; |
| - } |
| + /* |
| + * This is a placeholder inode for a subvolume we didn't have a |
| + * reference to at the time of the snapshot creation. In the meantime |
| + * we could have renamed the real subvol link into our snapshot, so |
| + * depending on btrfs_del_root_ref to return -ENOENT here is incorret. |
| + * Instead simply lookup the dir_index_item for this entry so we can |
| + * remove it. Otherwise we know we have a ref to the root and we can |
| + * call btrfs_del_root_ref, and it _shouldn't_ fail. |
| + */ |
| + if (btrfs_ino(inode) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID) { |
| di = btrfs_search_dir_index_item(root, path, dir_ino, |
| name, name_len); |
| if (IS_ERR_OR_NULL(di)) { |
| @@ -4208,8 +4211,16 @@ static int btrfs_unlink_subvol(struct btrfs_trans_handle *trans, |
| leaf = path->nodes[0]; |
| btrfs_item_key_to_cpu(leaf, &key, path->slots[0]); |
| index = key.offset; |
| + btrfs_release_path(path); |
| + } else { |
| + ret = btrfs_del_root_ref(trans, objectid, |
| + root->root_key.objectid, dir_ino, |
| + &index, name, name_len); |
| + if (ret) { |
| + btrfs_abort_transaction(trans, ret); |
| + goto out; |
| + } |
| } |
| - btrfs_release_path(path); |
| |
| ret = btrfs_delete_delayed_dir_index(trans, BTRFS_I(dir), index); |
| if (ret) { |
| -- |
| 2.7.4 |
| |