Btrfs: fix unsafe usage of merge_state

merge_state can free the current state if it can be merged with the next node,
but in set_extent_bit(), after merge_state, we still use the current extent to
get the next node and cache it into cached_state

Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
This commit is contained in:
Xiao Guangrong 2011-04-20 06:45:49 +00:00 committed by Chris Mason
parent 8233767a22
commit c7f895a2b2

View File

@ -780,20 +780,18 @@ int set_extent_bit(struct extent_io_tree *tree, u64 start, u64 end,
if (err)
goto out;
next_node = rb_next(node);
cache_state(state, cached_state);
merge_state(tree, state);
if (last_end == (u64)-1)
goto out;
start = last_end + 1;
if (start < end && prealloc && !need_resched()) {
next_node = rb_next(node);
if (next_node) {
state = rb_entry(next_node, struct extent_state,
rb_node);
if (state->start == start)
goto hit_next;
}
if (next_node && start < end && prealloc && !need_resched()) {
state = rb_entry(next_node, struct extent_state,
rb_node);
if (state->start == start)
goto hit_next;
}
goto search_again;
}
@ -856,14 +854,22 @@ int set_extent_bit(struct extent_io_tree *tree, u64 start, u64 end,
prealloc = alloc_extent_state_atomic(prealloc);
BUG_ON(!prealloc);
/*
* Avoid to free 'prealloc' if it can be merged with
* the later extent.
*/
atomic_inc(&prealloc->refs);
err = insert_state(tree, prealloc, start, this_end,
&bits);
BUG_ON(err == -EEXIST);
if (err) {
free_extent_state(prealloc);
prealloc = NULL;
goto out;
}
cache_state(prealloc, cached_state);
free_extent_state(prealloc);
prealloc = NULL;
start = this_end + 1;
goto search_again;