From patchwork Wed Apr  9 13:38:34 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Filipe Manana <fdmanana@gmail.com>
X-Patchwork-Id: 3955441
Return-Path: <linux-btrfs-owner@kernel.org>
X-Original-To: patchwork-linux-btrfs@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 9F0A6BFF02
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Wed,  9 Apr 2014 13:38:55 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id C7A1C20520
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Wed,  9 Apr 2014 13:38:54 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 03C0A2051C
	for <patchwork-linux-btrfs@patchwork.kernel.org>;
	Wed,  9 Apr 2014 13:38:54 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933417AbaDINit (ORCPT
	<rfc822;patchwork-linux-btrfs@patchwork.kernel.org>);
	Wed, 9 Apr 2014 09:38:49 -0400
Received: from mail-we0-f180.google.com ([74.125.82.180]:50897 "EHLO
	mail-we0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S933400AbaDINis (ORCPT
	<rfc822; linux-btrfs@vger.kernel.org>); Wed, 9 Apr 2014 09:38:48 -0400
Received: by mail-we0-f180.google.com with SMTP id p61so2516186wes.11
	for <linux-btrfs@vger.kernel.org>;
	Wed, 09 Apr 2014 06:38:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id;
	bh=pcPc6njMnyd3w9LPsO6ri0Q0EluoJWRd0TWcNWHg4vk=;
	b=XkRXhHgs49cuAqZuXQ9SUXnV6tYm3WxVNK37SLcsI8mkLOkwja6Keeg/4ygu2Y3InB
	HxFKKGoD8m3jTD6mOaK1jU8EKzt/smqmLfnrlg3lazqL+kuwsX2AZgqrhghjiTRfQCR8
	9f2l4Fv2JFxMHBx1BqbGZx8D8aahi6afu5aB9dDbbm0NbnBvMaJBrgnLRYaIv/9jp3ph
	1dxY8UG6Oz/gTDJgDQGPzHJKXUyea/2+1/Tw8yTMbZRc2/PWkXxZczUE0Rk0vggxpSUC
	4e+pfv0DNn3pqUBNCvcoz8+TOcp67qfE2CGYLHQMagZ1JCxys6wNddvgHi72gUi1APWy
	QE1g==
X-Received: by 10.180.20.71 with SMTP id l7mr9988397wie.35.1397050726958;
	Wed, 09 Apr 2014 06:38:46 -0700 (PDT)
Received: from storm-desktop.lan (bl13-136-121.dsl.telepac.pt.
	[85.246.136.121]) by mx.google.com with ESMTPSA id
	i9sm10162666wiy.17.2014.04.09.06.38.43 for <multiple recipients>
	(version=TLSv1.1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Wed, 09 Apr 2014 06:38:44 -0700 (PDT)
From: Filipe David Borba Manana <fdmanana@gmail.com>
To: linux-btrfs@vger.kernel.org
Cc: Filipe David Borba Manana <fdmanana@gmail.com>
Subject: [PATCH] Btrfs: don't access non-existent key when csum tree is empty
Date: Wed,  9 Apr 2014 14:38:34 +0100
Message-Id: <1397050714-14132-1-git-send-email-fdmanana@gmail.com>
X-Mailer: git-send-email 1.7.9.5
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-btrfs.vger.kernel.org>
X-Mailing-List: linux-btrfs@vger.kernel.org
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD,
	T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

When the csum tree is empty, our leaf (path->nodes[0]) has a number
of items equal to 0 and since btrfs_header_nritems() returns an
unsigned integer (and so is our local nritems variable) the following
comparison always evaluates to false:

     if (path->slots[0] >= nritems - 1) {

As the casting rules lead to:

     if ((u32)0 >= (u32)4294967295) {

This makes us access key at slot paths->slots[0] + 1 (1) of the empty leaf
some lines below:

    btrfs_item_key_to_cpu(path->nodes[0], &found_key, slot);
    if (found_key.objectid != BTRFS_EXTENT_CSUM_OBJECTID ||
        found_key.type != BTRFS_EXTENT_CSUM_KEY) {
		found_next = 1;
		goto insert;
    }

So just don't access such non-existent slot and don't set found_next to 1
when the tree is empty. It's very unlikely we'll get a random key with the
objectid and type values above, which is where we could go into trouble.

If nritems is 0, just set found_next to 1 anyway as it will make us insert
a csum item covering our whole extent (or the whole leaf) when the tree is
empty.

Signed-off-by: Filipe David Borba Manana <fdmanana@gmail.com>
---
 fs/btrfs/file-item.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c
index 9d84658..0721113 100644
--- a/fs/btrfs/file-item.c
+++ b/fs/btrfs/file-item.c
@@ -749,7 +749,7 @@ again:
 		int slot = path->slots[0] + 1;
 		/* we didn't find a csum item, insert one */
 		nritems = btrfs_header_nritems(path->nodes[0]);
-		if (path->slots[0] >= nritems - 1) {
+		if (!nritems || (path->slots[0] >= nritems - 1)) {
 			ret = btrfs_next_leaf(root, path);
 			if (ret == 1)
 				found_next = 1;