btrfs: fix btrfs_prev_leaf() to not return the same key twice

commit 6f932d4ef007d6a4ae03badcb749fbb8f49196f6 upstream.

A call to btrfs_prev_leaf() may end up returning a path that points to the
same item (key) again. This happens if while btrfs_prev_leaf(), after we
release the path, a concurrent insertion happens, which moves items off
from a sibling into the front of the previous leaf, and an item with the
computed previous key does not exists.

For example, suppose we have the two following leaves:

  Leaf A

  -------------------------------------------------------------
  | ...   key (300 96 10)   key (300 96 15)   key (300 96 16) |
  -------------------------------------------------------------
              slot 20             slot 21             slot 22

  Leaf B

  -------------------------------------------------------------
  | key (300 96 20)   key (300 96 21)   key (300 96 22)   ... |
  -------------------------------------------------------------
      slot 0             slot 1             slot 2

If we call btrfs_prev_leaf(), from btrfs_previous_item() for example, with
a path pointing to leaf B and slot 0 and the following happens:

1) At btrfs_prev_leaf() we compute the previous key to search as:
   (300 96 19), which is a key that does not exists in the tree;

2) Then we call btrfs_release_path() at btrfs_prev_leaf();

3) Some other task inserts a key at leaf A, that sorts before the key at
   slot 20, for example it has an objectid of 299. In order to make room
   for the new key, the key at slot 22 is moved to the front of leaf B.
   This happens at push_leaf_right(), called from split_leaf().

   After this leaf B now looks like:

  --------------------------------------------------------------------------------
  | key (300 96 16)    key (300 96 20)   key (300 96 21)   key (300 96 22)   ... |
  --------------------------------------------------------------------------------
       slot 0              slot 1             slot 2             slot 3

4) At btrfs_prev_leaf() we call btrfs_search_slot() for the computed
   previous key: (300 96 19). Since the key does not exists,
   btrfs_search_slot() returns 1 and with a path pointing to leaf B
   and slot 1, the item with key (300 96 20);

5) This makes btrfs_prev_leaf() return a path that points to slot 1 of
   leaf B, the same key as before it was called, since the key at slot 0
   of leaf B (300 96 16) is less than the computed previous key, which is
   (300 96 19);

6) As a consequence btrfs_previous_item() returns a path that points again
   to the item with key (300 96 20).

For some users of btrfs_prev_leaf() or btrfs_previous_item() this may not
be functional a problem, despite not making sense to return a new path
pointing again to the same item/key. However for a caller such as
tree-log.c:log_dir_items(), this has a bad consequence, as it can result
in not logging some dir index deletions in case the directory is being
logged without holding the inode's VFS lock (logging triggered while
logging a child inode for example) - for the example scenario above, in
case the dir index keys 17, 18 and 19 were deleted in the current
transaction.

CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index fb7e331b697560e2aae0d9744d21b8465e3060f1..a31986ca9224ed49b3938aac3ff7caae7559e1a2 100644 (file)
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -4189,10 +4189,12 @@ int btrfs_del_items(struct btrfs_trans_handle *trans, struct btrfs_root *root,
 int btrfs_prev_leaf(struct btrfs_root *root, struct btrfs_path *path)
 {
        struct btrfs_key key;
+       struct btrfs_key orig_key;
        struct btrfs_disk_key found_key;
        int ret;
 
        btrfs_item_key_to_cpu(path->nodes[0], &key, 0);
+       orig_key = key;
 
        if (key.offset > 0) {
                key.offset--;
@@ -4209,8 +4211,36 @@ int btrfs_prev_leaf(struct btrfs_root *root, struct btrfs_path *path)
 
        btrfs_release_path(path);
        ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
-       if (ret < 0)
+       if (ret <= 0)
                return ret;
+
+       /*
+        * Previous key not found. Even if we were at slot 0 of the leaf we had
+        * before releasing the path and calling btrfs_search_slot(), we now may
+        * be in a slot pointing to the same original key - this can happen if
+        * after we released the path, one of more items were moved from a
+        * sibling leaf into the front of the leaf we had due to an insertion
+        * (see push_leaf_right()).
+        * If we hit this case and our slot is > 0 and just decrement the slot
+        * so that the caller does not process the same key again, which may or
+        * may not break the caller, depending on its logic.
+        */
+       if (path->slots[0] < btrfs_header_nritems(path->nodes[0])) {
+               btrfs_item_key(path->nodes[0], &found_key, path->slots[0]);
+               ret = comp_keys(&found_key, &orig_key);
+               if (ret == 0) {
+                       if (path->slots[0] > 0) {
+                               path->slots[0]--;
+                               return 0;
+                       }
+                       /*
+                        * At slot 0, same key as before, it means orig_key is
+                        * the lowest, leftmost, key in the tree. We're done.
+                        */
+                       return 1;
+               }
+       }
+
        btrfs_item_key(path->nodes[0], &found_key, 0);
        ret = comp_keys(&found_key, &key);
        /*