mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-12-27 10:01:39 -05:00
00c14a09a7
The syzbot reported KASAN out-of-bounds issue in
hfs_bnode_move():
[ 45.588165][ T9821] hfs: dst 14, src 65536, len -65536
[ 45.588895][ T9821] ==================================================================
[ 45.590114][ T9821] BUG: KASAN: out-of-bounds in hfs_bnode_move+0xfd/0x140
[ 45.591127][ T9821] Read of size 18446744073709486080 at addr ffff888035935400 by task repro/9821
[ 45.592207][ T9821]
[ 45.592420][ T9821] CPU: 0 UID: 0 PID: 9821 Comm: repro Not tainted 6.16.0-rc7-dirty #42 PREEMPT(full)
[ 45.592428][ T9821] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 45.592431][ T9821] Call Trace:
[ 45.592434][ T9821] <TASK>
[ 45.592437][ T9821] dump_stack_lvl+0x1c1/0x2a0
[ 45.592446][ T9821] ? __virt_addr_valid+0x1c8/0x5c0
[ 45.592454][ T9821] ? __pfx_dump_stack_lvl+0x10/0x10
[ 45.592461][ T9821] ? rcu_is_watching+0x15/0xb0
[ 45.592469][ T9821] ? lock_release+0x4b/0x3e0
[ 45.592476][ T9821] ? __virt_addr_valid+0x1c8/0x5c0
[ 45.592483][ T9821] ? __virt_addr_valid+0x4a5/0x5c0
[ 45.592491][ T9821] print_report+0x17e/0x7c0
[ 45.592497][ T9821] ? __virt_addr_valid+0x1c8/0x5c0
[ 45.592504][ T9821] ? __virt_addr_valid+0x4a5/0x5c0
[ 45.592511][ T9821] ? __phys_addr+0xd3/0x180
[ 45.592519][ T9821] ? hfs_bnode_move+0xfd/0x140
[ 45.592526][ T9821] kasan_report+0x147/0x180
[ 45.592531][ T9821] ? _printk+0xcf/0x120
[ 45.592537][ T9821] ? hfs_bnode_move+0xfd/0x140
[ 45.592544][ T9821] ? hfs_bnode_move+0xfd/0x140
[ 45.592552][ T9821] kasan_check_range+0x2b0/0x2c0
[ 45.592557][ T9821] ? hfs_bnode_move+0xfd/0x140
[ 45.592565][ T9821] __asan_memmove+0x29/0x70
[ 45.592572][ T9821] hfs_bnode_move+0xfd/0x140
[ 45.592580][ T9821] hfs_brec_remove+0x473/0x560
[ 45.592589][ T9821] hfs_cat_move+0x6fb/0x960
[ 45.592598][ T9821] ? __pfx_hfs_cat_move+0x10/0x10
[ 45.592607][ T9821] ? seqcount_lockdep_reader_access+0x122/0x1c0
[ 45.592614][ T9821] ? lockdep_hardirqs_on+0x9c/0x150
[ 45.592631][ T9821] ? __lock_acquire+0xaec/0xd80
[ 45.592641][ T9821] hfs_rename+0x1dc/0x2d0
[ 45.592649][ T9821] ? __pfx_hfs_rename+0x10/0x10
[ 45.592657][ T9821] vfs_rename+0xac6/0xed0
[ 45.592664][ T9821] ? __pfx_vfs_rename+0x10/0x10
[ 45.592670][ T9821] ? d_alloc+0x144/0x190
[ 45.592677][ T9821] ? bpf_lsm_path_rename+0x9/0x20
[ 45.592683][ T9821] ? security_path_rename+0x17d/0x490
[ 45.592691][ T9821] do_renameat2+0x890/0xc50
[ 45.592699][ T9821] ? __pfx_do_renameat2+0x10/0x10
[ 45.592707][ T9821] ? getname_flags+0x1e5/0x540
[ 45.592714][ T9821] __x64_sys_rename+0x82/0x90
[ 45.592720][ T9821] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 45.592725][ T9821] do_syscall_64+0xf3/0x3a0
[ 45.592741][ T9821] ? exc_page_fault+0x9f/0xf0
[ 45.592748][ T9821] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 45.592754][ T9821] RIP: 0033:0x7f7f73fe3fc9
[ 45.592760][ T9821] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
[ 45.592765][ T9821] RSP: 002b:00007ffc7e116cf8 EFLAGS: 00000283 ORIG_RAX: 0000000000000052
[ 45.592772][ T9821] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7f73fe3fc9
[ 45.592776][ T9821] RDX: 0000200000000871 RSI: 0000200000000780 RDI: 00002000000003c0
[ 45.592781][ T9821] RBP: 00007ffc7e116d00 R08: 0000000000000000 R09: 00007ffc7e116d30
[ 45.592784][ T9821] R10: fffffffffffffff0 R11: 0000000000000283 R12: 00005557e81f8250
[ 45.592788][ T9821] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 45.592795][ T9821] </TASK>
[ 45.592797][ T9821]
[ 45.619721][ T9821] The buggy address belongs to the physical page:
[ 45.620300][ T9821] page: refcount:1 mapcount:1 mapping:0000000000000000 index:0x559a88174 pfn:0x35935
[ 45.621150][ T9821] memcg:ffff88810a1d5b00
[ 45.621531][ T9821] anon flags: 0xfff60000020838(uptodate|dirty|lru|owner_2|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
[ 45.622496][ T9821] raw: 00fff60000020838 ffffea0000d64d88 ffff888021753e10 ffff888029da0771
[ 45.623260][ T9821] raw: 0000000559a88174 0000000000000000 0000000100000000 ffff88810a1d5b00
[ 45.624030][ T9821] page dumped because: kasan: bad access detected
[ 45.624602][ T9821] page_owner tracks the page as allocated
[ 45.625115][ T9821] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO0
[ 45.626685][ T9821] post_alloc_hook+0x240/0x2a0
[ 45.627127][ T9821] get_page_from_freelist+0x2101/0x21e0
[ 45.627628][ T9821] __alloc_frozen_pages_noprof+0x274/0x380
[ 45.628154][ T9821] alloc_pages_mpol+0x241/0x4b0
[ 45.628593][ T9821] vma_alloc_folio_noprof+0xe4/0x210
[ 45.629066][ T9821] folio_prealloc+0x30/0x180
[ 45.629487][ T9821] __handle_mm_fault+0x34bd/0x5640
[ 45.629957][ T9821] handle_mm_fault+0x40e/0x8e0
[ 45.630392][ T9821] do_user_addr_fault+0xa81/0x1390
[ 45.630862][ T9821] exc_page_fault+0x76/0xf0
[ 45.631273][ T9821] asm_exc_page_fault+0x26/0x30
[ 45.631712][ T9821] page last free pid 5269 tgid 5269 stack trace:
[ 45.632281][ T9821] free_unref_folios+0xc73/0x14c0
[ 45.632740][ T9821] folios_put_refs+0x55b/0x640
[ 45.633177][ T9821] free_pages_and_swap_cache+0x26d/0x510
[ 45.633685][ T9821] tlb_flush_mmu+0x3a0/0x680
[ 45.634105][ T9821] tlb_finish_mmu+0xd4/0x200
[ 45.634525][ T9821] exit_mmap+0x44c/0xb70
[ 45.634914][ T9821] __mmput+0x118/0x420
[ 45.635286][ T9821] exit_mm+0x1da/0x2c0
[ 45.635659][ T9821] do_exit+0x652/0x2330
[ 45.636039][ T9821] do_group_exit+0x21c/0x2d0
[ 45.636457][ T9821] __x64_sys_exit_group+0x3f/0x40
[ 45.636915][ T9821] x64_sys_call+0x21ba/0x21c0
[ 45.637342][ T9821] do_syscall_64+0xf3/0x3a0
[ 45.637756][ T9821] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 45.638290][ T9821] page has been migrated, last migrate reason: numa_misplaced
[ 45.638956][ T9821]
[ 45.639173][ T9821] Memory state around the buggy address:
[ 45.639677][ T9821] ffff888035935300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.640397][ T9821] ffff888035935380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.641117][ T9821] >ffff888035935400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.641837][ T9821] ^
[ 45.642207][ T9821] ffff888035935480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.642929][ T9821] ffff888035935500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.643650][ T9821] ==================================================================
This commit [1] fixes the issue if an offset inside of b-tree node
or length of the request is bigger than b-tree node. However,
this fix is still not ready for negative values
of the offset or length. Moreover, negative values of
the offset or length doesn't make sense for b-tree's
operations. Because we could try to access the memory address
outside of the beginning of memory page's addresses range.
Also, using of negative values make logic very complicated,
unpredictable, and we could access the wrong item(s)
in the b-tree node.
This patch changes b-tree interface by means of converting
signed integer arguments of offset and length on u32 type.
Such conversion has goal to prevent of using negative values
unintentionally or by mistake in b-tree operations.
[1] 'commit a431930c9b ("hfs: fix slab-out-of-bounds in hfs_bnode_read()")'
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251002200020.2578311-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
535 lines
14 KiB
C
535 lines
14 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* linux/fs/hfsplus/brec.c
|
|
*
|
|
* Copyright (C) 2001
|
|
* Brad Boyer (flar@allandria.com)
|
|
* (C) 2003 Ardis Technologies <roman@ardistech.com>
|
|
*
|
|
* Handle individual btree records
|
|
*/
|
|
|
|
#include "hfsplus_fs.h"
|
|
#include "hfsplus_raw.h"
|
|
|
|
static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd);
|
|
static int hfs_brec_update_parent(struct hfs_find_data *fd);
|
|
static int hfs_btree_inc_height(struct hfs_btree *);
|
|
|
|
/* Get the length and offset of the given record in the given node */
|
|
u16 hfs_brec_lenoff(struct hfs_bnode *node, u16 rec, u16 *off)
|
|
{
|
|
__be16 retval[2];
|
|
u16 dataoff;
|
|
|
|
dataoff = node->tree->node_size - (rec + 2) * 2;
|
|
hfs_bnode_read(node, retval, dataoff, 4);
|
|
*off = be16_to_cpu(retval[1]);
|
|
return be16_to_cpu(retval[0]) - *off;
|
|
}
|
|
|
|
/* Get the length of the key from a keyed record */
|
|
u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
|
|
{
|
|
u16 retval, recoff;
|
|
|
|
if (node->type != HFS_NODE_INDEX && node->type != HFS_NODE_LEAF)
|
|
return 0;
|
|
|
|
if ((node->type == HFS_NODE_INDEX) &&
|
|
!(node->tree->attributes & HFS_TREE_VARIDXKEYS) &&
|
|
(node->tree->cnid != HFSPLUS_ATTR_CNID)) {
|
|
retval = node->tree->max_key_len + 2;
|
|
} else {
|
|
recoff = hfs_bnode_read_u16(node,
|
|
node->tree->node_size - (rec + 1) * 2);
|
|
if (!recoff)
|
|
return 0;
|
|
if (recoff > node->tree->node_size - 2) {
|
|
pr_err("recoff %d too large\n", recoff);
|
|
return 0;
|
|
}
|
|
|
|
retval = hfs_bnode_read_u16(node, recoff) + 2;
|
|
if (retval > node->tree->max_key_len + 2) {
|
|
pr_err("keylen %d too large\n",
|
|
retval);
|
|
retval = 0;
|
|
}
|
|
}
|
|
return retval;
|
|
}
|
|
|
|
int hfs_brec_insert(struct hfs_find_data *fd, void *entry, u32 entry_len)
|
|
{
|
|
struct hfs_btree *tree;
|
|
struct hfs_bnode *node, *new_node;
|
|
int size, key_len, rec;
|
|
int data_off, end_off;
|
|
int idx_rec_off, data_rec_off, end_rec_off;
|
|
__be32 cnid;
|
|
|
|
tree = fd->tree;
|
|
if (!fd->bnode) {
|
|
if (!tree->root)
|
|
hfs_btree_inc_height(tree);
|
|
node = hfs_bnode_find(tree, tree->leaf_head);
|
|
if (IS_ERR(node))
|
|
return PTR_ERR(node);
|
|
fd->bnode = node;
|
|
fd->record = -1;
|
|
}
|
|
new_node = NULL;
|
|
key_len = be16_to_cpu(fd->search_key->key_len) + 2;
|
|
again:
|
|
/* new record idx and complete record size */
|
|
rec = fd->record + 1;
|
|
size = key_len + entry_len;
|
|
|
|
node = fd->bnode;
|
|
hfs_bnode_dump(node);
|
|
/* get last offset */
|
|
end_rec_off = tree->node_size - (node->num_recs + 1) * 2;
|
|
end_off = hfs_bnode_read_u16(node, end_rec_off);
|
|
end_rec_off -= 2;
|
|
hfs_dbg("rec %d, size %d, end_off %d, end_rec_off %d\n",
|
|
rec, size, end_off, end_rec_off);
|
|
if (size > end_rec_off - end_off) {
|
|
if (new_node)
|
|
panic("not enough room!\n");
|
|
new_node = hfs_bnode_split(fd);
|
|
if (IS_ERR(new_node))
|
|
return PTR_ERR(new_node);
|
|
goto again;
|
|
}
|
|
if (node->type == HFS_NODE_LEAF) {
|
|
tree->leaf_count++;
|
|
mark_inode_dirty(tree->inode);
|
|
}
|
|
node->num_recs++;
|
|
/* write new last offset */
|
|
hfs_bnode_write_u16(node,
|
|
offsetof(struct hfs_bnode_desc, num_recs),
|
|
node->num_recs);
|
|
hfs_bnode_write_u16(node, end_rec_off, end_off + size);
|
|
data_off = end_off;
|
|
data_rec_off = end_rec_off + 2;
|
|
idx_rec_off = tree->node_size - (rec + 1) * 2;
|
|
if (idx_rec_off == data_rec_off)
|
|
goto skip;
|
|
/* move all following entries */
|
|
do {
|
|
data_off = hfs_bnode_read_u16(node, data_rec_off + 2);
|
|
hfs_bnode_write_u16(node, data_rec_off, data_off + size);
|
|
data_rec_off += 2;
|
|
} while (data_rec_off < idx_rec_off);
|
|
|
|
/* move data away */
|
|
hfs_bnode_move(node, data_off + size, data_off,
|
|
end_off - data_off);
|
|
|
|
skip:
|
|
hfs_bnode_write(node, fd->search_key, data_off, key_len);
|
|
hfs_bnode_write(node, entry, data_off + key_len, entry_len);
|
|
hfs_bnode_dump(node);
|
|
|
|
/*
|
|
* update parent key if we inserted a key
|
|
* at the start of the node and it is not the new node
|
|
*/
|
|
if (!rec && new_node != node) {
|
|
hfs_bnode_read_key(node, fd->search_key, data_off + size);
|
|
hfs_brec_update_parent(fd);
|
|
}
|
|
|
|
if (new_node) {
|
|
hfs_bnode_put(fd->bnode);
|
|
if (!new_node->parent) {
|
|
hfs_btree_inc_height(tree);
|
|
new_node->parent = tree->root;
|
|
}
|
|
fd->bnode = hfs_bnode_find(tree, new_node->parent);
|
|
|
|
/* create index data entry */
|
|
cnid = cpu_to_be32(new_node->this);
|
|
entry = &cnid;
|
|
entry_len = sizeof(cnid);
|
|
|
|
/* get index key */
|
|
hfs_bnode_read_key(new_node, fd->search_key, 14);
|
|
__hfs_brec_find(fd->bnode, fd, hfs_find_rec_by_key);
|
|
|
|
hfs_bnode_put(new_node);
|
|
new_node = NULL;
|
|
|
|
if ((tree->attributes & HFS_TREE_VARIDXKEYS) ||
|
|
(tree->cnid == HFSPLUS_ATTR_CNID))
|
|
key_len = be16_to_cpu(fd->search_key->key_len) + 2;
|
|
else {
|
|
fd->search_key->key_len =
|
|
cpu_to_be16(tree->max_key_len);
|
|
key_len = tree->max_key_len + 2;
|
|
}
|
|
goto again;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int hfs_brec_remove(struct hfs_find_data *fd)
|
|
{
|
|
struct hfs_btree *tree;
|
|
struct hfs_bnode *node, *parent;
|
|
int end_off, rec_off, data_off, size;
|
|
|
|
tree = fd->tree;
|
|
node = fd->bnode;
|
|
again:
|
|
rec_off = tree->node_size - (fd->record + 2) * 2;
|
|
end_off = tree->node_size - (node->num_recs + 1) * 2;
|
|
|
|
if (node->type == HFS_NODE_LEAF) {
|
|
tree->leaf_count--;
|
|
mark_inode_dirty(tree->inode);
|
|
}
|
|
hfs_bnode_dump(node);
|
|
hfs_dbg("rec %d, len %d\n",
|
|
fd->record, fd->keylength + fd->entrylength);
|
|
if (!--node->num_recs) {
|
|
hfs_bnode_unlink(node);
|
|
if (!node->parent)
|
|
return 0;
|
|
parent = hfs_bnode_find(tree, node->parent);
|
|
if (IS_ERR(parent))
|
|
return PTR_ERR(parent);
|
|
hfs_bnode_put(node);
|
|
node = fd->bnode = parent;
|
|
|
|
__hfs_brec_find(node, fd, hfs_find_rec_by_key);
|
|
goto again;
|
|
}
|
|
hfs_bnode_write_u16(node,
|
|
offsetof(struct hfs_bnode_desc, num_recs),
|
|
node->num_recs);
|
|
|
|
if (rec_off == end_off)
|
|
goto skip;
|
|
size = fd->keylength + fd->entrylength;
|
|
|
|
do {
|
|
data_off = hfs_bnode_read_u16(node, rec_off);
|
|
hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
|
|
rec_off -= 2;
|
|
} while (rec_off >= end_off);
|
|
|
|
/* fill hole */
|
|
hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
|
|
data_off - fd->keyoffset - size);
|
|
skip:
|
|
hfs_bnode_dump(node);
|
|
if (!fd->record)
|
|
hfs_brec_update_parent(fd);
|
|
return 0;
|
|
}
|
|
|
|
static struct hfs_bnode *hfs_bnode_split(struct hfs_find_data *fd)
|
|
{
|
|
struct hfs_btree *tree;
|
|
struct hfs_bnode *node, *new_node, *next_node;
|
|
struct hfs_bnode_desc node_desc;
|
|
int num_recs, new_rec_off, new_off, old_rec_off;
|
|
int data_start, data_end, size;
|
|
|
|
tree = fd->tree;
|
|
node = fd->bnode;
|
|
new_node = hfs_bmap_alloc(tree);
|
|
if (IS_ERR(new_node))
|
|
return new_node;
|
|
hfs_bnode_get(node);
|
|
hfs_dbg("this %d - new %d - next %d\n",
|
|
node->this, new_node->this, node->next);
|
|
new_node->next = node->next;
|
|
new_node->prev = node->this;
|
|
new_node->parent = node->parent;
|
|
new_node->type = node->type;
|
|
new_node->height = node->height;
|
|
|
|
if (node->next)
|
|
next_node = hfs_bnode_find(tree, node->next);
|
|
else
|
|
next_node = NULL;
|
|
|
|
if (IS_ERR(next_node)) {
|
|
hfs_bnode_put(node);
|
|
hfs_bnode_put(new_node);
|
|
return next_node;
|
|
}
|
|
|
|
size = tree->node_size / 2 - node->num_recs * 2 - 14;
|
|
old_rec_off = tree->node_size - 4;
|
|
num_recs = 1;
|
|
for (;;) {
|
|
data_start = hfs_bnode_read_u16(node, old_rec_off);
|
|
if (data_start > size)
|
|
break;
|
|
old_rec_off -= 2;
|
|
if (++num_recs < node->num_recs)
|
|
continue;
|
|
/* panic? */
|
|
hfs_bnode_put(node);
|
|
hfs_bnode_put(new_node);
|
|
if (next_node)
|
|
hfs_bnode_put(next_node);
|
|
return ERR_PTR(-ENOSPC);
|
|
}
|
|
|
|
if (fd->record + 1 < num_recs) {
|
|
/* new record is in the lower half,
|
|
* so leave some more space there
|
|
*/
|
|
old_rec_off += 2;
|
|
num_recs--;
|
|
data_start = hfs_bnode_read_u16(node, old_rec_off);
|
|
} else {
|
|
hfs_bnode_put(node);
|
|
hfs_bnode_get(new_node);
|
|
fd->bnode = new_node;
|
|
fd->record -= num_recs;
|
|
fd->keyoffset -= data_start - 14;
|
|
fd->entryoffset -= data_start - 14;
|
|
}
|
|
new_node->num_recs = node->num_recs - num_recs;
|
|
node->num_recs = num_recs;
|
|
|
|
new_rec_off = tree->node_size - 2;
|
|
new_off = 14;
|
|
size = data_start - new_off;
|
|
num_recs = new_node->num_recs;
|
|
data_end = data_start;
|
|
while (num_recs) {
|
|
hfs_bnode_write_u16(new_node, new_rec_off, new_off);
|
|
old_rec_off -= 2;
|
|
new_rec_off -= 2;
|
|
data_end = hfs_bnode_read_u16(node, old_rec_off);
|
|
new_off = data_end - size;
|
|
num_recs--;
|
|
}
|
|
hfs_bnode_write_u16(new_node, new_rec_off, new_off);
|
|
hfs_bnode_copy(new_node, 14, node, data_start, data_end - data_start);
|
|
|
|
/* update new bnode header */
|
|
node_desc.next = cpu_to_be32(new_node->next);
|
|
node_desc.prev = cpu_to_be32(new_node->prev);
|
|
node_desc.type = new_node->type;
|
|
node_desc.height = new_node->height;
|
|
node_desc.num_recs = cpu_to_be16(new_node->num_recs);
|
|
node_desc.reserved = 0;
|
|
hfs_bnode_write(new_node, &node_desc, 0, sizeof(node_desc));
|
|
|
|
/* update previous bnode header */
|
|
node->next = new_node->this;
|
|
hfs_bnode_read(node, &node_desc, 0, sizeof(node_desc));
|
|
node_desc.next = cpu_to_be32(node->next);
|
|
node_desc.num_recs = cpu_to_be16(node->num_recs);
|
|
hfs_bnode_write(node, &node_desc, 0, sizeof(node_desc));
|
|
|
|
/* update next bnode header */
|
|
if (next_node) {
|
|
next_node->prev = new_node->this;
|
|
hfs_bnode_read(next_node, &node_desc, 0, sizeof(node_desc));
|
|
node_desc.prev = cpu_to_be32(next_node->prev);
|
|
hfs_bnode_write(next_node, &node_desc, 0, sizeof(node_desc));
|
|
hfs_bnode_put(next_node);
|
|
} else if (node->this == tree->leaf_tail) {
|
|
/* if there is no next node, this might be the new tail */
|
|
tree->leaf_tail = new_node->this;
|
|
mark_inode_dirty(tree->inode);
|
|
}
|
|
|
|
hfs_bnode_dump(node);
|
|
hfs_bnode_dump(new_node);
|
|
hfs_bnode_put(node);
|
|
|
|
return new_node;
|
|
}
|
|
|
|
static int hfs_brec_update_parent(struct hfs_find_data *fd)
|
|
{
|
|
struct hfs_btree *tree;
|
|
struct hfs_bnode *node, *new_node, *parent;
|
|
int newkeylen, diff;
|
|
int rec, rec_off, end_rec_off;
|
|
int start_off, end_off;
|
|
|
|
tree = fd->tree;
|
|
node = fd->bnode;
|
|
new_node = NULL;
|
|
if (!node->parent)
|
|
return 0;
|
|
|
|
again:
|
|
parent = hfs_bnode_find(tree, node->parent);
|
|
if (IS_ERR(parent))
|
|
return PTR_ERR(parent);
|
|
__hfs_brec_find(parent, fd, hfs_find_rec_by_key);
|
|
if (fd->record < 0)
|
|
return -ENOENT;
|
|
hfs_bnode_dump(parent);
|
|
rec = fd->record;
|
|
|
|
/* size difference between old and new key */
|
|
if ((tree->attributes & HFS_TREE_VARIDXKEYS) ||
|
|
(tree->cnid == HFSPLUS_ATTR_CNID))
|
|
newkeylen = hfs_bnode_read_u16(node, 14) + 2;
|
|
else
|
|
fd->keylength = newkeylen = tree->max_key_len + 2;
|
|
hfs_dbg("rec %d, keylength %d, newkeylen %d\n",
|
|
rec, fd->keylength, newkeylen);
|
|
|
|
rec_off = tree->node_size - (rec + 2) * 2;
|
|
end_rec_off = tree->node_size - (parent->num_recs + 1) * 2;
|
|
diff = newkeylen - fd->keylength;
|
|
if (!diff)
|
|
goto skip;
|
|
if (diff > 0) {
|
|
end_off = hfs_bnode_read_u16(parent, end_rec_off);
|
|
if (end_rec_off - end_off < diff) {
|
|
|
|
hfs_dbg("splitting index node\n");
|
|
fd->bnode = parent;
|
|
new_node = hfs_bnode_split(fd);
|
|
if (IS_ERR(new_node))
|
|
return PTR_ERR(new_node);
|
|
parent = fd->bnode;
|
|
rec = fd->record;
|
|
rec_off = tree->node_size - (rec + 2) * 2;
|
|
end_rec_off = tree->node_size -
|
|
(parent->num_recs + 1) * 2;
|
|
}
|
|
}
|
|
|
|
end_off = start_off = hfs_bnode_read_u16(parent, rec_off);
|
|
hfs_bnode_write_u16(parent, rec_off, start_off + diff);
|
|
start_off -= 4; /* move previous cnid too */
|
|
|
|
while (rec_off > end_rec_off) {
|
|
rec_off -= 2;
|
|
end_off = hfs_bnode_read_u16(parent, rec_off);
|
|
hfs_bnode_write_u16(parent, rec_off, end_off + diff);
|
|
}
|
|
hfs_bnode_move(parent, start_off + diff, start_off,
|
|
end_off - start_off);
|
|
skip:
|
|
hfs_bnode_copy(parent, fd->keyoffset, node, 14, newkeylen);
|
|
hfs_bnode_dump(parent);
|
|
|
|
hfs_bnode_put(node);
|
|
node = parent;
|
|
|
|
if (new_node) {
|
|
__be32 cnid;
|
|
|
|
if (!new_node->parent) {
|
|
hfs_btree_inc_height(tree);
|
|
new_node->parent = tree->root;
|
|
}
|
|
fd->bnode = hfs_bnode_find(tree, new_node->parent);
|
|
/* create index key and entry */
|
|
hfs_bnode_read_key(new_node, fd->search_key, 14);
|
|
cnid = cpu_to_be32(new_node->this);
|
|
|
|
__hfs_brec_find(fd->bnode, fd, hfs_find_rec_by_key);
|
|
hfs_brec_insert(fd, &cnid, sizeof(cnid));
|
|
hfs_bnode_put(fd->bnode);
|
|
hfs_bnode_put(new_node);
|
|
|
|
if (!rec) {
|
|
if (new_node == node)
|
|
goto out;
|
|
/* restore search_key */
|
|
hfs_bnode_read_key(node, fd->search_key, 14);
|
|
}
|
|
new_node = NULL;
|
|
}
|
|
|
|
if (!rec && node->parent)
|
|
goto again;
|
|
out:
|
|
fd->bnode = node;
|
|
return 0;
|
|
}
|
|
|
|
static int hfs_btree_inc_height(struct hfs_btree *tree)
|
|
{
|
|
struct hfs_bnode *node, *new_node;
|
|
struct hfs_bnode_desc node_desc;
|
|
int key_size, rec;
|
|
__be32 cnid;
|
|
|
|
node = NULL;
|
|
if (tree->root) {
|
|
node = hfs_bnode_find(tree, tree->root);
|
|
if (IS_ERR(node))
|
|
return PTR_ERR(node);
|
|
}
|
|
new_node = hfs_bmap_alloc(tree);
|
|
if (IS_ERR(new_node)) {
|
|
hfs_bnode_put(node);
|
|
return PTR_ERR(new_node);
|
|
}
|
|
|
|
tree->root = new_node->this;
|
|
if (!tree->depth) {
|
|
tree->leaf_head = tree->leaf_tail = new_node->this;
|
|
new_node->type = HFS_NODE_LEAF;
|
|
new_node->num_recs = 0;
|
|
} else {
|
|
new_node->type = HFS_NODE_INDEX;
|
|
new_node->num_recs = 1;
|
|
}
|
|
new_node->parent = 0;
|
|
new_node->next = 0;
|
|
new_node->prev = 0;
|
|
new_node->height = ++tree->depth;
|
|
|
|
node_desc.next = cpu_to_be32(new_node->next);
|
|
node_desc.prev = cpu_to_be32(new_node->prev);
|
|
node_desc.type = new_node->type;
|
|
node_desc.height = new_node->height;
|
|
node_desc.num_recs = cpu_to_be16(new_node->num_recs);
|
|
node_desc.reserved = 0;
|
|
hfs_bnode_write(new_node, &node_desc, 0, sizeof(node_desc));
|
|
|
|
rec = tree->node_size - 2;
|
|
hfs_bnode_write_u16(new_node, rec, 14);
|
|
|
|
if (node) {
|
|
/* insert old root idx into new root */
|
|
node->parent = tree->root;
|
|
if (node->type == HFS_NODE_LEAF ||
|
|
tree->attributes & HFS_TREE_VARIDXKEYS ||
|
|
tree->cnid == HFSPLUS_ATTR_CNID)
|
|
key_size = hfs_bnode_read_u16(node, 14) + 2;
|
|
else
|
|
key_size = tree->max_key_len + 2;
|
|
hfs_bnode_copy(new_node, 14, node, 14, key_size);
|
|
|
|
if (!(tree->attributes & HFS_TREE_VARIDXKEYS) &&
|
|
(tree->cnid != HFSPLUS_ATTR_CNID)) {
|
|
key_size = tree->max_key_len + 2;
|
|
hfs_bnode_write_u16(new_node, 14, tree->max_key_len);
|
|
}
|
|
cnid = cpu_to_be32(node->this);
|
|
hfs_bnode_write(new_node, &cnid, 14 + key_size, 4);
|
|
|
|
rec -= 2;
|
|
hfs_bnode_write_u16(new_node, rec, 14 + key_size + 4);
|
|
|
|
hfs_bnode_put(node);
|
|
}
|
|
hfs_bnode_put(new_node);
|
|
mark_inode_dirty(tree->inode);
|
|
|
|
return 0;
|
|
}
|