On Mon 18-12-23 22:18:11, Baokun Li wrote: > In ext4_move_extents(), moved_len is only updated when all moves are > successfully executed, and only discards orig_inode and donor_inode > preallocations when moved_len is not zero. When the loop fails to exit > after successfully moving some extents, moved_len is not updated and > remains at 0, so it does not discard the preallocations. > > If the moved extents overlap with the preallocated extents, the > overlapped extents are freed twice in ext4_mb_release_inode_pa() and > ext4_process_freed_data() (as described in commit 94d7c16cbbbd), and > bb_free is incremented twice. Hence when trim is executed, a zero-division > bug is triggered in mb_update_avg_fragment_size() because bb_free is not > zero and bb_fragments is zero. > > Therefore, update move_len after each extent move to avoid the issue. > > Reported-by: Wei Chen <harperchen1110@xxxxxxxxx> > Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> > Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@xxxxxxxxxxxxxx > Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base") > CC: stable@xxxxxxxxxxxxxxx # 3.18 > Signed-off-by: Baokun Li <libaokun1@xxxxxxxxxx> > --- > fs/ext4/move_extent.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c > index 3aa57376d9c2..4b9b503c6346 100644 > --- a/fs/ext4/move_extent.c > +++ b/fs/ext4/move_extent.c > @@ -672,7 +672,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, > */ > ext4_double_up_write_data_sem(orig_inode, donor_inode); > /* Swap original branches with new branches */ > - move_extent_per_page(o_filp, donor_inode, > + *moved_len += move_extent_per_page(o_filp, donor_inode, > orig_page_index, donor_page_index, > offset_in_page, cur_len, > unwritten, &ret); Although this is currently fine, I think ext4_move_extents() should be careful and zero out *moved_len before it starts using it. > @@ -682,7 +682,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk, > o_start += cur_len; > d_start += cur_len; > } > - *moved_len = o_start - orig_blk; > if (*moved_len > len) > *moved_len = len; So I'm not sure the *moved_len > len condition can ever trigger but if it does, we'd need to check it whenever we are returning moved_len. So either I'd delete the condition or move it to the out label. Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
