Fix for btrfs_find_free_objectid

btrfs_find_free_objectid may return a used objectid due to arithmetic
underflow. This bug may happen when parameter 'root' is tree root,  so
it may cause serious problems when creating snapshot or sub-volume.

Signed-off-by: Chris Mason <chris.mason@oracle.com>

diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
index ab74977adf5c8e219b56b9e4da1490b0c5b08125..a0925eabdaa259f9289b2517cc91b838ce78a990 100644 (file)
--- a/fs/btrfs/inode-map.c
+++ b/fs/btrfs/inode-map.c
@@ -62,7 +62,6 @@ int btrfs_find_free_objectid(struct btrfs_trans_handle *trans,
        struct btrfs_path *path;
        struct btrfs_key key;
        int ret;
-       u64 hole_size = 0;
        int slot = 0;
        u64 last_ino = 0;
        int start_found;
@@ -109,8 +108,7 @@ int btrfs_find_free_objectid(struct btrfs_trans_handle *trans,
                        if (start_found) {
                                if (last_ino < search_start)
                                        last_ino = search_start;
-                               hole_size = key.objectid - last_ino;
-                               if (hole_size > 0) {
+                               if (key.objectid > last_ino) {
                                        *objectid = last_ino;
                                        goto found;
                                }