Re: [PATCH v2 0/5] btrfs: Enhanced runtime defence against fuzzed images

[Nikolay Borisov <nborisov@suse.com>]

On 25.07.19 г. 9:12 ч., Qu Wenruo wrote:
> Another wave of defence enhancment, including:
> 
> - Enhanced eb accessors
>   Not really needed for the fuzzed images, as 448de471cd4c
>   ("btrfs: Check the first key and level for cached extent buffer")
>   already fixed half of the reported images.
>   Just add a final layer of safe net.
> 
>   Just to complain here, two experienced btrfs developer have got
>   confused by @start, @len in functions like read_extent_buffer() with
>   logical address.
>   The best example to solve the confusion is to check the
>   read_extent_buffer() call in btree_read_extent_buffer_pages().
> 
>   I'm not sure why this confusion happens or even get spread.
>   My guess is the extent_buffer::start naming causing the problem.
> 
>   If so, I would definitely rename extent_buffer::start to
>   extent_buffer::bytenr at any cost.
>   Hopes the new commend will address the problem for now.

it should either be bytenr or disk_bytenr or disk_addr or address.
Looking at the code base though, it seems there is already a convention
that bytenr means the byte number in the logical address space. So
indeed, bytenr should be ok.

> 
> - BUG_ON() hunt in __btrfs_free_extent()
>   Kill BUG_ON()s in __btrfs_free_extent(), replace with error reporting
>   and why it shouldn't happen.
> 
>   Also add comment on what __btrfs_free_extent() is designed to do, with
>   two dump-tree examples for newcomers.
> 
> - BUG_ON() hunt in __btrfs_inc_extent_ref()
>   Just like __btrfs_free_extent(), but less comment as
>   comment for __btrfs_free_extent() should also work for
>   __btrfs_inc_extent_ref(), and __btrfs_inc_extent_ref() has a better
>   structure than __btrfs_free_extent().
> 
> - Defence against unbalanced empty leaf
> 
> - Defence against bad key order across two tree blocks
> 
> The last two cases can't be rejected by tree-checker and they are all
> cross-eb cases.
> Thankfully we can reuse existing first_key check against unbalanced
> empty leaf, but needs extra check deep into ctree.c for tree block
> merging time check.
> 
> Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>
> [ Not to mail bombarding the report, thus only RB tag in cover letter ]
> 
> Changelog:
> v2:
> - Remove duplicated error message in WARN() call.
>   Changed to WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG))
>   Also move WARN() after btrfs error message.
> 
> - Fix a comment error in __btrfs_free_extent()
>   It's not adding refs to a tree block, but adding the same refs
>   to an existing tree block ref.
>   It's impossible a btrfs tree owning the same tree block directly twice.
> 
> - Add comment for eb accessors about @start and @len
>   If anyone could tell me why such confusion between @start @len and
>   logical address is here, I will definitely solve the root cause no
>   matter how many codes need to be modified.
> 
> - Use bool to replace int where only two values are returned
>   Also rename to follow the bool type.
> 
> - Remove one unrelated change for the error handler in
>   btrfs_inc_extent_ref()
> 
> - Add Reviewed-by tag
> 
> Qu Wenruo (5):
>   btrfs: extent_io: Do extra check for extent buffer read write
>     functions
>   btrfs: extent-tree: Kill BUG_ON() in __btrfs_free_extent() and do
>     better comment
>   btrfs: Detect unbalanced tree with empty leaf before crashing btree
>     operations
>   btrfs: extent-tree: Kill the BUG_ON() in
>     insert_inline_extent_backref()
>   btrfs: ctree: Checking key orders before merged tree blocks
> 
>  fs/btrfs/ctree.c        |  68 +++++++++++++++++
>  fs/btrfs/disk-io.c      |   8 ++
>  fs/btrfs/extent-tree.c  | 164 ++++++++++++++++++++++++++++++++++++----
>  fs/btrfs/extent_io.c    |  76 ++++++++++---------
>  fs/btrfs/tree-checker.c |   6 ++
>  5 files changed, 271 insertions(+), 51 deletions(-)
>