From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Cc: Jungyeon Yoon <jungyeon.yoon@gmail.com>
Subject: [PATCH v5 0/4] btrfs: Enhanced runtime defence against fuzzed images
Date: Wed, 19 Aug 2020 14:35:46 +0800 [thread overview]
Message-ID: <20200819063550.62832-1-wqu@suse.com> (raw)
This patch is revived after one year, as one internal report has hit one
BUG_ON() with real world fs, so I believe this patchset still makes sense.
- Enhanced eb accessors
Not really needed for the fuzzed images, as 448de471cd4c
("btrfs: Check the first key and level for cached extent buffer")
already fixed half of the reported images.
Just add a final layer of safe net.
Just to complain here, two experienced btrfs developer have got
confused by @start, @len in functions like read_extent_buffer() with
logical address.
The best example to solve the confusion is to check the
read_extent_buffer() call in btree_read_extent_buffer_pages().
I'm not sure why this confusion happens or even get spread.
My guess is the extent_buffer::start naming causing the problem.
If so, I would definitely rename extent_buffer::start to
extent_buffer::bytenr at any cost.
Hopes the new commend will address the problem for now.
- BUG_ON() hunt in __btrfs_free_extent()
Kill BUG_ON()s in __btrfs_free_extent(), replace with error reporting
and why it shouldn't happen.
Also add comment on what __btrfs_free_extent() is designed to do, with
two dump-tree examples for newcomers.
- BUG_ON() hunt in __btrfs_inc_extent_ref()
Just like __btrfs_free_extent(), but less comment as
comment for __btrfs_free_extent() should also work for
__btrfs_inc_extent_ref(), and __btrfs_inc_extent_ref() has a better
structure than __btrfs_free_extent().
- Defence against unbalanced empty leaf
- Defence against bad key order across two tree blocks
The last two cases can't be rejected by tree-checker and they are all
cross-eb cases.
Thankfully we can reuse existing first_key check against unbalanced
empty leaf, but needs extra check deep into ctree.c for tree block
merging time check.
Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>
[ Not to mail bombarding the report, thus only RB tag in cover letter ]
Changelog:
v2:
- Remove duplicated error message in WARN() call.
Changed to WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG))
Also move WARN() after btrfs error message.
- Fix a comment error in __btrfs_free_extent()
It's not adding refs to a tree block, but adding the same refs
to an existing tree block ref.
It's impossible a btrfs tree owning the same tree block directly twice.
- Add comment for eb accessors about @start and @len
If anyone could tell me why such confusion between @start @len and
logical address is here, I will definitely solve the root cause no
matter how many codes need to be modified.
- Use bool to replace int where only two values are returned
Also rename to follow the bool type.
- Remove one unrelated change for the error handler in
btrfs_inc_extent_ref()
- Add Reviewed-by tag
v3:
- Rebased to latest misc-next branch
All conflicts can be auto-merged.
v4:
- Remove one patch which is already merged
A little surprised by the fact that git can't detecth such case.
- Add new reviewed-by tags from Josef
v5:
- Properly inline the check while make the report code into another
function for the 1st patch
- Keep btrfs_abort_transaction() call where it is for the 2nd patch
To make the line number correct and abort transaction asap.
- Function naming update for the 4th patch
Qu Wenruo (4):
btrfs: extent_io: do extra check for extent buffer read write
functions
btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent() and do
better comment
btrfs: extent-tree: kill the BUG_ON() in
insert_inline_extent_backref()
btrfs: ctree: checking key orders before merged tree blocks
fs/btrfs/ctree.c | 71 +++++++++++++++++
fs/btrfs/extent-tree.c | 170 +++++++++++++++++++++++++++++++++++++----
fs/btrfs/extent_io.c | 82 +++++++++++---------
3 files changed, 272 insertions(+), 51 deletions(-)
--
2.28.0
next reply other threads:[~2020-08-19 6:35 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-19 6:35 Qu Wenruo [this message]
2020-08-19 6:35 ` [PATCH v5 1/4] btrfs: extent_io: do extra check for extent buffer read write functions Qu Wenruo
2020-08-19 17:11 ` David Sterba
2020-08-19 23:14 ` Qu Wenruo
2020-08-20 9:50 ` David Sterba
2020-08-20 9:58 ` Qu Wenruo
2020-08-20 14:46 ` David Sterba
2020-08-20 15:18 ` David Sterba
2020-08-20 23:39 ` Qu Wenruo
2020-08-19 6:35 ` [PATCH v5 2/4] btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent() and do better comment Qu Wenruo
2020-08-19 6:35 ` [PATCH v5 3/4] btrfs: extent-tree: kill the BUG_ON() in insert_inline_extent_backref() Qu Wenruo
2020-08-19 6:35 ` [PATCH v5 4/4] btrfs: ctree: checking key orders before merged tree blocks Qu Wenruo
2020-08-27 14:47 ` [PATCH v5 0/4] btrfs: Enhanced runtime defence against fuzzed images David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200819063550.62832-1-wqu@suse.com \
--to=wqu@suse.com \
--cc=jungyeon.yoon@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).