[PATCH 0/2] Simple two patches for tree checker

[PATCH 0/2] Simple two patches for tree checker

[Su Yue]

Two commits for enhancing tree checker to reject the img from
https://bugzilla.kernel.org/show_bug.cgi?id=215299.

Su Yue (2):
  btrfs: tree-checker: check item_size for inode_item
  btrfs: tree-checker: check item_size for dev_item

 fs/btrfs/tree-checker.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

-- 
2.34.1

[PATCH 1/2] btrfs: tree-checker: check item_size for inode_item

[Su Yue]

while mounting the crafted image, out-of-bounds access happens:
=======================================================================
[  350.429619] UBSAN: array-index-out-of-bounds in fs/btrfs/struct-funcs.c:161:1
[  350.429636] index 1048096 is out of range for type 'page *[16]'
[  350.429650] CPU: 0 PID: 9 Comm: kworker/u8:1 Not tainted 5.16.0-rc4 #1
[  350.429652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  350.429653] Workqueue: btrfs-endio-meta btrfs_work_helper [btrfs]
[  350.429772] Call Trace:
[  350.429774]  <TASK>
[  350.429776]  dump_stack_lvl+0x47/0x5c
[  350.429780]  ubsan_epilogue+0x5/0x50
[  350.429786]  __ubsan_handle_out_of_bounds+0x66/0x70
[  350.429791]  btrfs_get_16+0xfd/0x120 [btrfs]
[  350.429832]  check_leaf+0x754/0x1a40 [btrfs]
[  350.429874]  ? filemap_read+0x34a/0x390
[  350.429878]  ? load_balance+0x175/0xfc0
[  350.429881]  validate_extent_buffer+0x244/0x310 [btrfs]
[  350.429911]  btrfs_validate_metadata_buffer+0xf8/0x100 [btrfs]
[  350.429935]  end_bio_extent_readpage+0x3af/0x850 [btrfs]
[  350.429969]  ? newidle_balance+0x259/0x480
[  350.429972]  end_workqueue_fn+0x29/0x40 [btrfs]
[  350.429995]  btrfs_work_helper+0x71/0x330 [btrfs]
[  350.430030]  ? __schedule+0x2fb/0xa40
[  350.430033]  process_one_work+0x1f6/0x400
[  350.430035]  ? process_one_work+0x400/0x400
[  350.430036]  worker_thread+0x2d/0x3d0
[  350.430037]  ? process_one_work+0x400/0x400
[  350.430038]  kthread+0x165/0x190
[  350.430041]  ? set_kthread_struct+0x40/0x40
[  350.430043]  ret_from_fork+0x1f/0x30
[  350.430047]  </TASK>
[  350.430077] BTRFS warning (device loop0): bad eb member start: ptr 0xffe20f4e start 20975616 member offset 4293005178 size 2
=======================================================================

check_leaf() is checking the leaf:
========================================================================
corrupt leaf: root=4 block=29396992 slot=1, bad key order, prev (16140901064495857664 1 0) current (1 204 12582912)
leaf 29396992 items 6 free space 3565 generation 6 owner DEV_TREE
leaf 29396992 flags 0x1(WRITTEN) backref revision 1
fs uuid a62e00e8-e94e-4200-8217-12444de93c2e
chunk uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
        item 0 key (16140901064495857664 INODE_ITEM 0) itemoff 3955 itemsize 40
                generation 0 transid 0 size 0 nbytes 17592186044416
                block group 0 mode 52667 links 33 uid 0 gid 2104132511 rdev 94223634821136
                sequence 100305 flags 0x2409000(none)
                atime 0.0 (1970-01-01 08:00:00)
                ctime 2973280098083405823.4294967295 (-269783007-01-01 21:37:03)
                mtime 18446744071572723616.4026825121 (1902-04-16 12:40:00)
                otime 9249929404488876031.4294967295 (622322949-04-16 04:25:58)
        item 1 key (1 DEV_EXTENT 12582912) itemoff 3907 itemsize 48
                dev extent chunk_tree 3
                chunk_objectid 256 chunk_offset 12582912 length 8388608
                chunk_tree_uuid cecbd0f7-9ca0-441e-ae9f-f782f9732bd8
========================================================================
The corrupted leaf of device tree has an inode item. The leaf passed
checksum and others checks in validate_extent_buffer until check_leaf_item().
Because of the key type BTRFS_INODE_ITEM, check_inode_item() is called even we
are in the device tree. Since the
item offset + sizeof(struct btrfs_inode_item) > eb->len, out-of-bounds access
is triggered.

The item end vs leaf boundary check has been done before
check_leaf_item(), so fix it by checking item size in check_inode_item()
before access of the inode item in extent buffer.

Other check functions except check_dev_item() in check_leaf_item()
has their item size checks.
The commit for check_dev_item() is followed.

No regression observed during running xfstests.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=215299
Cc: Wenqing Liu <wenqingliu0120@gmail.com>
Signed-off-by: Su Yue <l@damenly.su>
---
 fs/btrfs/tree-checker.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 72e1c942197d..2978fc89c093 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1007,6 +1007,7 @@ static int check_inode_item(struct extent_buffer *leaf,
 	struct btrfs_inode_item *iitem;
 	u64 super_gen = btrfs_super_generation(fs_info->super_copy);
 	u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
+	u32 item_size = btrfs_item_size(leaf, slot);
 	u32 mode;
 	int ret;
 	u32 flags;
@@ -1016,6 +1017,12 @@ static int check_inode_item(struct extent_buffer *leaf,
 	if (unlikely(ret < 0))
 		return ret;
 
+	if (unlikely(item_size != sizeof(*iitem))) {
+		generic_err(leaf, slot, "invalid item size: has=%u expect=%zu",
+			    item_size, sizeof(*iitem));
+		return -EUCLEAN;
+	}
+
 	iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
 
 	/* Here we use super block generation + 1 to handle log tree */
-- 
2.34.1

[PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Su Yue]

Check item size before accessing the device item to avoid out of bound
access.

Signed-off-by: Su Yue <l@damenly.su>
---
 fs/btrfs/tree-checker.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 2978fc89c093..87fff4345977 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -965,6 +965,7 @@ static int check_dev_item(struct extent_buffer *leaf,
 			  struct btrfs_key *key, int slot)
 {
 	struct btrfs_dev_item *ditem;
+	u32 item_size = btrfs_item_size(leaf, slot);
 
 	if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
 		dev_item_err(leaf, slot,
@@ -972,6 +973,13 @@ static int check_dev_item(struct extent_buffer *leaf,
 			     key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
 		return -EUCLEAN;
 	}
+
+	if (unlikely(item_size != sizeof(*ditem))) {
+		dev_item_err(leaf, slot, "invalid item size: has=%u expect=%zu",
+			     item_size, sizeof(*ditem));
+		return -EUCLEAN;
+	}
+
 	ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
 	if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
 		dev_item_err(leaf, slot,
-- 
2.34.1

Re: [PATCH 0/2] Simple two patches for tree checker

[David Sterba]

On Fri, Jan 21, 2022 at 05:33:33PM +0800, Su Yue wrote:
> Two commits for enhancing tree checker to reject the img from
> https://bugzilla.kernel.org/show_bug.cgi?id=215299.
> 
> Su Yue (2):
>   btrfs: tree-checker: check item_size for inode_item
>   btrfs: tree-checker: check item_size for dev_item

Nice, added to misc-next, thanks. I'll update and close the bug.

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Wang Yugui]

Hi,

A btrfs filesystem failed to boot with this patch.

corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item size: has 0 expect 98

Any way to fix it online?

Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2022/02/05

> Check item size before accessing the device item to avoid out of bound
> access.
> 
> Signed-off-by: Su Yue <l@damenly.su>
> ---
>  fs/btrfs/tree-checker.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index 2978fc89c093..87fff4345977 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -965,6 +965,7 @@ static int check_dev_item(struct extent_buffer *leaf,
>  			  struct btrfs_key *key, int slot)
>  {
>  	struct btrfs_dev_item *ditem;
> +	u32 item_size = btrfs_item_size(leaf, slot);
>  
>  	if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
>  		dev_item_err(leaf, slot,
> @@ -972,6 +973,13 @@ static int check_dev_item(struct extent_buffer *leaf,
>  			     key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
>  		return -EUCLEAN;
>  	}
> +
> +	if (unlikely(item_size != sizeof(*ditem))) {
> +		dev_item_err(leaf, slot, "invalid item size: has=%u expect=%zu",
> +			     item_size, sizeof(*ditem));
> +		return -EUCLEAN;
> +	}
> +
>  	ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
>  	if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
>  		dev_item_err(leaf, slot,
> -- 
> 2.34.1

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Wang Yugui]

Hi,

> A btrfs filesystem failed to boot with this patch.
> 
> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item size: has 0 expect 98
> 
> Any way to fix it online?

This btrfs filesystem is created by centos 7.9 installer (btrfs 4.9?)
about 1 years ago.  and then mainly writen by kernel 5.4/5.10/5.15.

Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2022/02/05


> 
> > Check item size before accessing the device item to avoid out of bound
> > access.
> > 
> > Signed-off-by: Su Yue <l@damenly.su>
> > ---
> >  fs/btrfs/tree-checker.c | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> > 
> > diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> > index 2978fc89c093..87fff4345977 100644
> > --- a/fs/btrfs/tree-checker.c
> > +++ b/fs/btrfs/tree-checker.c
> > @@ -965,6 +965,7 @@ static int check_dev_item(struct extent_buffer *leaf,
> >  			  struct btrfs_key *key, int slot)
> >  {
> >  	struct btrfs_dev_item *ditem;
> > +	u32 item_size = btrfs_item_size(leaf, slot);
> >  
> >  	if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
> >  		dev_item_err(leaf, slot,
> > @@ -972,6 +973,13 @@ static int check_dev_item(struct extent_buffer *leaf,
> >  			     key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
> >  		return -EUCLEAN;
> >  	}
> > +
> > +	if (unlikely(item_size != sizeof(*ditem))) {
> > +		dev_item_err(leaf, slot, "invalid item size: has=%u expect=%zu",
> > +			     item_size, sizeof(*ditem));
> > +		return -EUCLEAN;
> > +	}
> > +
> >  	ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
> >  	if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
> >  		dev_item_err(leaf, slot,
> > -- 
> > 2.34.1
> 

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Su Yue]

On Sat 05 Feb 2022 at 12:35, Wang Yugui <wangyugui@e16-tech.com> 
wrote:

> Hi,
>
>> A btrfs filesystem failed to boot with this patch.
>>
>> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item 
>> size: has 0 expect 98
>>
>> Any way to fix it online?
>
> This btrfs filesystem is created by centos 7.9 installer (btrfs 
> 4.9?)
> about 1 years ago.  and then mainly writen by kernel 
> 5.4/5.10/5.15.
>
Yes, btrfs-progs v4.9 and v3.10 based kernel.
I created a btrfs and it looks fine.
Could please provide output of
btrfs inspect-internal dump-tree $device -t 3
?
You can trim it if the content is too long only leaf 1081344 is 
needed.


--
Su

> Best Regards
> Wang Yugui (wangyugui@e16-tech.com)
> 2022/02/05
>
>
>>
>> > Check item size before accessing the device item to avoid out 
>> > of bound
>> > access.
>> >
>> > Signed-off-by: Su Yue <l@damenly.su>
>> > ---
>> >  fs/btrfs/tree-checker.c | 8 ++++++++
>> >  1 file changed, 8 insertions(+)
>> >
>> > diff --git a/fs/btrfs/tree-checker.c 
>> > b/fs/btrfs/tree-checker.c
>> > index 2978fc89c093..87fff4345977 100644
>> > --- a/fs/btrfs/tree-checker.c
>> > +++ b/fs/btrfs/tree-checker.c
>> > @@ -965,6 +965,7 @@ static int check_dev_item(struct 
>> > extent_buffer *leaf,
>> >  			  struct btrfs_key *key, int slot)
>> >  {
>> >  	struct btrfs_dev_item *ditem;
>> > +	u32 item_size = btrfs_item_size(leaf, slot);
>> >
>> >  	if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
>> >  		dev_item_err(leaf, slot,
>> > @@ -972,6 +973,13 @@ static int check_dev_item(struct 
>> > extent_buffer *leaf,
>> >  			     key->objectid, 
>> >  BTRFS_DEV_ITEMS_OBJECTID);
>> >  		return -EUCLEAN;
>> >  	}
>> > +
>> > +	if (unlikely(item_size != sizeof(*ditem))) {
>> > +		dev_item_err(leaf, slot, "invalid item size: 
>> > has=%u expect=%zu",
>> > +			     item_size, sizeof(*ditem));
>> > +		return -EUCLEAN;
>> > +	}
>> > +
>> >  	ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
>> >  	if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) 
>> >  {
>> >  		dev_item_err(leaf, slot,
>> > --
>> > 2.34.1
>>

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Wang Yugui]

[-- Attachment #1: Type: text/plain, Size: 1546 bytes --]

Hi,

> >> A btrfs filesystem failed to boot with this patch.
> >>
> >> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item
> >> size: has 0 expect 98
> >>
> >> Any way to fix it online?
> >
> > This btrfs filesystem is created by centos 7.9 installer (btrfs
> > 4.9?)
> > about 1 years ago.  and then mainly writen by kernel
> > 5.4/5.10/5.15.
> >
> Yes, btrfs-progs v4.9 and v3.10 based kernel.
> I created a btrfs and it looks fine.
> Could please provide output of
> btrfs inspect-internal dump-tree $device -t 3
> ?
> You can trim it if the content is too long only leaf 1081344 is needed.

Hi,

# btrfs filesystem show /
Label: 'OS_T640'  uuid: 73dcce98-8f6b-4ec8-bfac-fa7c7c87409d
        Total devices 10 FS bytes used 5.53TiB
        devid    1 size 799.00GiB used 332.01GiB path /dev/sda2
        devid    2 size 1.75TiB used 741.00GiB path /dev/sdg1
        devid    3 size 1.75TiB used 745.00GiB path /dev/sdj1
        devid    4 size 1.75TiB used 740.00GiB path /dev/sdi1
        devid    5 size 1.75TiB used 745.00GiB path /dev/sdd1
        devid    6 size 1.75TiB used 480.00GiB path /dev/sde1
        devid    7 size 1.75TiB used 480.00GiB path /dev/sdh1
        devid    8 size 1.75TiB used 479.00GiB path /dev/sdc1
        devid    9 size 1.75TiB used 480.00GiB path /dev/sdb1
        devid   10 size 1.75TiB used 479.00GiB path /dev/sdf1

#btrfs inspect-internal dump-tree /dev/sda2 -t 3 > 3.txt

and then 3.txt is zipped as  this attachment file(3.zip)

Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2022/02/05



[-- Attachment #2: 3.zip --]
[-- Type: application/x-zip-compressed, Size: 120280 bytes --]

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Qu Wenruo]

On 2022/2/5 20:30, Wang Yugui wrote:
> Hi,
>
>>>> A btrfs filesystem failed to boot with this patch.
>>>>
>>>> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item
>>>> size: has 0 expect 98
>>>>
>>>> Any way to fix it online?
>>>
>>> This btrfs filesystem is created by centos 7.9 installer (btrfs
>>> 4.9?)
>>> about 1 years ago.  and then mainly writen by kernel
>>> 5.4/5.10/5.15.
>>>
>> Yes, btrfs-progs v4.9 and v3.10 based kernel.
>> I created a btrfs and it looks fine.
>> Could please provide output of
>> btrfs inspect-internal dump-tree $device -t 3
>> ?
>> You can trim it if the content is too long only leaf 1081344 is needed.
>
> Hi,
>
> # btrfs filesystem show /
> Label: 'OS_T640'  uuid: 73dcce98-8f6b-4ec8-bfac-fa7c7c87409d
>          Total devices 10 FS bytes used 5.53TiB
>          devid    1 size 799.00GiB used 332.01GiB path /dev/sda2
>          devid    2 size 1.75TiB used 741.00GiB path /dev/sdg1
>          devid    3 size 1.75TiB used 745.00GiB path /dev/sdj1
>          devid    4 size 1.75TiB used 740.00GiB path /dev/sdi1
>          devid    5 size 1.75TiB used 745.00GiB path /dev/sdd1
>          devid    6 size 1.75TiB used 480.00GiB path /dev/sde1
>          devid    7 size 1.75TiB used 480.00GiB path /dev/sdh1
>          devid    8 size 1.75TiB used 479.00GiB path /dev/sdc1
>          devid    9 size 1.75TiB used 480.00GiB path /dev/sdb1
>          devid   10 size 1.75TiB used 479.00GiB path /dev/sdf1
>
> #btrfs inspect-internal dump-tree /dev/sda2 -t 3 > 3.txt
>
> and then 3.txt is zipped as  this attachment file(3.zip)

Full dmesg of the boot failure please.

The dump-tree shows the device item is completely sane, it has size 98,
not the value (0) reported from tree-checker.

Thus I don't know why tree-checker is reporting this problem.

Thanks,
Qu
>
> Best Regards
> Wang Yugui (wangyugui@e16-tech.com)
> 2022/02/05
>
>

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Wang Yugui]

[-- Attachment #1: Type: text/plain, Size: 1981 bytes --]

Hi,

> >>>> A btrfs filesystem failed to boot with this patch.
> >>>>
> >>>> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid item
> >>>> size: has 0 expect 98
> >>>>
> >>>> Any way to fix it online?
> >>>
> >>> This btrfs filesystem is created by centos 7.9 installer (btrfs
> >>> 4.9?)
> >>> about 1 years ago.  and then mainly writen by kernel
> >>> 5.4/5.10/5.15.
> >>>
> >> Yes, btrfs-progs v4.9 and v3.10 based kernel.
> >> I created a btrfs and it looks fine.
> >> Could please provide output of
> >> btrfs inspect-internal dump-tree $device -t 3
> >> ?
> >> You can trim it if the content is too long only leaf 1081344 is needed.
> >
> > Hi,
> >
> > # btrfs filesystem show /
> > Label: 'OS_T640'  uuid: 73dcce98-8f6b-4ec8-bfac-fa7c7c87409d
> >          Total devices 10 FS bytes used 5.53TiB
> >          devid    1 size 799.00GiB used 332.01GiB path /dev/sda2
> >          devid    2 size 1.75TiB used 741.00GiB path /dev/sdg1
> >          devid    3 size 1.75TiB used 745.00GiB path /dev/sdj1
> >          devid    4 size 1.75TiB used 740.00GiB path /dev/sdi1
> >          devid    5 size 1.75TiB used 745.00GiB path /dev/sdd1
> >          devid    6 size 1.75TiB used 480.00GiB path /dev/sde1
> >          devid    7 size 1.75TiB used 480.00GiB path /dev/sdh1
> >          devid    8 size 1.75TiB used 479.00GiB path /dev/sdc1
> >          devid    9 size 1.75TiB used 480.00GiB path /dev/sdb1
> >          devid   10 size 1.75TiB used 479.00GiB path /dev/sdf1
> >
> > #btrfs inspect-internal dump-tree /dev/sda2 -t 3 > 3.txt
> >
> > and then 3.txt is zipped as  this attachment file(3.zip)
> 
> Full dmesg of the boot failure please.
> 
> The dump-tree shows the device item is completely sane, it has size 98,
> not the value (0) reported from tree-checker.
> 
> Thus I don't know why tree-checker is reporting this problem.
> 

This (attachment file boot.dmesg.txt.zip ) is the full dmesg output

Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2022/02/05

[-- Attachment #2: boot.dmesg.txt.zip --]
[-- Type: application/x-zip-compressed, Size: 27568 bytes --]

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Su Yue]

On Sat 05 Feb 2022 at 22:49, Wang Yugui <wangyugui@e16-tech.com> 
wrote:

> Hi,
>
>> >>>> A btrfs filesystem failed to boot with this patch.
>> >>>>
>> >>>> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid 
>> >>>> item
>> >>>> size: has 0 expect 98
>> >>>>
>> >>>> Any way to fix it online?
>> >>>
>> >>> This btrfs filesystem is created by centos 7.9 installer 
>> >>> (btrfs
>> >>> 4.9?)
>> >>> about 1 years ago.  and then mainly writen by kernel
>> >>> 5.4/5.10/5.15.
>> >>>
>> >> Yes, btrfs-progs v4.9 and v3.10 based kernel.
>> >> I created a btrfs and it looks fine.
>> >> Could please provide output of
>> >> btrfs inspect-internal dump-tree $device -t 3
>> >> ?
>> >> You can trim it if the content is too long only leaf 1081344 
>> >> is needed.
>> >
>> > Hi,
>> >
>> > # btrfs filesystem show /
>> > Label: 'OS_T640'  uuid: 73dcce98-8f6b-4ec8-bfac-fa7c7c87409d
>> >          Total devices 10 FS bytes used 5.53TiB
>> >          devid    1 size 799.00GiB used 332.01GiB path 
>> >          /dev/sda2
>> >          devid    2 size 1.75TiB used 741.00GiB path 
>> >          /dev/sdg1
>> >          devid    3 size 1.75TiB used 745.00GiB path 
>> >          /dev/sdj1
>> >          devid    4 size 1.75TiB used 740.00GiB path 
>> >          /dev/sdi1
>> >          devid    5 size 1.75TiB used 745.00GiB path 
>> >          /dev/sdd1
>> >          devid    6 size 1.75TiB used 480.00GiB path 
>> >          /dev/sde1
>> >          devid    7 size 1.75TiB used 480.00GiB path 
>> >          /dev/sdh1
>> >          devid    8 size 1.75TiB used 479.00GiB path 
>> >          /dev/sdc1
>> >          devid    9 size 1.75TiB used 480.00GiB path 
>> >          /dev/sdb1
>> >          devid   10 size 1.75TiB used 479.00GiB path 
>> >          /dev/sdf1
>> >
>> > #btrfs inspect-internal dump-tree /dev/sda2 -t 3 > 3.txt
>> >
>> > and then 3.txt is zipped as  this attachment file(3.zip)
>>
>> Full dmesg of the boot failure please.
>>
>> The dump-tree shows the device item is completely sane, it has 
>> size 98,
>> not the value (0) reported from tree-checker.
>>
>> Thus I don't know why tree-checker is reporting this problem.
>>
>
> This (attachment file boot.dmesg.txt.zip ) is the full dmesg 
> output
>
As Qu suggested to me, would you plase provide output after
apply of the following diff? (It may crash the kernel if there is 
*real*
one invalid dev_item).

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 9fd145f1c4bc..5fb981b4b42a 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -25,6 +25,7 @@
 #include "volumes.h"
 #include "misc.h"
 #include "btrfs_inode.h"
+#include "print-tree.h"

 /*
  * Error message should follow the following format:
@@ -977,6 +978,7 @@ static int check_dev_item(struct extent_buffer 
*leaf,
        if (unlikely(item_size != sizeof(*ditem))) {
                dev_item_err(leaf, slot, "invalid item size: has 
                %u expect %zu",
                             item_size, sizeof(*ditem));
+               btrfs_print_leaf(leaf);
                return -EUCLEAN;
        }


--
Su
> Best Regards
> Wang Yugui (wangyugui@e16-tech.com)
> 2022/02/05
>
> [2. application/x-zip-compressed; boot.dmesg.txt.zip]...

Re: [PATCH 2/2] btrfs: tree-checker: check item_size for dev_item

[Wang Yugui]

Hi,

> >> >>>> A btrfs filesystem failed to boot with this patch.
> >> >>>>
> >> >>>> corrupt leaf: root=3 block=1081344 slot=0 devid=1 invalid
> >> >>>> item
> >> >>>> size: has 0 expect 98
> >> >>>>


> As Qu suggested to me, would you plase provide output after
> apply of the following diff? (It may crash the kernel if there is *real*
> one invalid dev_item).
> 
> diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
> index 9fd145f1c4bc..5fb981b4b42a 100644
> --- a/fs/btrfs/tree-checker.c
> +++ b/fs/btrfs/tree-checker.c
> @@ -25,6 +25,7 @@
>  #include "volumes.h"
>  #include "misc.h"
>  #include "btrfs_inode.h"
> +#include "print-tree.h"
> 
>  /*
>   * Error message should follow the following format:
> @@ -977,6 +978,7 @@ static int check_dev_item(struct extent_buffer *leaf,
>         if (unlikely(item_size != sizeof(*ditem))) {
>                 dev_item_err(leaf, slot, "invalid item size: has                 %u expect %zu",
>                              item_size, sizeof(*ditem));
> +               btrfs_print_leaf(leaf);
>                 return -EUCLEAN;
>         }

When I tested this new diag patch, I noticed that I wrongly applied
these 2 patches to 5.15.x.
btrfs-tree-checker-check-item_size-for-inode_item.patch
btrfs-tree-checker-check-item_size-for-dev_item.patch

some depency patches(at least btrfs-drop-the-_nr-from-the-item-helpers.patch,
maybe more) are missed.

In fact, without these depency patches, there are some build warning,
but I failed to noticed them.

so this is just my bad now. sorry.

Best Regards
Wang Yugui (wangyugui@e16-tech.com)
2022/02/06

Re: [PATCH 0/2] Simple two patches for tree checker

[Su Yue]

On Mon 24 Jan 2022 at 16:44, David Sterba <dsterba@suse.cz> wrote:

> On Fri, Jan 21, 2022 at 05:33:33PM +0800, Su Yue wrote:
>> Two commits for enhancing tree checker to reject the img from
>> https://bugzilla.kernel.org/show_bug.cgi?id=215299.
>>
>> Su Yue (2):
>>   btrfs: tree-checker: check item_size for inode_item
>>   btrfs: tree-checker: check item_size for dev_item
>
> Nice, added to misc-next, thanks. I'll update and close the bug.

CC the reporter.

Oops. The Link of the crafted image in the first megered patch was 
pasted
wrongly. Just found while testing backports.

It should be

https://bugzilla.kernel.org/show_bug.cgi?id=215289

instead of

https://bugzilla.kernel.org/show_bug.cgi?id=215299

And the latter is still unfixed.

My bad.

--
Su