[0/3] btrfs: Part 2 of enhanced defence against fuzzed images

Message ID	20190716090034.11641-1-wqu@suse.com (mailing list archive)
Headers	show Return-Path: <linux-btrfs-owner@kernel.org> From: Qu Wenruo <wqu@suse.com> To: linux-btrfs@vger.kernel.org Cc: Jungyeon Yoon <jungyeon.yoon@gmail.com> Subject: [PATCH 0/3] btrfs: Part 2 of enhanced defence against fuzzed images Date: Tue, 16 Jul 2019 17:00:31 +0800 Message-Id: <20190716090034.11641-1-wqu@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk
Series	btrfs: Part 2 of enhanced defence against fuzzed images \| expand [0/3] btrfs: Part 2 of enhanced defence against fuzzed images [1/3] btrfs: delayed-inode: Kill the BUG_ON() in btrfs_delete_delayed_dir_index() [2/3] btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type [3/3] btrfs: tree-checker: Add ROOT_ITEM check

Message ID

20190716090034.11641-1-wqu@suse.com (mailing list archive)

Headers

From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Cc: Jungyeon Yoon <jungyeon.yoon@gmail.com>
Subject: [PATCH 0/3] btrfs: Part 2 of enhanced defence against fuzzed images
Date: Tue, 16 Jul 2019 17:00:31 +0800
Message-Id: <20190716090034.11641-1-wqu@suse.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk

Series

btrfs: Part 2 of enhanced defence against fuzzed images | expand

Message

Qu Wenruo July 16, 2019, 9 a.m. UTC

This wave has the following features:
- Hunt down BUG_ON() in btrfs_delete_delayed_dir_index()
  EEXIST can cause BUG_ON(). And all callers of this function has
  already handled error by aborting transacation.

- Only allocate extents from the same block group type
  This is a very tricky bug, needs MIXED_GROUP super flag with regular
  block groups (separate META and DATA) and corrupted extent tree.

- ROOT_ITEM check for tree checker
  This kills the unaligned bytenr, invalid level and incorrect reloc
  tree.

Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>

Qu Wenruo (3):
  btrfs: delayed-inode: Kill the BUG_ON() in
    btrfs_delete_delayed_dir_index()
  btrfs: extent-tree: Make sure we only allocate extents from block
    groups with the same type
  btrfs: tree-checker: Add ROOT_ITEM check

 fs/btrfs/delayed-inode.c | 14 +++++-
 fs/btrfs/extent-tree.c   |  9 ++++
 fs/btrfs/tree-checker.c  | 92 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 2 deletions(-)

Comments

David Sterba July 31, 2019, 3:58 p.m. UTC | #1

On Tue, Jul 16, 2019 at 05:00:31PM +0800, Qu Wenruo wrote:
> This wave has the following features:
> - Hunt down BUG_ON() in btrfs_delete_delayed_dir_index()
>   EEXIST can cause BUG_ON(). And all callers of this function has
>   already handled error by aborting transacation.
> 
> - Only allocate extents from the same block group type
>   This is a very tricky bug, needs MIXED_GROUP super flag with regular
>   block groups (separate META and DATA) and corrupted extent tree.
> 
> - ROOT_ITEM check for tree checker
>   This kills the unaligned bytenr, invalid level and incorrect reloc
>   tree.
> 
> Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>
> 
> Qu Wenruo (3):
>   btrfs: delayed-inode: Kill the BUG_ON() in
>     btrfs_delete_delayed_dir_index()
>   btrfs: extent-tree: Make sure we only allocate extents from block
>     groups with the same type
>   btrfs: tree-checker: Add ROOT_ITEM check

Added to misc-next, with some minor updates, thanks.