[v2,0/5] btrfs: Enhanced runtime defence against fuzzed images

Message ID 20190725061222.9581-1-wqu@suse.com (mailing list archive)

Message

Qu Wenruo July 25, 2019, 6:12 a.m. UTC
Another wave of defence enhancement, including:

- Enhanced eb accessors
  Not really needed for the fuzzed images, as 448de471cd4c
  ("btrfs: Check the first key and level for cached extent buffer")
  already fixed half of the reported images.
  Just add a final layer of safety net.

  Just to complain here, two experienced btrfs developers have got
  confused by @start, @len in functions like read_extent_buffer() with
  logical address.
  The best example to solve the confusion is to check the
  read_extent_buffer() call in btree_read_extent_buffer_pages().

  I'm not sure why this confusion happens or even gets spread.
  My guess is that the extent_buffer::start naming is causing the problem.

  If so, I would definitely rename extent_buffer::start to
  extent_buffer::bytenr at any cost.
  Hope the new comment will address the problem for now.

- BUG_ON() hunt in __btrfs_free_extent()
  Kill BUG_ON()s in __btrfs_free_extent(), replace with error reporting
  and why it shouldn't happen.

  Also add comment on what __btrfs_free_extent() is designed to do, with
  two dump-tree examples for newcomers.

- BUG_ON() hunt in __btrfs_inc_extent_ref()
  Just like __btrfs_free_extent(), but less comment as
  comment for __btrfs_free_extent() should also work for
  __btrfs_inc_extent_ref(), and __btrfs_inc_extent_ref() has a better
  structure than __btrfs_free_extent().

- Defence against unbalanced empty leaf

- Defence against bad key order across two tree blocks

The last two cases can't be rejected by tree-checker and they are all
cross-eb cases.
Thankfully we can reuse the existing first_key check against the unbalanced
empty leaf, but the tree block merging time check needs an extra check
deep into ctree.c.

Reported-by: Jungyeon Yoon <jungyeon.yoon@gmail.com>
[ Not to mail-bomb the reporter, thus only the RB tag in the cover letter ]

Changelog:
v2:
- Remove duplicated error message in WARN() call.
  Changed to WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG))
  Also move WARN() after btrfs error message.

- Fix a comment error in __btrfs_free_extent()
  It's not adding refs to a tree block, but adding the same refs
  to an existing tree block ref.
  It's impossible for a btrfs tree to own the same tree block directly twice.

- Add comment for eb accessors about @start and @len
  If anyone could tell me why such confusion between @start @len and
  logical address is here, I will definitely solve the root cause no
  matter how much code needs to be modified.

- Use bool to replace int where only two values are returned
  Also rename to follow the bool type.

- Remove one unrelated change for the error handler in
  btrfs_inc_extent_ref()

- Add Reviewed-by tag

Qu Wenruo (5):
  btrfs: extent_io: Do extra check for extent buffer read write
    functions
  btrfs: extent-tree: Kill BUG_ON() in __btrfs_free_extent() and do
    better comment
  btrfs: Detect unbalanced tree with empty leaf before crashing btree
    operations
  btrfs: extent-tree: Kill the BUG_ON() in
    insert_inline_extent_backref()
  btrfs: ctree: Checking key orders before merged tree blocks

 fs/btrfs/ctree.c        |  68 +++++++++++++++++
 fs/btrfs/disk-io.c      |   8 ++
 fs/btrfs/extent-tree.c  | 164 ++++++++++++++++++++++++++++++++++++----
 fs/btrfs/extent_io.c    |  76 ++++++++++---------
 fs/btrfs/tree-checker.c |   6 ++
 5 files changed, 271 insertions(+), 51 deletions(-)
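
The two defences the series describes, the eb accessor bounds check on @start/@len and the cross-eb key order check at merge time, as an added stand-alone illustration that is not code from this series or from fs/btrfs; the struct layouts and function names are constructed stand-ins:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the kernel's extent_buffer (not btrfs code):
 * ->start is the block's logical address (bytenr), ->len its size. */
struct extent_buffer {
	uint64_t start;        /* logical address, NOT an offset */
	uint32_t len;          /* node size, e.g. 16K */
	unsigned char *data;
};

/* @start/@len are offsets INSIDE the buffer. Rejects ranges that would
 * run past eb->len, including the overflow case start + len < start. */
static bool eb_range_ok(const struct extent_buffer *eb,
			unsigned long start, unsigned long len)
{
	return start <= eb->len && len <= eb->len - start;
}
/* read_extent_buffer()-style copy that fails instead of overrunning;
 * passing eb->start (a logical address) as @start trips the check. */
static int read_eb_checked(const struct extent_buffer *eb, void *dst,
			   unsigned long start, unsigned long len)
{
	if (!eb_range_ok(eb, start, len))
		return -1;
	memcpy(dst, eb->data + start, len);
	return 0;
}

/* Key compare in btrfs sort order: objectid, then type, then offset. */
struct btrfs_key { uint64_t objectid; uint8_t type; uint64_t offset; };
static int comp_keys(const struct btrfs_key *a, const struct btrfs_key *b)
{
	if (a->objectid != b->objectid)
		return a->objectid < b->objectid ? -1 : 1;
	if (a->type != b->type)
		return a->type < b->type ? -1 : 1;
	if (a->offset != b->offset)
		return a->offset < b->offset ? -1 : 1;
	return 0;
}

/* Cross-eb check before merging two siblings: the last key of the left
 * block must sort strictly before the first key of the right block. */
static bool merge_keys_ordered(const struct btrfs_key *left_last,
			       const struct btrfs_key *right_first)
{
	return comp_keys(left_last, right_first) < 0;
}
```

Because tree-checker validates one block at a time, only a check like merge_keys_ordered() on the merge path can reject a fuzzed image whose two blocks are each internally sorted but overlap each other.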

Comments

Nikolay Borisov July 25, 2019, 6:49 a.m. UTC | #1
On 25.07.19 at 9:12, Qu Wenruo wrote:
> Another wave of defence enhancment, including:
> 
> - Enhanced eb accessors
>   Not really needed for the fuzzed images, as 448de471cd4c
>   ("btrfs: Check the first key and level for cached extent buffer")
>   already fixed half of the reported images.
>   Just add a final layer of safe net.
> 
>   Just to complain here, two experienced btrfs developer have got
>   confused by @start, @len in functions like read_extent_buffer() with
>   logical address.
>   The best example to solve the confusion is to check the
>   read_extent_buffer() call in btree_read_extent_buffer_pages().
> 
>   I'm not sure why this confusion happens or even get spread.
>   My guess is the extent_buffer::start naming causing the problem.
> 
>   If so, I would definitely rename extent_buffer::start to
>   extent_buffer::bytenr at any cost.
>   Hopes the new commend will address the problem for now.

It should be either bytenr, disk_bytenr, disk_addr or address.
Looking at the code base though, it seems there is already a convention
that bytenr means the byte number in the logical address space. So
indeed, bytenr should be ok.
