Message ID | 1466645539-27296-1-git-send-email-bo.li.liu@oracle.com (mailing list archive) |
---|---|
State | Superseded |
On Wed, Jun 22, 2016 at 06:32:19PM -0700, Liu Bo wrote:
> With btrfs-corrupt-block, one can set btree node/leaf's field, if > we assign a negative value to node/leaf, we can get various hangs, > eg. if extent_root's nritems is -2ULL, then we get stuck in > btrfs_read_block_groups() because it has a while loop and > btrfs_search_slot() on extent_root will always return the first > child. > > This lets us know what's happening and returns a EINVAL to callers > instead of returning the first item. > > Signed-off-by: Liu Bo <bo.li.liu@oracle.com> > --- > fs/btrfs/ctree.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c > index c49a500..915d224 100644 > --- a/fs/btrfs/ctree.c > +++ b/fs/btrfs/ctree.c > @@ -1770,6 +1770,14 @@ static noinline int generic_bin_search(struct extent_buffer *eb, > unsigned long map_len = 0; > int err; > > + if (low > high) { > + btrfs_err(eb->fs_info, > + "%s: low (%d) < high (%d) eb %llu owner %llu level %d",

Why is it '<' in the error message?

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jun 23, 2016 at 10:51:52AM +0200, David Sterba wrote:
> On Wed, Jun 22, 2016 at 06:32:19PM -0700, Liu Bo wrote: > > With btrfs-corrupt-block, one can set btree node/leaf's field, if > > we assign a negative value to node/leaf, we can get various hangs, > > eg. if extent_root's nritems is -2ULL, then we get stuck in > > btrfs_read_block_groups() because it has a while loop and > > btrfs_search_slot() on extent_root will always return the first > > child. > > > > This lets us know what's happening and returns a EINVAL to callers > > instead of returning the first item. > > > > Signed-off-by: Liu Bo <bo.li.liu@oracle.com> > > --- > > fs/btrfs/ctree.c | 8 ++++++++ > > 1 file changed, 8 insertions(+) > > > > diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c > > index c49a500..915d224 100644 > > --- a/fs/btrfs/ctree.c > > +++ b/fs/btrfs/ctree.c > > @@ -1770,6 +1770,14 @@ static noinline int generic_bin_search(struct extent_buffer *eb, > > unsigned long map_len = 0; > > int err; > > > > + if (low > high) { > > + btrfs_err(eb->fs_info, > > + "%s: low (%d) < high (%d) eb %llu owner %llu level %d", > > Why is it '<' in the error message?

Err, my typo error.

Thanks,

-liubo
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index c49a500..915d224 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -1770,6 +1770,14 @@ static noinline int generic_bin_search(struct extent_buffer *eb, unsigned long map_len = 0; int err; + if (low > high) { + btrfs_err(eb->fs_info, + "%s: low (%d) < high (%d) eb %llu owner %llu level %d", + __func__, low, high, eb->start, + btrfs_header_owner(eb), btrfs_header_level(eb)); + return -EINVAL; + } + while (low < high) { mid = (low + high) / 2; offset = p + mid * item_size;
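Review bot: the `low > high` guard added at the top of generic_bin_search() only rejects a range that is already inverted, so a corrupted item count that stays positive but is larger than the buffer can hold still reaches `offset = p + mid * item_size` with an out-of-range `mid`. Consider also bounding `high` against the number of items that fit in the extent buffer, or validating nritems when the block is read, so the search is never entered with an untrusted count. The message text also contradicts the test: it prints "low (%d) < high (%d)" when the condition that fired is `low > high`, which will mislead whoever reads the log.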
With btrfs-corrupt-block, one can set btree node/leaf's field, if we assign a negative value to node/leaf, we can get various hangs, eg. if extent_root's nritems is -2ULL, then we get stuck in btrfs_read_block_groups() because it has a while loop and btrfs_search_slot() on extent_root will always return the first child.

This lets us know what's happening and returns a EINVAL to callers instead of returning the first item.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>

---
fs/btrfs/ctree.c | 8 ++++++++
1 file changed, 8 insertions(+)