From patchwork Tue Jul 3 08:08:29 2018
X-Patchwork-Submitter: Qu Wenruo
X-Patchwork-Id: 10503415
From: Qu Wenruo
To: linux-btrfs@vger.kernel.org
Subject: [PATCH v2 1/2] btrfs: Check each block group has corresponding chunk at mount time
Date: Tue, 3 Jul 2018 16:08:29 +0800
Message-Id: <20180703080830.8300-1-wqu@suse.com>

Reported in https://bugzilla.kernel.org/show_bug.cgi?id=199837, if a
crafted btrfs has an incorrect chunk<->block group mapping, it could lead
to a lot of unexpected behavior.

Although the crafted image can be caught by the block group item checker
added in "[PATCH] btrfs: tree-checker: Verify block_group_item", if one
crafts a valid enough block group item which can pass the above check but
still mismatches the existing chunk, it could cause a lot of undefined
behavior.

This patch will add an extra block group -> chunk mapping check, to ensure
we have a completely matching (start, len, flags) chunk for each block
group at mount time.

Reported-by: Xu Wen
Signed-off-by: Qu Wenruo
---
changelog:
v2:
  Add better error message for each mismatch case.
  Rename function name, to co-operate with later patch.
  Add flags mismatch check.
---
fs/btrfs/extent-tree.c | 55 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 3d9fe58c0080..82b446f014b9 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c 
@@ -10003,6 +10003,41 @@ btrfs_create_block_group_cache(struct btrfs_fs_info *fs_info, return cache; } +static int check_exist_chunk(struct btrfs_fs_info *fs_info, u64 start, u64 len, + u64 flags) +{ + struct btrfs_mapping_tree *map_tree = &fs_info->mapping_tree; + struct extent_map *em; + int ret; + + read_lock(&map_tree->map_tree.lock); + em = lookup_extent_mapping(&map_tree->map_tree, start, len); + read_unlock(&map_tree->map_tree.lock); + + if (!em) { + btrfs_err_rl(fs_info, + "block group start=%llu len=%llu doesn't have corresponding chunk", + start, len); + ret = -ENOENT; + goto out; + } + if (em->start != start || em->len != len || + (em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK) != + (flags & BTRFS_BLOCK_GROUP_TYPE_MASK)) { + btrfs_err_rl(fs_info, +"block group start=%llu len=%llu flags=0x%llx doesn't match with chunk start=%llu len=%llu flags=0x%llx", + start, len , flags & BTRFS_BLOCK_GROUP_TYPE_MASK, + em->start, em->len, em->map_lookup->type & + BTRFS_BLOCK_GROUP_TYPE_MASK); + ret = -EUCLEAN; + goto out; + } + ret = 0; +out: + free_extent_map(em); + return ret; +} + int btrfs_read_block_groups(struct btrfs_fs_info *info) { struct btrfs_path *path; @@ -10036,6 +10071,9 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) need_clear = 1; while (1) { + struct btrfs_block_group_item bg; + int slot; + ret = find_first_block_group(info, path, &key); if (ret > 0) break; 
@@ -10043,7 +10081,20 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) goto error; leaf = path->nodes[0]; - btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]); + slot = path->slots[0]; + btrfs_item_key_to_cpu(leaf, &found_key, slot); + + read_extent_buffer(leaf, &bg, btrfs_item_ptr_offset(leaf, slot), + sizeof(bg)); + /* + * Chunk and block group must have 1:1 mapping. + * So there must be a chunk for this block group. + */ + ret = check_exist_chunk(info, found_key.objectid, + found_key.offset, + btrfs_block_group_flags(&bg)); + if (ret < 0) + goto error; cache = btrfs_create_block_group_cache(info, found_key.objectid, found_key.offset); @@ -10068,7 +10119,7 @@ int btrfs_read_block_groups(struct btrfs_fs_info *info) } read_extent_buffer(leaf, &cache->item, - btrfs_item_ptr_offset(leaf, path->slots[0]), + btrfs_item_ptr_offset(leaf, slot), sizeof(cache->item)); cache->flags = btrfs_block_group_flags(&cache->item); if (!mixed &&
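
Review bot: in check_exist_chunk() the flags comparison masks both sides with BTRFS_BLOCK_GROUP_TYPE_MASK, so only the type bits are compared, while the commit message promises a completely matching (start, len, flags) chunk. Either compare the remaining flag bits as well, or state in the commit message and in a comment above the function that only the type is checked. In the same function the !em branch does "goto out" and so passes a NULL em to free_extent_map(); returning -ENOENT directly after the btrfs_err_rl() call would leave the out: label for the path that actually holds a reference. There is also a stray space in "start, len , flags".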
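
Review bot: in the btrfs_read_block_groups() loop the block group item is now read from the leaf twice at the same offset, first into the new stack variable bg via read_extent_buffer(leaf, &bg, ...) and then again further down into cache->item. Consider filling cache->item from bg once btrfs_create_block_group_cache() has succeeded, so there is a single read and the flags that were checked against the chunk are the ones that end up in cache->flags. The comment above the call says chunk and block group must have a 1:1 mapping, but the call only verifies the block group to chunk direction; wording it as "each block group must have a matching chunk" would describe what is checked here.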