From patchwork Fri Jun 19 16:31:16 2015
X-Patchwork-Submitter: Sandino Araico Sánchez
X-Patchwork-Id: 6646171
Message-ID: <558443D4.3050506@sandino.net>
Date: Fri, 19 Jun 2015 11:31:16 -0500
From: Sandino Araico Sánchez
To: linux-btrfs@vger.kernel.org
Subject: [PATCH] Integer underflow in ctree.c

btrfs check crashed while trying to fix my corrupted filesystem.

btrfs check --repair /dev/sdd3
enabling repair mode
Checking filesystem on /dev/sdd3
UUID: 58222ebc-79ca-4dc4-891f-129aae342313
checking extents
bad key ordering 0 1
bad block 3535142326272
Errors found in extent allocation tree or chunk allocation
Fixed 0 roots.
checking free space cache
cache and super generation don't match, space cache will be invalidated
checking fs roots
bad key ordering 0 1
bad key ordering 0 1
The following tree block(s) is corrupted in tree 814:
tree block bytenr: 3535142346752, level: 0, node key: (1270098042880, 168, 4096)
Try to repair the btree for root 814
Segmentation fault

What I found on the gdb backtrace:

(gdb) bt
#0  0x00006fc5cb578411 in ?? ()
#1  0x000009d5fe028bab in memmove_extent_buffer (dst=0x9d76942cf30, dst_offset=1586, src_offset=1619, len=141733920735) at extent_io.c:880
#2  0x000009d5fe002e1b in btrfs_del_ptr (trans=0x9d7669ec990, root=0x9d7648891c0, path=0x9d7669f69f0, level=0, slot=45) at ctree.c:2592
#3  0x000009d5fdfd467a in repair_btree (root=0x9d7648891c0, corrupt_blocks=0x70f1b0905030) at cmds-check.c:3267
#4  0x000009d5fdfd4e40 in check_fs_root (root=0x9d7648891c0, root_cache=0x70f1b0905380, wc=0x70f1b0905240) at cmds-check.c:3422
#5  0x000009d5fdfd52e6 in check_fs_roots (root=0x9d5ffdf0d10, root_cache=0x70f1b0905380) at cmds-check.c:3523
#6  0x000009d5fdfe4ce6 in cmd_check (argc=1, argv=0x70f1b0905560) at cmds-check.c:9470
#7  0x000009d5fdfad8a1 in main (argc=3, argv=0x70f1b0905560) at btrfs.c:245
(gdb) select-frame 2
(gdb) info locals
parent = 0x9d76942cf30
nritems = 45
ret = 0
__func__ = "btrfs_del_ptr"

function btrfs_del_ptr parameter is called with slot=45 and in line 2590 btrfs_header_nritems(parent) returns 45 for variable nritems; in line 2596 the result of (nritems - slot - 1) equals to 0x00000000 - 1 and memmove_extent_buffer gets called with a huge value for parameter len.

After the patch btrfs check is not crashing anymore.

diff -uri btrfs-progs-v4.0.1.orig/ctree.c btrfs-progs-v4.0.1/ctree.c --- btrfs-progs-v4.0.1.orig/ctree.c 2015-06-19 03:43:12.000000000 -0500 +++ btrfs-progs-v4.0.1/ctree.c 2015-06-19 03:43:49.000000000 -0500 @@ -2588,7 +2588,7 @@ int ret = 0; nritems = btrfs_header_nritems(parent); - if (slot != nritems -1) { + if (slot < nritems -1) { memmove_extent_buffer(parent, btrfs_node_key_ptr_offset(slot), btrfs_node_key_ptr_offset(slot + 1),
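
Review bot: The changed condition `if (slot < nritems -1) {` still does not validate `slot`. The reported case (slot=45, nritems=45) is an out-of-range index, since valid slots are 0..nritems-1; the new test only skips the memmove for it, and whatever follows the if (not shown in the hunk) then runs for a slot that does not exist. The len in frame #1 (141733920735 = 33 * 0xFFFFFFFF, with the two offsets 33 bytes apart) shows the subtraction is done in 32-bit unsigned arithmetic, so `nritems -1` itself wraps when nritems is 0 and the comparison is then true for slot 0, producing the same huge length. I would reject the bad index before the move, for example with `if (slot < 0 || slot >= nritems)` returning an error through the existing `ret`, and look at why repair_btree (cmds-check.c:3267) passes slot == nritems. Minor: `nritems -1` should be spaced `nritems - 1`, and the mail carries no Signed-off-by line.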
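
The length computation described in the message, modelled as an added example (not code from the patch or from btrfs-progs). The function names are hypothetical, and the 33-byte entry size and 32-bit unsigned item count are assumptions inferred from the backtrace values:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 33-byte entries (src_offset 1619 - dst_offset 1586 in frame #1). */
#define KEY_PTR_SIZE 33u

/* Bytes handed to the move under the original check (slot != nritems - 1).
 * nritems is a 32-bit unsigned count (assumption); 0 means the move is skipped. */
uint64_t len_original(uint32_t nritems, int slot)
{
    if ((uint32_t)slot != nritems - 1)
        return (uint64_t)KEY_PTR_SIZE * (uint32_t)(nritems - (uint32_t)slot - 1);
    return 0;
}

/* Same computation under the patched check (slot < nritems - 1). */
uint64_t len_patched(uint32_t nritems, int slot)
{
    if ((uint32_t)slot < nritems - 1)
        return (uint64_t)KEY_PTR_SIZE * (uint32_t)(nritems - (uint32_t)slot - 1);
    return 0;
}

/* Checked variant: refuses an index outside 0..nritems-1 before any
 * subtraction. Returns 0 and stores the byte count in *len, or -1. */
int len_checked(uint32_t nritems, int slot, uint64_t *len)
{
    if (slot < 0 || (uint32_t)slot >= nritems)
        return -1;
    *len = (uint64_t)KEY_PTR_SIZE * (nritems - (uint32_t)slot - 1);
    return 0;
}

int main(void)
{
    uint64_t len = 0;
    /* The crashing call from the backtrace: slot=45, nritems=45. */
    printf("original(45,45) = %" PRIu64 "\n", len_original(45, 45));
    printf("patched(45,45)  = %" PRIu64 "\n", len_patched(45, 45));
    /* Empty node: nritems - 1 wraps, so the patched test passes for slot 0. */
    printf("patched(0,0)    = %" PRIu64 "\n", len_patched(0, 0));
    printf("checked(45,45)  = %d\n", len_checked(45, 45, &len));
    return 0;
}
```
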