btrfs-progs/kernel-shared/extent_io.h

149 lines
5.3 KiB
C
Raw Normal View History

/*
* Copyright (C) 2007 Oracle. All rights reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public
* License v2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public
* License along with this program; if not, write to the
* Free Software Foundation, Inc., 59 Temple Place - Suite 330,
* Boston, MA 021110-1307, USA.
*/
#ifndef __BTRFS_EXTENT_IO_H__
#define __BTRFS_EXTENT_IO_H__
#include "kerncompat.h"
#include "kernel-lib/bitops.h"
#include "kernel-lib/list.h"
#include "common/extent-cache.h"
#define EXTENT_BUFFER_UPTODATE (1U << 0)
#define EXTENT_BUFFER_DIRTY (1U << 1)
#define EXTENT_BUFFER_BAD_TRANSID (1U << 2)
#define EXTENT_BUFFER_DUMMY (1U << 3)
#define BLOCK_GROUP_DATA (1U << 1)
#define BLOCK_GROUP_METADATA (1U << 2)
#define BLOCK_GROUP_SYSTEM (1U << 4)
/*
* The extent buffer bitmap operations are done with byte granularity instead of
* word granularity for two reasons:
* 1. The bitmaps must be little-endian on disk.
* 2. Bitmap items are not guaranteed to be aligned to a word and therefore a
* single word in a bitmap may straddle two pages in the extent buffer.
*/
#define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)
#define BYTE_MASK ((1U << BITS_PER_BYTE) - 1)
#define BITMAP_FIRST_BYTE_MASK(start) \
((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)
#define BITMAP_LAST_BYTE_MASK(nbits) \
(BYTE_MASK >> (-(nbits) & (BITS_PER_BYTE - 1)))
static inline int le_test_bit(int nr, const u8 *addr)
{
return 1U & (addr[BIT_BYTE(nr)] >> (nr & (BITS_PER_BYTE-1)));
}
struct btrfs_fs_info;
struct btrfs_trans_handle;
struct extent_buffer {
struct cache_extent cache_node;
u64 start;
struct list_head lru;
struct list_head recow;
u32 len;
int refs;
u32 flags;
struct btrfs_fs_info *fs_info;
char data[] __attribute__((aligned(8)));
};
static inline void extent_buffer_get(struct extent_buffer *eb)
{
eb->refs++;
}
static inline int set_extent_buffer_uptodate(struct extent_buffer *eb)
{
eb->flags |= EXTENT_BUFFER_UPTODATE;
return 0;
}
static inline int clear_extent_buffer_uptodate(struct extent_buffer *eb)
{
eb->flags &= ~EXTENT_BUFFER_UPTODATE;
return 0;
}
static inline int extent_buffer_uptodate(struct extent_buffer *eb)
{
if (!eb || IS_ERR(eb))
return 0;
if (eb->flags & EXTENT_BUFFER_UPTODATE)
return 1;
return 0;
}
struct extent_buffer *find_extent_buffer(struct btrfs_fs_info *fs_info,
u64 bytenr);
struct extent_buffer *find_first_extent_buffer(struct btrfs_fs_info *fs_info,
u64 start);
struct extent_buffer *alloc_extent_buffer(struct btrfs_fs_info *fs_info,
u64 bytenr, u32 blocksize);
struct extent_buffer *btrfs_clone_extent_buffer(struct extent_buffer *src);
btrfs-progs: disk-io: Verify the bytenr passed in is mapped for read_tree_block() [BUG] For a fuzzed image, `btrfs check` will segfault at open_ctree() stage: $ btrfs check --mode=lowmem issue_207.raw Opening filesystem to check... extent_io.c:665: free_extent_buffer_internal: BUG_ON `eb->refs < 0` triggered, value 1 btrfs(+0x6bf67)[0x56431d278f67] btrfs(+0x6c16e)[0x56431d27916e] btrfs(alloc_extent_buffer+0x45)[0x56431d279db5] btrfs(read_tree_block+0x59)[0x56431d2848f9] btrfs(btrfs_setup_all_roots+0x29c)[0x56431d28535c] btrfs(+0x78903)[0x56431d285903] btrfs(open_ctree_fs_info+0x90)[0x56431d285b60] btrfs(+0x45a01)[0x56431d252a01] btrfs(main+0x94)[0x56431d2220c4] /usr/lib/libc.so.6(__libc_start_main+0xf3)[0x7f6e28519153] btrfs(_start+0x2e)[0x56431d22235e] [CAUSE] The fuzzed image has a strange log root bytenr: log_root 61440 log_root_transid 0 In fact, the log_root seems to be fuzzed, as its transid is 0, which is invalid. Note that range [61440, 77824) covers the physical offset of the primary super block. The bug is caused by the following sequence: 1. cache for tree block [64K, 68K) is created by open_ctree() __open_ctree_fd() |- btrfs_setup_chunk_tree_and_device_map() |- btrfs_read_sys_array() |- sb = btrfs_find_create_tree_block() |- free_extent_buffer(sb) This created an extent buffer [64K, 68K) in fs_info->extent_cache, then reduce the refcount of that eb back to 0, but not freed yet. 2. Try to read that corrupted log root __open_ctree_fd() |- btrfs_setup_chunk_tree_and_device_map() |- btrfs_setup_all_roots() |- find_and_setup_log_root() |- read_tree_block() |- btrfs_find_create_tree_block() |- alloc_extent_buffer() The final alloc_extent_buffer() will try to free that cached eb [64K, 68K), since it doesn't match with current search. And since that cached eb is already released (refcount == 0), the extra free_extent_buffer() will cause above BUG_ON(). [FIX] Here we fix it through a more comprehensive method, instead of simply verifying log_root_transid, here we just don't pollute eb cache when reading sys chunk array. So that we won't have an eb cache [64K, 68K), and will error out at logical mapping phase. Issue: #207 Signed-off-by: Qu Wenruo <wqu@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
2019-12-18 01:19:39 +00:00
struct extent_buffer *alloc_dummy_extent_buffer(struct btrfs_fs_info *fs_info,
u64 bytenr, u32 blocksize);
void free_extent_buffer(struct extent_buffer *eb);
void free_extent_buffer_nocache(struct extent_buffer *eb);
void free_extent_buffer_stale(struct extent_buffer *eb);
int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
unsigned long start, unsigned long len);
void read_extent_buffer(const struct extent_buffer *eb, void *dst,
unsigned long start, unsigned long len);
void write_extent_buffer_fsid(struct extent_buffer *eb, const void *src);
void write_extent_buffer_chunk_tree_uuid(struct extent_buffer *eb,
const void *src);
void write_extent_buffer(struct extent_buffer *eb, const void *src,
unsigned long start, unsigned long len);
void copy_extent_buffer_full(struct extent_buffer *dst,
const struct extent_buffer *src);
void copy_extent_buffer(struct extent_buffer *dst,
const struct extent_buffer *src,
unsigned long dst_offset, unsigned long src_offset,
unsigned long len);
void memcpy_extent_buffer(struct extent_buffer *dst,
unsigned long dst_offset, unsigned long src_offset,
unsigned long len);
void memmove_extent_buffer(struct extent_buffer *dst,
const unsigned long dst_offset,
unsigned long src_offset, unsigned long len);
void memset_extent_buffer(struct extent_buffer *eb, char c,
unsigned long start, unsigned long len);
int extent_buffer_test_bit(const struct extent_buffer *eb, unsigned long start,
unsigned long nr);
int set_extent_buffer_dirty(struct extent_buffer *eb);
int btrfs_clear_buffer_dirty(struct btrfs_trans_handle *trans,
struct extent_buffer *eb);
int read_data_from_disk(struct btrfs_fs_info *info, void *buf, u64 logical,
u64 *len, int mirror);
int write_data_to_disk(struct btrfs_fs_info *info, const void *buf, u64 offset,
u64 bytes);
void extent_buffer_bitmap_clear(struct extent_buffer *eb, unsigned long start,
unsigned long pos, unsigned long len);
void extent_buffer_bitmap_set(struct extent_buffer *eb, unsigned long start,
unsigned long pos, unsigned long len);
void extent_buffer_init_cache(struct btrfs_fs_info *fs_info);
void extent_buffer_free_cache(struct btrfs_fs_info *fs_info);
void btrfs_readahead_node_child(struct extent_buffer *node, int slot);
#endif