2008-01-04 15:36:26 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2007 Oracle. All rights reserved.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public
|
|
|
|
* License v2 as published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public
|
|
|
|
* License along with this program; if not, write to the
|
|
|
|
* Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
|
|
* Boston, MA 021110-1307, USA.
|
|
|
|
*/
|
|
|
|
|
2015-01-21 16:49:26 +00:00
|
|
|
#ifndef __BTRFS_EXTENT_IO_H__
|
|
|
|
#define __BTRFS_EXTENT_IO_H__
|
2013-01-07 22:24:35 +00:00
|
|
|
|
2008-01-04 15:36:26 +00:00
|
|
|
#include "kerncompat.h"
|
2023-08-28 20:12:13 +00:00
|
|
|
#include "kernel-lib/bitops.h"
|
2019-06-20 13:30:57 +00:00
|
|
|
#include "kernel-lib/list.h"
|
2023-08-28 20:12:13 +00:00
|
|
|
#include "common/extent-cache.h"
|
2008-01-04 15:36:26 +00:00
|
|
|
|
2022-11-23 22:37:27 +00:00
|
|
|
#define EXTENT_BUFFER_UPTODATE (1U << 0)
|
|
|
|
#define EXTENT_BUFFER_DIRTY (1U << 1)
|
|
|
|
#define EXTENT_BUFFER_BAD_TRANSID (1U << 2)
|
|
|
|
#define EXTENT_BUFFER_DUMMY (1U << 3)
|
|
|
|
|
2016-07-27 21:27:05 +00:00
|
|
|
#define BLOCK_GROUP_DATA (1U << 1)
|
|
|
|
#define BLOCK_GROUP_METADATA (1U << 2)
|
|
|
|
#define BLOCK_GROUP_SYSTEM (1U << 4)
|
2013-07-03 13:25:17 +00:00
|
|
|
|
2016-07-15 19:12:48 +00:00
|
|
|
/*
|
|
|
|
* The extent buffer bitmap operations are done with byte granularity instead of
|
|
|
|
* word granularity for two reasons:
|
|
|
|
* 1. The bitmaps must be little-endian on disk.
|
|
|
|
* 2. Bitmap items are not guaranteed to be aligned to a word and therefore a
|
|
|
|
* single word in a bitmap may straddle two pages in the extent buffer.
|
|
|
|
*/
|
|
|
|
#define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)
|
2024-03-12 21:03:36 +00:00
|
|
|
#define BYTE_MASK ((1U << BITS_PER_BYTE) - 1)
|
2016-07-15 19:12:48 +00:00
|
|
|
#define BITMAP_FIRST_BYTE_MASK(start) \
|
|
|
|
((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)
|
|
|
|
#define BITMAP_LAST_BYTE_MASK(nbits) \
|
|
|
|
(BYTE_MASK >> (-(nbits) & (BITS_PER_BYTE - 1)))
|
|
|
|
|
|
|
|
static inline int le_test_bit(int nr, const u8 *addr)
|
|
|
|
{
|
|
|
|
return 1U & (addr[BIT_BYTE(nr)] >> (nr & (BITS_PER_BYTE-1)));
|
|
|
|
}
|
|
|
|
|
2013-04-04 13:57:50 +00:00
|
|
|
struct btrfs_fs_info;
|
2023-08-23 14:32:31 +00:00
|
|
|
struct btrfs_trans_handle;
|
2013-04-04 13:57:50 +00:00
|
|
|
|
2008-01-04 15:36:26 +00:00
|
|
|
struct extent_buffer {
|
|
|
|
struct cache_extent cache_node;
|
|
|
|
u64 start;
|
|
|
|
struct list_head lru;
|
2013-10-01 13:00:19 +00:00
|
|
|
struct list_head recow;
|
btrfs-progs: reorder extent buffer members for better packing
Afther the fs_info was added, the size was over 128 bytes but we still
have 8 bytes of holes, so with minor reordering we get back to that size.
Before:
struct extent_buffer {
struct cache_extent cache_node; /* 0 48 */
u64 start; /* 48 8 */
u64 dev_bytenr; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
u32 len; /* 64 4 */
/* XXX 4 bytes hole, try to pack */
struct extent_io_tree * tree; /* 72 8 */
struct list_head lru; /* 80 16 */
struct list_head recow; /* 96 16 */
int refs; /* 112 4 */
u32 flags; /* 116 4 */
int fd; /* 120 4 */
/* XXX 4 bytes hole, try to pack */
/* --- cacheline 2 boundary (128 bytes) --- */
struct btrfs_fs_info * fs_info; /* 128 8 */
char data[0]; /* 136 0 */
/* size: 136, cachelines: 3, members: 12 */
/* sum members: 128, holes: 2, sum holes: 8 */
/* last cacheline: 8 bytes */
};
After:
struct extent_buffer {
struct cache_extent cache_node; /* 0 48 */
u64 start; /* 48 8 */
u64 dev_bytenr; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
struct extent_io_tree * tree; /* 64 8 */
struct list_head lru; /* 72 16 */
struct list_head recow; /* 88 16 */
u32 len; /* 104 4 */
int refs; /* 108 4 */
u32 flags; /* 112 4 */
int fd; /* 116 4 */
struct btrfs_fs_info * fs_info; /* 120 8 */
/* --- cacheline 2 boundary (128 bytes) --- */
char data[0]; /* 128 0 */
/* size: 128, cachelines: 2, members: 12 */
};
Signed-off-by: David Sterba <dsterba@suse.com>
2018-04-09 15:42:40 +00:00
|
|
|
u32 len;
|
2008-01-04 15:36:26 +00:00
|
|
|
int refs;
|
2016-07-27 21:19:20 +00:00
|
|
|
u32 flags;
|
2018-03-30 05:48:55 +00:00
|
|
|
struct btrfs_fs_info *fs_info;
|
2016-09-12 09:13:24 +00:00
|
|
|
char data[] __attribute__((aligned(8)));
|
2008-01-04 15:36:26 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline void extent_buffer_get(struct extent_buffer *eb)
|
|
|
|
{
|
|
|
|
eb->refs++;
|
|
|
|
}
|
|
|
|
|
2015-01-27 03:12:43 +00:00
|
|
|
static inline int set_extent_buffer_uptodate(struct extent_buffer *eb)
|
|
|
|
{
|
2022-11-23 22:37:27 +00:00
|
|
|
eb->flags |= EXTENT_BUFFER_UPTODATE;
|
2015-01-27 03:12:43 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-09-28 08:30:04 +00:00
|
|
|
static inline int clear_extent_buffer_uptodate(struct extent_buffer *eb)
|
2015-01-27 03:12:43 +00:00
|
|
|
{
|
2022-11-23 22:37:27 +00:00
|
|
|
eb->flags &= ~EXTENT_BUFFER_UPTODATE;
|
2015-01-27 03:12:43 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int extent_buffer_uptodate(struct extent_buffer *eb)
|
|
|
|
{
|
|
|
|
if (!eb || IS_ERR(eb))
|
|
|
|
return 0;
|
2022-11-23 22:37:27 +00:00
|
|
|
if (eb->flags & EXTENT_BUFFER_UPTODATE)
|
2015-01-27 03:12:43 +00:00
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2022-11-23 22:37:22 +00:00
|
|
|
struct extent_buffer *find_extent_buffer(struct btrfs_fs_info *fs_info,
|
2023-04-19 21:24:02 +00:00
|
|
|
u64 bytenr);
|
2022-11-23 22:37:22 +00:00
|
|
|
struct extent_buffer *find_first_extent_buffer(struct btrfs_fs_info *fs_info,
|
2008-01-04 15:36:26 +00:00
|
|
|
u64 start);
|
2018-03-30 05:48:55 +00:00
|
|
|
struct extent_buffer *alloc_extent_buffer(struct btrfs_fs_info *fs_info,
|
2008-01-04 15:36:26 +00:00
|
|
|
u64 bytenr, u32 blocksize);
|
2014-10-10 20:57:07 +00:00
|
|
|
struct extent_buffer *btrfs_clone_extent_buffer(struct extent_buffer *src);
|
btrfs-progs: disk-io: Verify the bytenr passed in is mapped for read_tree_block()
[BUG]
For a fuzzed image, `btrfs check` will segfault at open_ctree() stage:
$ btrfs check --mode=lowmem issue_207.raw
Opening filesystem to check...
extent_io.c:665: free_extent_buffer_internal: BUG_ON `eb->refs < 0` triggered, value 1
btrfs(+0x6bf67)[0x56431d278f67]
btrfs(+0x6c16e)[0x56431d27916e]
btrfs(alloc_extent_buffer+0x45)[0x56431d279db5]
btrfs(read_tree_block+0x59)[0x56431d2848f9]
btrfs(btrfs_setup_all_roots+0x29c)[0x56431d28535c]
btrfs(+0x78903)[0x56431d285903]
btrfs(open_ctree_fs_info+0x90)[0x56431d285b60]
btrfs(+0x45a01)[0x56431d252a01]
btrfs(main+0x94)[0x56431d2220c4]
/usr/lib/libc.so.6(__libc_start_main+0xf3)[0x7f6e28519153]
btrfs(_start+0x2e)[0x56431d22235e]
[CAUSE]
The fuzzed image has a strange log root bytenr:
log_root 61440
log_root_transid 0
In fact, the log_root seems to be fuzzed, as its transid is 0, which is
invalid.
Note that range [61440, 77824) covers the physical offset of the primary
super block.
The bug is caused by the following sequence:
1. cache for tree block [64K, 68K) is created by open_ctree()
__open_ctree_fd()
|- btrfs_setup_chunk_tree_and_device_map()
|- btrfs_read_sys_array()
|- sb = btrfs_find_create_tree_block()
|- free_extent_buffer(sb)
This created an extent buffer [64K, 68K) in fs_info->extent_cache, then
reduce the refcount of that eb back to 0, but not freed yet.
2. Try to read that corrupted log root
__open_ctree_fd()
|- btrfs_setup_chunk_tree_and_device_map()
|- btrfs_setup_all_roots()
|- find_and_setup_log_root()
|- read_tree_block()
|- btrfs_find_create_tree_block()
|- alloc_extent_buffer()
The final alloc_extent_buffer() will try to free that cached eb
[64K, 68K), since it doesn't match with current search.
And since that cached eb is already released (refcount == 0), the
extra free_extent_buffer() will cause above BUG_ON().
[FIX]
Here we fix it through a more comprehensive method, instead of simply
verifying log_root_transid, here we just don't pollute eb cache when
reading sys chunk array.
So that we won't have an eb cache [64K, 68K), and will error out at
logical mapping phase.
Issue: #207
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2019-12-18 01:19:39 +00:00
|
|
|
struct extent_buffer *alloc_dummy_extent_buffer(struct btrfs_fs_info *fs_info,
|
|
|
|
u64 bytenr, u32 blocksize);
|
2008-01-04 15:36:26 +00:00
|
|
|
void free_extent_buffer(struct extent_buffer *eb);
|
2017-07-25 20:51:34 +00:00
|
|
|
void free_extent_buffer_nocache(struct extent_buffer *eb);
|
2023-04-19 21:23:56 +00:00
|
|
|
void free_extent_buffer_stale(struct extent_buffer *eb);
|
2019-06-17 07:59:33 +00:00
|
|
|
int memcmp_extent_buffer(const struct extent_buffer *eb, const void *ptrv,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long start, unsigned long len);
|
2019-06-17 07:59:33 +00:00
|
|
|
void read_extent_buffer(const struct extent_buffer *eb, void *dst,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long start, unsigned long len);
|
2024-08-07 13:09:38 +00:00
|
|
|
void write_extent_buffer_fsid(struct extent_buffer *eb, const void *src);
|
|
|
|
void write_extent_buffer_chunk_tree_uuid(struct extent_buffer *eb,
|
2023-06-27 15:27:04 +00:00
|
|
|
const void *src);
|
2024-08-07 13:09:38 +00:00
|
|
|
void write_extent_buffer(struct extent_buffer *eb, const void *src,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long start, unsigned long len);
|
2024-08-07 13:09:38 +00:00
|
|
|
void copy_extent_buffer_full(struct extent_buffer *dst,
|
2023-06-27 14:20:30 +00:00
|
|
|
const struct extent_buffer *src);
|
2024-08-07 13:09:38 +00:00
|
|
|
void copy_extent_buffer(struct extent_buffer *dst,
|
2023-04-19 21:20:41 +00:00
|
|
|
const struct extent_buffer *src,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long dst_offset, unsigned long src_offset,
|
|
|
|
unsigned long len);
|
2024-08-07 13:09:38 +00:00
|
|
|
void memcpy_extent_buffer(struct extent_buffer *dst,
|
2023-08-23 14:32:38 +00:00
|
|
|
unsigned long dst_offset, unsigned long src_offset,
|
|
|
|
unsigned long len);
|
2024-08-07 13:09:38 +00:00
|
|
|
void memmove_extent_buffer(struct extent_buffer *dst,
|
2023-04-19 21:20:41 +00:00
|
|
|
const unsigned long dst_offset,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long src_offset, unsigned long len);
|
2024-08-07 13:09:38 +00:00
|
|
|
void memset_extent_buffer(struct extent_buffer *eb, char c,
|
2008-01-04 15:36:26 +00:00
|
|
|
unsigned long start, unsigned long len);
|
2023-04-19 21:20:41 +00:00
|
|
|
int extent_buffer_test_bit(const struct extent_buffer *eb, unsigned long start,
|
2015-09-30 03:51:45 +00:00
|
|
|
unsigned long nr);
|
2008-01-04 15:36:26 +00:00
|
|
|
int set_extent_buffer_dirty(struct extent_buffer *eb);
|
2023-08-23 14:32:31 +00:00
|
|
|
int btrfs_clear_buffer_dirty(struct btrfs_trans_handle *trans,
|
|
|
|
struct extent_buffer *eb);
|
2022-04-05 12:48:27 +00:00
|
|
|
int read_data_from_disk(struct btrfs_fs_info *info, void *buf, u64 logical,
|
|
|
|
u64 *len, int mirror);
|
2023-05-09 11:48:39 +00:00
|
|
|
int write_data_to_disk(struct btrfs_fs_info *info, const void *buf, u64 offset,
|
2022-08-02 07:52:41 +00:00
|
|
|
u64 bytes);
|
2018-10-01 14:46:13 +00:00
|
|
|
void extent_buffer_bitmap_clear(struct extent_buffer *eb, unsigned long start,
|
|
|
|
unsigned long pos, unsigned long len);
|
|
|
|
void extent_buffer_bitmap_set(struct extent_buffer *eb, unsigned long start,
|
|
|
|
unsigned long pos, unsigned long len);
|
2022-11-23 22:37:25 +00:00
|
|
|
void extent_buffer_init_cache(struct btrfs_fs_info *fs_info);
|
|
|
|
void extent_buffer_free_cache(struct btrfs_fs_info *fs_info);
|
2023-04-19 21:24:03 +00:00
|
|
|
void btrfs_readahead_node_child(struct extent_buffer *node, int slot);
|
2018-10-01 14:46:13 +00:00
|
|
|
|
2008-01-04 15:36:26 +00:00
|
|
|
#endif
|