On Wed, Nov 23, 2016 at 05:47:15PM +0000, fdman...@kernel.org wrote:
> From: Filipe Manana <fdman...@suse.com>
>
> We can not simply use the owner field from an extent buffer's header to
> get the id of the respective tree when the extent buffer is from a
> relocation tree. When we create the root for a relocation tree we leave
> (on purpose) the owner field with the same value as the subvolume's tree
> root (we do this at ctree.c:btrfs_copy_root()). So we must ignore extent
> buffers from relocation trees, which have the BTRFS_HEADER_FLAG_RELOC
> flag set, because otherwise we will always consider the extent buffer
> as not being the root of the tree (the root of original subvolume tree
> is always different from the root of the respective relocation tree).
>
> This lead to assertion failures when running with the integrity checker
> enabled (CONFIG_BTRFS_FS_CHECK_INTEGRITY=y) such as the following:
>
> [ 643.393409] BTRFS critical (device sdg): corrupt leaf, non-root leaf's
> nritems is 0: block=38506496, root=260, slot=0
> [ 643.397609] BTRFS info (device sdg): leaf 38506496 total ptrs 0 free space
> 3995
> [ 643.407075] assertion failed: 0, file: fs/btrfs/disk-io.c, line: 4078
> [ 643.408425] ------------[ cut here ]------------
> [ 643.409112] kernel BUG at fs/btrfs/ctree.h:3419!
> [ 643.409773] invalid opcode: 0000 [#1] PREEMPT SMP
> [ 643.410447] Modules linked in: dm_flakey dm_mod crc32c_generic btrfs xor
> raid6_pq ppdev psmouse acpi_cpufreq parport_pc evdev parport tpm_tis
> tpm_tis_core pcspkr serio_raw i2c_piix4 sg tpm i2c_core button processor loop
> autofs4 ext4 crc16 jbd2 mbcache sr_mod cdrom sd_mod ata_generic virtio_scsi
> ata_piix libata virtio_pci virtio_ring scsi_mod virtio e1000 floppy
> [ 643.414356] CPU: 11 PID: 32726 Comm: btrfs Not tainted
> 4.8.0-rc8-btrfs-next-35+ #1
> [ 643.414356] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
> [ 643.414356] task: ffff880145e95b00 task.stack: ffff88014826c000
> [ 643.414356] RIP: 0010:[<ffffffffa0352759>] [<ffffffffa0352759>]
> assfail.constprop.41+0x1c/0x1e [btrfs]
> [ 643.414356] RSP: 0018:ffff88014826fa28 EFLAGS: 00010292
> [ 643.414356] RAX: 0000000000000039 RBX: ffff88014e2d7c38 RCX:
> 0000000000000001
> [ 643.414356] RDX: ffff88023f4d2f58 RSI: ffffffff81806c63 RDI:
> 00000000ffffffff
> [ 643.414356] RBP: ffff88014826fa28 R08: 0000000000000001 R09:
> 0000000000000000
> [ 643.414356] R10: ffff88014826f918 R11: ffffffff82f3c5ed R12:
> ffff880172910000
> [ 643.414356] R13: ffff880233992230 R14: ffff8801a68a3310 R15:
> fffffffffffffff8
> [ 643.414356] FS: 00007f9ca305e8c0(0000) GS:ffff88023f4c0000(0000)
> knlGS:0000000000000000
> [ 643.414356] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 643.414356] CR2: 00007f9ca3071000 CR3: 000000015d01b000 CR4:
> 00000000000006e0
> [ 643.414356] Stack:
> [ 643.414356] ffff88014826fa50 ffffffffa02d655a 000000000000000a
> ffff88014e2d7c38
> [ 643.414356] 0000000000000000 ffff88014826faa8 ffffffffa02b72f3
> ffff88014826fab8
> [ 643.414356] 00ffffffa03228e4 0000000000000000 0000000000000000
> ffff8801bbd4e000
> [ 643.414356] Call Trace:
> [ 643.414356] [<ffffffffa02d655a>] btrfs_mark_buffer_dirty+0xdf/0xe5 [btrfs]
> [ 643.414356] [<ffffffffa02b72f3>] btrfs_copy_root+0x18a/0x1d1 [btrfs]
> [ 643.414356] [<ffffffffa0322921>] create_reloc_root+0x72/0x1ba [btrfs]
> [ 643.414356] [<ffffffffa03267c2>] btrfs_init_reloc_root+0x7b/0xa7 [btrfs]
> [ 643.414356] [<ffffffffa02d9e44>] record_root_in_trans+0xdf/0xed [btrfs]
> [ 643.414356] [<ffffffffa02db04e>] btrfs_record_root_in_trans+0x50/0x6a
> [btrfs]
> [ 643.414356] [<ffffffffa030ad2b>] create_subvol+0x472/0x773 [btrfs]
> [ 643.414356] [<ffffffffa030b406>] btrfs_mksubvol+0x3da/0x463 [btrfs]
> [ 643.414356] [<ffffffffa030b406>] ? btrfs_mksubvol+0x3da/0x463 [btrfs]
> [ 643.414356] [<ffffffff810781ac>] ? preempt_count_add+0x65/0x68
> [ 643.414356] [<ffffffff811a6e97>] ? __mnt_want_write+0x62/0x77
> [ 643.414356] [<ffffffffa030b55d>]
> btrfs_ioctl_snap_create_transid+0xce/0x187 [btrfs]
> [ 643.414356] [<ffffffffa030b67d>] btrfs_ioctl_snap_create+0x67/0x81 [btrfs]
> [ 643.414356] [<ffffffffa030ecfd>] btrfs_ioctl+0x508/0x20dd [btrfs]
> [ 643.414356] [<ffffffff81293e39>] ? __this_cpu_preempt_check+0x13/0x15
> [ 643.414356] [<ffffffff81155eca>] ? handle_mm_fault+0x976/0x9ab
> [ 643.414356] [<ffffffff81091300>] ? arch_local_irq_save+0x9/0xc
> [ 643.414356] [<ffffffff8119a2b0>] vfs_ioctl+0x18/0x34
> [ 643.414356] [<ffffffff8119a8e8>] do_vfs_ioctl+0x581/0x600
> [ 643.414356] [<ffffffff814b9552>] ? entry_SYSCALL_64_fastpath+0x5/0xa8
> [ 643.414356] [<ffffffff81093fe9>] ? trace_hardirqs_on_caller+0x17b/0x197
> [ 643.414356] [<ffffffff8119a9be>] SyS_ioctl+0x57/0x79
> [ 643.414356] [<ffffffff814b9565>] entry_SYSCALL_64_fastpath+0x18/0xa8
> [ 643.414356] [<ffffffff81091b08>] ? trace_hardirqs_off_caller+0x3f/0xaa
> [ 643.414356] Code: 89 83 88 00 00 00 31 c0 5b 41 5c 41 5d 5d c3 55 89 f1 48
> c7 c2 98 bc 35 a0 48 89 fe 48 c7 c7 05 be 35 a0 48 89 e5 e8 13 46 dd e0 <0f>
> 0b 55 89 f1 48 c7 c2 9f d3 35 a0 48 89 fe 48 c7 c7 7a d5 35
> [ 643.414356] RIP [<ffffffffa0352759>] assfail.constprop.41+0x1c/0x1e
> [btrfs]
> [ 643.414356] RSP <ffff88014826fa28>
> [ 643.468267] ---[ end trace 6a1b3fb1a9d7d6e3 ]---
>
> This can be easily reproduced by running xfstests with the integrity
> checker enabled.
>
> Fixes: 1ba98d086fe3 (Btrfs: detect corruption when non-root leaf has zero
> item)
> Cc: sta...@vger.kernel.org # 4.8+
> Signed-off-by: Filipe Manana <fdman...@suse.com>
> ---
> fs/btrfs/disk-io.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index c4e673a..1cd3257 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -559,7 +559,15 @@ static noinline int check_leaf(struct btrfs_root *root,
> u32 nritems = btrfs_header_nritems(leaf);
> int slot;
>
> - if (nritems == 0) {
> + /*
> + * Extent buffers from a relocation tree have a owner field that
> + * corresponds to the subvolume tree they are based on. So just from an
> + * extent buffer alone we can not find out what is the id of the
> + * corresponding subvolume tree, so we can not figure out if the extent
> + * buffer corresponds to the root of the relocation tree or not. So skip
> + * this check for relocation trees.
> + */
> + if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
Hmm, it seems that we're not able to fetch a reloc root created from
btrfs_reloc_post_snapshot, otherwise we can access the reloc root via
check_root->reloc_root.
Anyway,
Reviewed-by: Liu Bo <bo.li....@oracle.com>
Thanks,
-liubo
> struct btrfs_root *check_root;
>
> key.objectid = btrfs_header_owner(leaf);
> @@ -587,6 +595,9 @@ static noinline int check_leaf(struct btrfs_root *root,
> return 0;
> }
>
> + if (nritems == 0)
> + return 0;
> +
> /* Check the 0 item */
> if (btrfs_item_offset_nr(leaf, 0) + btrfs_item_size_nr(leaf, 0) !=
> BTRFS_LEAF_DATA_SIZE(root)) {
> --
> 2.7.0.rc3
>
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
