Re: [PATCH 4/5] btrfs: Check each block group has corresponding chunk at mount time

[Qu Wenruo]

On 2018年07月04日 13:45, Gu, Jinxiang wrote:
> 
> 
>> -----Original Message-----
>> From: linux-btrfs-ow...@vger.kernel.org 
>> [mailto:linux-btrfs-ow...@vger.kernel.org] On Behalf Of Qu Wenruo
>> Sent: Tuesday, July 03, 2018 5:10 PM
>> To: linux-btrfs@vger.kernel.org
>> Subject: [PATCH 4/5] btrfs: Check each block group has corresponding chunk 
>> at mount time
>>
>> A crafted btrfs with incorrect chunk<->block group mapping, it could leads
>> to a lot of unexpected behavior.
>>
>> Although the crafted image can be catched by block group item checker
>> added in "[PATCH] btrfs: tree-checker: Verify block_group_item", if one
>> crafted a valid enough block group item which can pass above check but
>> still mismatch with existing chunk, it could cause a lot of undefined
>> behavior.
>>
>> This patch will add extra block group -> chunk mapping check, to ensure
>> we have a completely matching (start, len, flags) chunk for each block
>> group at mount time.
>>
>> Link: https://bugzilla.kernel.org/show_bug.cgi?id=199837
>> Reported-by: Xu Wen <wen...@gatech.edu>
>> Signed-off-by: Qu Wenruo <w...@suse.com>
>> ---
>>  fs/btrfs/extent-tree.c | 55 ++++++++++++++++++++++++++++++++++++++++--
>>  1 file changed, 53 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
>> index 3d9fe58c0080..82b446f014b9 100644
>> --- a/fs/btrfs/extent-tree.c
>> +++ b/fs/btrfs/extent-tree.c
>> @@ -10003,6 +10003,41 @@ btrfs_create_block_group_cache(struct btrfs_fs_info 
>> *fs_info,
>>      return cache;
>>  }
>>
>> +static int check_exist_chunk(struct btrfs_fs_info *fs_info, u64 start, u64 
>> len,
>> +                         u64 flags)
>> +{
>> +    struct btrfs_mapping_tree *map_tree = &fs_info->mapping_tree;
>> +    struct extent_map *em;
>> +    int ret;
>> +
>> +    read_lock(&map_tree->map_tree.lock);
>> +    em = lookup_extent_mapping(&map_tree->map_tree, start, len);
>> +    read_unlock(&map_tree->map_tree.lock);
>> +
>> +    if (!em) {
>> +            btrfs_err_rl(fs_info,
>> +    "block group start=%llu len=%llu doesn't have corresponding chunk",
>> +                         start, len);
>> +            ret = -ENOENT;
>> +            goto out;
>> +    }
> 
> This check has been done in find_first_block_group which has been called 
> before
> check_exist_chunk be called.

Oh, yes, find_first_block_group() indeed does this check, so there is no
need for check_exsist_chunk().
> 
>> +    if (em->start != start || em->len != len ||
>> +        (em->map_lookup->type & BTRFS_BLOCK_GROUP_TYPE_MASK) !=
>> +        (flags & BTRFS_BLOCK_GROUP_TYPE_MASK)) {
>> +            btrfs_err_rl(fs_info,
>> +"block group start=%llu len=%llu flags=0x%llx doesn't match with chunk 
>> start=%llu len=%llu flags=0x%llx",
>> +                         start, len , flags & BTRFS_BLOCK_GROUP_TYPE_MASK,
>> +                         em->start, em->len, em->map_lookup->type &
>> +                         BTRFS_BLOCK_GROUP_TYPE_MASK);
>> +            ret = -EUCLEAN;
>> +            goto out;
>> +    }
> Should this check also be added to find_first_block_group?

Yep.

Thanks,
Qu

> 
>> +    ret = 0;
>> +out:
>> +    free_extent_map(em);
>> +    return ret;
>> +}
>> +
>>  int btrfs_read_block_groups(struct btrfs_fs_info *info)
>>  {
>>      struct btrfs_path *path;
>> @@ -10036,6 +10071,9 @@ int btrfs_read_block_groups(struct btrfs_fs_info 
>> *info)
>>              need_clear = 1;
>>
>>      while (1) {
>> +            struct btrfs_block_group_item bg;
>> +            int slot;
>> +
>>              ret = find_first_block_group(info, path, &key);
>>              if (ret > 0)
>>                      break;
>> @@ -10043,7 +10081,20 @@ int btrfs_read_block_groups(struct btrfs_fs_info 
>> *info)
>>                      goto error;
>>
>>              leaf = path->nodes[0];
>> -            btrfs_item_key_to_cpu(leaf, &found_key, path->slots[0]);
>> +            slot = path->slots[0];
>> +            btrfs_item_key_to_cpu(leaf, &found_key, slot);
>> +
>> +            read_extent_buffer(leaf, &bg, btrfs_item_ptr_offset(leaf, slot),
>> +                               sizeof(bg));
>> +            /*
>> +             * Chunk and block group must have 1:1 mapping.
>> +             * So there must be a chunk for this block group.
>> +             */
>> +            ret = check_exist_chunk(info, found_key.objectid,
>> +                                    found_key.offset,
>> +                                    btrfs_block_group_flags(&bg));
>> +            if (ret < 0)
>> +                    goto error;
>>
>>              cache = btrfs_create_block_group_cache(info, found_key.objectid,
>>                                                     found_key.offset);
>> @@ -10068,7 +10119,7 @@ int btrfs_read_block_groups(struct btrfs_fs_info 
>> *info)
>>              }
>>
>>              read_extent_buffer(leaf, &cache->item,
>> -                               btrfs_item_ptr_offset(leaf, path->slots[0]),
>> +                               btrfs_item_ptr_offset(leaf, slot),
>>                                 sizeof(cache->item));
>>              cache->flags = btrfs_block_group_flags(&cache->item);
>>              if (!mixed &&
>> --
>> 2.18.0
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
>> the body of a message to majord...@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> 
> 
> 
> N嫥叉靣笡y氊b瞂千v豝�)藓{.n�+壏{眓谶�)韰骅w*jg�秹殠娸/侁鋤罐枈�2娹櫒璀�&�)摺玜囤瓽珴閔�鎗:+v墾妛鑶佶
> 

signature.asc
Description: OpenPGP digital signature