diff options
author | Lu Fengqi <lufq.fnst@cn.fujitsu.com> | 2017-05-02 15:36:09 +0800 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2017-05-02 16:29:38 +0200 |
commit | 528ba342acfcce93457708ee5bdec98dee52645a (patch) | |
tree | 507344a62723606e2398099a83731494227b8ad8 /disk-io.c | |
parent | f80b1f1db66216aeca06be03d0269b2e2946974b (diff) |
btrfs-progs: tests: Fix fuzz-test for bko-161821.raw.txt
Fuzzed image bko-161821.raw causes btrfs check to get segmentation fault.
The function check_owner_ref attempts to access a non-exist quota tree
when dealing with extent_item [4198400 4096] in the corrupted filesystem.
The function btrfs_new_fs_info always allocates memory for
fs_info->quota_root regardless of whether quota_tree exists or not.
Additionally, the function btrfs_read_fs_root will directly return
fs_info->quota_root if location->objectid == BTRFS_QUOTA_TREE_OBJECTID.
This patch does the following things:
1. Do extra check and return ENOENT if quota tree does not exist in the
function btrfs_read_fs_root.
2. Free useless fs_info->quota_root in the function btrfs_setup_all_roots
to reduce confusion.
3. free_extent_buffer even if check_child_node failed in the function
walk_down_tree.
Signed-off-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'disk-io.c')
-rw-r--r-- | disk-io.c | 13 |
1 files changed, 10 insertions, 3 deletions
@@ -815,7 +815,8 @@ struct btrfs_root *btrfs_read_fs_root(struct btrfs_fs_info *fs_info, if (location->objectid == BTRFS_CSUM_TREE_OBJECTID) return fs_info->csum_root; if (location->objectid == BTRFS_QUOTA_TREE_OBJECTID) - return fs_info->quota_root; + return fs_info->quota_enabled ? fs_info->quota_root : + ERR_PTR(-ENOENT); BUG_ON(location->objectid == BTRFS_TREE_RELOC_OBJECTID || location->offset != (u64)-1); @@ -837,12 +838,14 @@ struct btrfs_root *btrfs_read_fs_root(struct btrfs_fs_info *fs_info, void btrfs_free_fs_info(struct btrfs_fs_info *fs_info) { + if (fs_info->quota_root) + free(fs_info->quota_root); + free(fs_info->tree_root); free(fs_info->extent_root); free(fs_info->chunk_root); free(fs_info->dev_root); free(fs_info->csum_root); - free(fs_info->quota_root); free(fs_info->free_space_root); free(fs_info->super_copy); free(fs_info->log_root_tree); @@ -1057,8 +1060,12 @@ int btrfs_setup_all_roots(struct btrfs_fs_info *fs_info, u64 root_tree_bytenr, ret = find_and_setup_root(root, fs_info, BTRFS_QUOTA_TREE_OBJECTID, fs_info->quota_root); - if (ret == 0) + if (ret) { + free(fs_info->quota_root); + fs_info->quota_root = NULL; + } else { fs_info->quota_enabled = 1; + } if (btrfs_fs_compat_ro(fs_info, FREE_SPACE_TREE)) { ret = find_and_setup_root(root, fs_info, BTRFS_FREE_SPACE_TREE_OBJECTID, |