authorDimitri John Ledkov <xnox@ubuntu.com>2016-09-22 14:47:57 +0100
committerDimitri John Ledkov <xnox@ubuntu.com>2016-09-22 14:47:57 +0100
commitc92ba05933a640c0084321bc6eeaa091c283b8bb (patch)
tree72cdcdec5d50586a244ba8743356d3fd2ecb1b4c /tests/fuzz-tests
parent249a3592d5dfdec0e52b5e9e712339364ea758ed (diff)
New upstream release.
Diffstat (limited to 'tests/fuzz-tests')
-rwxr-xr-xtests/fuzz-tests/001-simple-check-unmounted/test.sh (renamed from tests/fuzz-tests/001-simple-unmounted/test.sh)0
-rwxr-xr-xtests/fuzz-tests/002-simple-image/test.sh24
-rwxr-xr-xtests/fuzz-tests/003-multi-check-unmounted/test.sh26
-rw-r--r--tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.txt5
-rw-r--r--tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.xzbin0 -> 3676 bytes
-rw-r--r--tests/fuzz-tests/images/bko-155181-bad-backref.raw.txt22
-rw-r--r--tests/fuzz-tests/images/bko-155181-bad-backref.raw.xzbin0 -> 3684 bytes
-rw-r--r--tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.txt25
-rw-r--r--tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.xzbin0 -> 3712 bytes
-rw-r--r--tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.txt62
-rw-r--r--tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.xzbin0 -> 3764 bytes
11 files changed, 164 insertions, 0 deletions
diff --git a/tests/fuzz-tests/001-simple-unmounted/test.sh b/tests/fuzz-tests/001-simple-check-unmounted/test.sh
index 98fe7b0c..98fe7b0c 100755
--- a/tests/fuzz-tests/001-simple-unmounted/test.sh
+++ b/tests/fuzz-tests/001-simple-check-unmounted/test.sh
diff --git a/tests/fuzz-tests/002-simple-image/test.sh b/tests/fuzz-tests/002-simple-image/test.sh
new file mode 100755
index 00000000..42470ecc
--- /dev/null
+++ b/tests/fuzz-tests/002-simple-image/test.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# iterate over all fuzzed images and run 'btrfs-image'
+
+source $TOP/tests/common
+
+setup_root_helper
+check_prereq btrfs-image
+
+# redefine the one provided by common
+check_image() {
+ local image
+
+ image=$1
+ truncate -s0 target
+ run_mayfail $TOP/btrfs-image "$image" target
+ truncate -s0 target
+}
+
+check_all_images $TOP/tests/fuzz-tests/images
+
+rm -- target
+
+exit 0
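Review bot: `source $TOP/tests/common` and `check_all_images $TOP/tests/fuzz-tests/images` leave `$TOP` unquoted, so a checkout path containing whitespace or glob characters would be word-split and the wrong file sourced (or nothing at all); the same applies to `$TOP/btrfs-image` inside check_image, and to the `source` and `check_all_images` lines in 003-multi-check-unmounted/test.sh. I would write `source "$TOP/tests/common"`, `run_mayfail "$TOP/btrfs-image" "$image" target` and `check_all_images "$TOP/tests/fuzz-tests/images"`, and add `: "${TOP:?TOP must point to the btrfs-progs tree}"` before the source line so an unset TOP fails with a clear message rather than sourcing `/tests/common`. The scratch file `target` is created, truncated and removed by relative path, so the script silently depends on the working directory it is launched from; a one-line comment such as `# 'target' is the btrfs-image output scratch file in the test's cwd` would make that dependency explicit.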
diff --git a/tests/fuzz-tests/003-multi-check-unmounted/test.sh b/tests/fuzz-tests/003-multi-check-unmounted/test.sh
new file mode 100755
index 00000000..9fd7b8aa
--- /dev/null
+++ b/tests/fuzz-tests/003-multi-check-unmounted/test.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# iterate over all fuzzed images and run 'btrfs check', try various options to
+# get more code coverage
+
+source $TOP/tests/common
+
+setup_root_helper
+check_prereq btrfs
+
+# redefine the one provided by common
+check_image() {
+ local image
+
+ image=$1
+ run_mayfail $TOP/btrfs check -s 1 "$image"
+ run_mayfail $TOP/btrfs check --init-csum-tree "$image"
+ run_mayfail $TOP/btrfs check --init-extent-tree "$image"
+ run_mayfail $TOP/btrfs check --check-data-csum "$image"
+ run_mayfail $TOP/btrfs check --subvol-extents "$image"
+ run_mayfail $TOP/btrfs check --repair "$image"
+}
+
+check_all_images $TOP/tests/fuzz-tests/images
+
+exit 0
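Review bot: Inside check_image the `--init-csum-tree`, `--init-extent-tree` and `--repair` invocations all write to "$image", so the later `btrfs check` runs in the sequence (including `--check-data-csum` and `--subvol-extents`) are exercised against an image already rewritten by the earlier options rather than against the original fuzzed bytes. Whether check_all_images hands this function a scratch copy is not visible here, but even so only the first `-s 1` call sees the unmodified input, which narrows the coverage the header comment says the options are meant to widen. If the cumulative behaviour is intended, a comment at the first write option such as `# --init-*-tree and --repair modify the image; every call below sees the rewritten copy` would document it; otherwise each modifying option should operate on a fresh copy (`cp -- "$image" "$image.work"` before the call, removed afterwards).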
diff --git a/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.txt b/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.txt
new file mode 100644
index 00000000..4971f13e
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.txt
@@ -0,0 +1,5 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=155151
+Lukas Lueg 2016-08-27 20:19:24 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to enter what
+seems to be an endless loop; using btrfs-progs v4.7-42-g56e9586.
diff --git a/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.xz b/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.xz
new file mode 100644
index 00000000..377b4d80
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155151-bad-block-group-offset.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-155181-bad-backref.raw.txt b/tests/fuzz-tests/images/bko-155181-bad-backref.raw.txt
new file mode 100644
index 00000000..440641e9
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155181-bad-backref.raw.txt
@@ -0,0 +1,22 @@
+ULR: https://bugzilla.kernel.org/show_bug.cgi?id=155181
+Lukas Lueg 2016-08-28 10:52:32 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to reach abort()
+in in cmds-check.c:add_tree_backref(); using btrfs-progs v4.7-42-g56e9586.
+
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+Checking filesystem on crash2.bin
+UUID: 5cb33553-6f6d-4ce8-83fd-20af5a2f8181
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#0 0x00007ffff6fae6f5 in raise () from /lib64/libc.so.6
+#1 0x00007ffff6fb02fa in abort () from /lib64/libc.so.6
+#2 0x000000000041fbe1 in add_tree_backref (extent_cache=extent_cache@entry=0x7fffffffdd20, bytenr=bytenr@entry=131200, parent=parent@entry=0, root=3, found_ref=found_ref@entry=0) at cmds-check.c:4869
+#3 0x0000000000423538 in process_extent_item (root=root@entry=0x6b2cf0, extent_cache=extent_cache@entry=0x7fffffffdd20, eb=eb@entry=0x6af7c0, slot=slot@entry=1) at cmds-check.c:5452
+#4 0x000000000042a605 in run_next_block (root=root@entry=0x6b2cf0, bits=bits@entry=0x6b4ff0, bits_nr=bits_nr@entry=1024, last=last@entry=0x7fffffffd878, pending=pending@entry=0x7fffffffdd00, seen=seen@entry=0x7fffffffdd10, reada=0x7fffffffdcf0, nodes=0x7fffffffdce0, extent_cache=0x7fffffffdd20, chunk_cache=0x7fffffffdd80, dev_cache=0x7fffffffdd90, block_group_cache=0x7fffffffdd60, dev_extent_cache=0x7fffffffdd30, ri=0x6b9000) at cmds-check.c:6280
+#5 0x000000000042afb6 in deal_root_from_list (list=list@entry=0x7fffffffda10, root=root@entry=0x6b2cf0, bits=bits@entry=0x6b4ff0, bits_nr=bits_nr@entry=1024, pending=pending@entry=0x7fffffffdd00, seen=seen@entry=0x7fffffffdd10, reada=0x7fffffffdcf0, nodes=0x7fffffffdce0, extent_cache=0x7fffffffdd20, chunk_cache=0x7fffffffdd80, dev_cache=0x7fffffffdd90, block_group_cache=0x7fffffffdd60, dev_extent_cache=0x7fffffffdd30) at cmds-check.c:8338
+#6 0x000000000042bb15 in check_chunks_and_extents (root=root@entry=0x6b2cf0) at cmds-check.c:8505
+#7 0x000000000042e3cb in cmd_check (argc=<optimized out>, argv=<optimized out>) at cmds-check.c:11430
+#8 0x000000000040a416 in main (argc=2, argv=0x7fffffffe218) at btrfs.c:243
diff --git a/tests/fuzz-tests/images/bko-155181-bad-backref.raw.xz b/tests/fuzz-tests/images/bko-155181-bad-backref.raw.xz
new file mode 100644
index 00000000..ff5fe859
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155181-bad-backref.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.txt b/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.txt
new file mode 100644
index 00000000..e28d73fc
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.txt
@@ -0,0 +1,25 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=155621
+Lukas Lueg 2016-08-30 16:07:36 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to enter what
+seems to be an endless loop; using btrfs-progs v4.7-42-g56e9586.
+
+Starting program: /home/lukas/dev/btrfsfuzz/bin/bin/btrfsck hang17.img
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib64/libthread_db.so.1".
+
+Program received signal SIGINT, Interrupt.
+__find_space_info (info=info@entry=0x6ab3a0, flags=0, flags@entry=8589934592) at extent-tree.c:1796
+1796 list_for_each_entry(found, &info->space_info, list) {
+#0 __find_space_info (info=info@entry=0x6ab3a0, flags=0, flags@entry=8589934592) at extent-tree.c:1796
+#1 0x000000000044c66d in update_space_info (info=info@entry=0x6ab3a0, flags=8589934592, total_bytes=total_bytes@entry=0, bytes_used=17592186044416, space_info=space_info@entry=0x7fffffffdbd8)
+ at extent-tree.c:1835
+#2 0x0000000000451622 in btrfs_read_block_groups (root=0x6ab850) at extent-tree.c:3278
+#3 0x000000000044b157 in btrfs_setup_all_roots (fs_info=fs_info@entry=0x6ab3a0, root_tree_bytenr=<optimized out>, root_tree_bytenr@entry=0, flags=flags@entry=64) at disk-io.c:1055
+#4 0x000000000044b484 in __open_ctree_fd (fp=fp@entry=3, path=path@entry=0x7fffffffe4eb "hang17.img", sb_bytenr=65536, sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0,
+ chunk_root_bytenr=chunk_root_bytenr@entry=0, flags=flags@entry=64) at disk-io.c:1317
+#5 0x000000000044b611 in open_ctree_fs_info (filename=0x7fffffffe4eb "hang17.img", sb_bytenr=sb_bytenr@entry=0, root_tree_bytenr=root_tree_bytenr@entry=0, chunk_root_bytenr=chunk_root_bytenr@entry=0,
+ flags=64) at disk-io.c:1363
+#6 0x000000000042deca in cmd_check (argc=<optimized out>, argv=0x7fffffffe218) at cmds-check.c:11320
+#7 0x000000000040a416 in main (argc=2, argv=0x7fffffffe218) at btrfs.c:243
+quit
diff --git a/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.xz b/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.xz
new file mode 100644
index 00000000..2456780d
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-155621-bad-block-group-offset.raw.xz
Binary files differ
diff --git a/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.txt b/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.txt
new file mode 100644
index 00000000..c8279633
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.txt
@@ -0,0 +1,62 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156471
+Lukas Lueg 2016-09-09 18:58:27 UTC
+
+More news from the fuzzer and (up to now) the only news from UBSAN using
+btrfs-progs v4.7-42-g56e9586. The attached image causes btrfsck to trigger
+undefined behavior by dereferencing a ptr to a long unsigned int that was cast
+from an uchar with no alignment guarantees.
+
+UBSAN complains:
+crc32c.c:75:19: runtime error: load of misaligned address 0x000001b3736c for
+type 'long unsigned int', which requires 8 byte alignment
+
+I've attached an image and a log, the behavior is triggered all the time and
+unspecific, though.
+
+AFAIC the problem is that *ptmp is cast from *data. This may actually not cause
+the CPU to fault due to how *data is de-facto aligned by it's callers. The code
+may still cause nose demons as the pure act of having *ptmp is undefined
+behavior.
+
+crc32c.c:75:19: runtime error: load of misaligned address 0x000001b3736c for type 'long unsigned int', which requires 8 byte alignment
+0x000001b3736c: note: pointer points here
+ 00 00 00 00 b7 0e 65 6c 64 61 40 4b a5 0d 0f ba 33 0c 75 27 00 00 02 00 00 00 00 00 01 00 00 00
+ ^
+ #0 0x4f4308 in crc32c_intel /home/lukas/dev/btrfsfuzz/src-ubsan/crc32c.c:75
+ #1 0x4f43f3 in crc32c_le /home/lukas/dev/btrfsfuzz/src-ubsan/crc32c.c:221
+ #2 0x486c39 in __csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:139
+ #3 0x486c39 in csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:159
+ #4 0x486d48 in csum_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:174
+ #5 0x48ba29 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:348
+ #6 0x48d48d in read_tree_block /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.h:112
+ #7 0x48d48d in btrfs_setup_chunk_tree_and_device_map /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1210
+ #8 0x48d95b in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1322
+ #9 0x48dd80 in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1381
+ #10 0x45011a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11449
+ #11 0x40a799 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243
+ #12 0x7fdf11c96730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #13 0x40a1e8 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x40a1e8)
+
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+parent transid verify failed on 4227072 wanted 3472328296227680304 found 4
+Ignoring transid failure
+checking extents
+Checking filesystem on ubsan_logs/id:000990,src:000816,op:flip1,pos:3845.img
+UUID: b70e656c-6461-404b-a50d-0fba330c7527
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+Invalid key type(ROOT_ITEM) found in root(3472328296227680304)
+ignoring invalid key
+Invalid key type(ROOT_ITEM) found in root(3472328296227680304)
+ignoring invalid key
+Invalid key type(ROOT_ITEM) found in root(3472328296227680304)
+ignoring invalid key
+Invalid key type(ROOT_ITEM) found in root(3472328296227680304)
+ignoring invalid key
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
+bad block 4202496
+Errors found in extent allocation tree or chunk allocation
+key (3472328296227680304 INODE_EXTREF 3472328296227680304)slot end outside of leaf 12360 > 3995
diff --git a/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.xz b/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.xz
new file mode 100644
index 00000000..ee5778a5
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156471-ubsan-trigger-crc32c-unaligned.raw.xz
Binary files differ