Diffstat (limited to 'tests')
23 files changed, 751 insertions, 14 deletions
diff --git a/tests/README.md b/tests/README.md index d14d727c..94c5533d 100644 --- a/tests/README.md +++ b/tests/README.md @@ -170,7 +170,7 @@ how to do mkfs, mount, unmount, check, loop device management etc. and join by dashes `-`. This will become the directory name, eg. `012-subvolume-sync-must-wait`. 3. Write a short description of the bug and how it's tested to the comment at the -begining of `test.sh`. You don't need to add the file to git yet. Don't forget +beginning of `test.sh`. You don't need to add the file to git yet. Don't forget to make the file executable, otherwise it's not going to be executed by the infrastructure. @@ -194,7 +194,7 @@ $ TEST=012\* ./misc-tests.sh # from tests/ Most tests should be able to create the test images from scratch, using regular commands and file operation. The commands also document the testcase and use -the teste code and kernel of the environment. +the test code and kernel of the environment. In other cases, a pre-created image may be the right way if the above does not work (eg. comparing output, requesting an exact layout or some intermediate @@ -244,7 +244,7 @@ There are some utilities that are not distributed but are necessary for the tests. They are in the top level directory of the testsuite and their path cannot be set. -The tests assume write acesss to their directories. +The tests assume write access to their directories. # Coding style, best practices diff --git a/tests/cli-tests/007-check-force/test.sh b/tests/cli-tests/007-check-force/test.sh index 597f2d60..deee96c8 100755 --- a/tests/cli-tests/007-check-force/test.sh +++ b/tests/cli-tests/007-check-force/test.sh 
@@ -10,7 +10,7 @@ check_prereq btrfs setup_root_helper # we need to use a real block device, because the check opens the device in -# exclusive mode, that unfortunatelly behaves differently for direct file +# exclusive mode, that unfortunately behaves differently for direct file # access and for the real /dev/loop0 device setup_loopdevs 1 prepare_loopdevs diff --git a/tests/common b/tests/common index 7e4e09df..1575ae38 100644 --- a/tests/common +++ b/tests/common @@ -171,7 +171,7 @@ run_check_stdout() } # same as run_check but does not fail the test if it's handled gracefully by -# the tool, unexpected failure like segfault or abor will exit forcibly +# the tool, unexpected failure like segfault or abort will exit forcibly # output is logged run_mayfail() { diff --git a/tests/fsck-tests/020-extent-ref-cases/keyed_data_ref_with_reloc_leaf.img b/tests/fsck-tests/020-extent-ref-cases/keyed_data_ref_with_reloc_leaf.img Binary files differnew file mode 100644 index 00000000..80345cf9 --- /dev/null +++ b/tests/fsck-tests/020-extent-ref-cases/keyed_data_ref_with_reloc_leaf.img diff --git a/tests/fsck-tests/025-file-extents/test.sh b/tests/fsck-tests/025-file-extents/test.sh index 95707596..db066ee1 100755 --- a/tests/fsck-tests/025-file-extents/test.sh +++ b/tests/fsck-tests/025-file-extents/test.sh @@ -15,7 +15,7 @@ prepare_test_dev 128M # Do some write into a large prealloc range # Lowmem mode can report missing csum due to wrong csum range -test_paritical_write_into_prealloc() +test_partial_write_into_prealloc() { run_check $SUDO_HELPER "$TOP/mkfs.btrfs" -f "$TEST_DEV" run_check_mount_test_dev @@ -55,6 +55,6 @@ test_hole_extent_with_no_holes_flag() run_check "$TOP/btrfs" check "$TEST_DEV" } -test_paritical_write_into_prealloc +test_partial_write_into_prealloc test_compressed_inline_extent test_hole_extent_with_no_holes_flag 
diff --git a/tests/fsck-tests/031-metadatadump-check-data-csum/test.sh b/tests/fsck-tests/031-metadatadump-check-data-csum/test.sh index e9b2d5c6..7f3872e6 100755 --- a/tests/fsck-tests/031-metadatadump-check-data-csum/test.sh +++ b/tests/fsck-tests/031-metadatadump-check-data-csum/test.sh @@ -1,5 +1,5 @@ #!/bin/bash -# To check if "btrfs check" can detect metadata dump (restored by btrfs-iamge) +# To check if "btrfs check" can detect metadata dump (restored by btrfs-image) # and ignore --check-data-csum option source "$TEST_TOP/common" @@ -21,7 +21,7 @@ chmod a+w restored_image run_check $SUDO_HELPER "$TOP/btrfs-image" "$TEST_DEV" "restored_image" # use prepare_test_dev() to wipe all existing data on $TEST_DEV -# so there is no way that restored image could have mathcing data csum +# so there is no way that restored image could have matching data csum prepare_test_dev run_check $SUDO_HELPER "$TOP/btrfs-image" -r "restored_image" "$TEST_DEV" diff --git a/tests/fsck-tests/035-inline-bad-ram-bytes/offset_by_one.img b/tests/fsck-tests/035-inline-bad-ram-bytes/offset_by_one.img Binary files differnew file mode 100644 index 00000000..2f58208e --- /dev/null +++ b/tests/fsck-tests/035-inline-bad-ram-bytes/offset_by_one.img diff --git a/tests/fsck-tests/035-inline-bad-ram-bytes/test.sh b/tests/fsck-tests/035-inline-bad-ram-bytes/test.sh new file mode 100755 index 00000000..6f6e2a5e --- /dev/null +++ b/tests/fsck-tests/035-inline-bad-ram-bytes/test.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# Around 2014, btrfs kernel has a regression that create inline extent +# with ram_bytes offset by one. +# This old regression could be caught by tree-check code. +# This test case will check if btrfs check could detect and repair it. + +source "$TEST_TOP/common" + +check_prereq btrfs + +check_all_images 
diff --git a/tests/fsck-tests/036-rescan-not-kicked-in/no_rescan_kicked_in.img b/tests/fsck-tests/036-rescan-not-kicked-in/no_rescan_kicked_in.img
Binary files differ
new file mode 100644
index 00000000..b855a72f
--- /dev/null
+++ b/tests/fsck-tests/036-rescan-not-kicked-in/no_rescan_kicked_in.img
diff --git a/tests/fsck-tests/036-rescan-not-kicked-in/test.sh b/tests/fsck-tests/036-rescan-not-kicked-in/test.sh
new file mode 100755
index 00000000..eafd599d
--- /dev/null
+++ b/tests/fsck-tests/036-rescan-not-kicked-in/test.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Under certain power loss case, btrfs quota tree can be initialized but
+# rescan not kicked in. Can be also reproduced by fstests/btrfs/166 but with
+# low probability.
+#
+# This test case verifies a special case when 'btrfs check' does not report
+# qgroup accounting difference as an error, thus no false alert for btrfs/166.
+
+source "$TEST_TOP/common"
+
+check_prereq btrfs
+
+check_image() {
+ run_check "$TOP/btrfs" check "$1"
+}
+
+check_all_images
diff --git a/tests/fsck-tests/037-freespacetree-repair/test.sh b/tests/fsck-tests/037-freespacetree-repair/test.sh
new file mode 100755
index 00000000..261d7ccb
--- /dev/null
+++ b/tests/fsck-tests/037-freespacetree-repair/test.sh
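Review bot: The `check_image` override at the bottom of the 036 hunk replaces the framework's default without saying what it expects, which matters because the test's whole point is that a plain `btrfs check` with no repair must exit 0 on this image. If the default `check_image` in `tests/common` (not visible here) already just runs `btrfs check`, the override is redundant and could be dropped; otherwise a comment above it such as `# plain check must succeed: the qgroup accounting mismatch in this image is not an error` would record the expectation for the next reader.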
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Corrupt a filesystem that is using freespace tree and then ensure that
+# btrfs check is able to repair it. This tests correct detection/repair of
+# both a FREE_SPACE_EXTENT based FST and a FREE_SPACE_BITMAP based FST.
+
+source "$TEST_TOP/common"
+
+setup_root_helper
+prepare_test_dev 256M
+
+check_prereq btrfs
+check_prereq mkfs.btrfs
+check_global_prereq grep
+check_global_prereq tail
+check_global_prereq head
+check_global_prereq cut
+
+# wrapper for btrfs-corrupt-item
+# $1: Type of item we want to corrupt - extent or bitmap
+corrupt_fst_item()
+{
+ local type
+ local objectid
+ local offset
+ type="$1"
+
+ if [[ $type == "bitmap" ]]; then
+ type=200
+ objectid=$("$TOP/btrfs" inspect-internal dump-tree -t 10 "$TEST_DEV" | \
+ grep -o "[[:digit:]]* FREE_SPACE_BITMAP [[:digit:]]*" | \
+ cut -d' ' -f1 | tail -2 | head -1)
+ offset=$("$TOP/btrfs" inspect-internal dump-tree -t 10 "$TEST_DEV" | \
+ grep -o "[[:digit:]]* FREE_SPACE_BITMAP [[:digit:]]*" | \
+ cut -d' ' -f3 | tail -2 | head -1)
+ echo "Corrupting $objectid,FREE_SPACE_BITMAP,$offset" >> "$RESULTS"
+ elif [[ $type == "extent" ]]; then
+ type=199
+ objectid=$("$TOP/btrfs" inspect-internal dump-tree -t 10 "$TEST_DEV" | \
+ grep -o "[[:digit:]]* FREE_SPACE_EXTENT [[:digit:]]*" | \
+ cut -d' ' -f1 | tail -2 | head -1)
+ offset=$("$TOP/btrfs" inspect-internal dump-tree -t 10 "$TEST_DEV" | \
+ grep -o "[[:digit:]]* FREE_SPACE_EXTENT [[:digit:]]*" | \
+ cut -d' ' -f3 | tail -2 | head -1)
+ echo "Corrupting $objectid,FREE_SPACE_EXTENT,$offset" >> "$RESULTS"
+ else
+ _fail "Unknown item type for corruption"
+ fi
+
+ run_check "$TOP/btrfs-corrupt-block" -r 10 -K "$objectid,$type,$offset" \
+ -f offset "$TEST_DEV"
+}
+
+if ! [ -f "/sys/fs/btrfs/features/free_space_tree" ]; then
+ _not_run "kernel does not support free-space-tree feature"
+ exit
+fi
+
+run_check "$TOP/mkfs.btrfs" -n 4k -f "$TEST_DEV"
+run_check_mount_test_dev -oclear_cache,space_cache=v2
+
+# create files which will populate the FST
+for i in {1..3000}; do
+ run_check $SUDO_HELPER fallocate -l 4k "$TEST_MNT/file.$i"
+done
+
+run_check_umount_test_dev
+
+# now corrupt one of the bitmap items
+corrupt_fst_item "bitmap"
+check_image "$TEST_DEV"
+
+# change the freespace such that we now have at least one free_space_extent
+# object
+run_check_mount_test_dev
+rm -rf "$TEST_MNT/file.*"
+run_check $SUDO_HELPER fallocate -l 50m "$TEST_MNT/file"
+run_check_umount_test_dev
+
+# now corrupt an extent
+corrupt_fst_item "extent"
+check_image "$TEST_DEV"
diff --git a/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.raw.xz b/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.raw.xz
Binary files differ
new file mode 100644
index 00000000..7d291041
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.raw.xz
diff --git a/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.txt b/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.txt
new file mode 100644
index 00000000..a54992ee
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-199833-reloc-recovery-crash.txt
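Review bot: `rm -rf "$TEST_MNT/file.*"` near the end of the 037 hunk quotes the glob, so `*` is literal and the 3000 `file.N` entries created by the loop above are never removed; `rm -rf` also suppresses the no-such-file error, so the miss is silent and the "extent" corruption step runs against a layout other than the one the preceding comment describes. Those files were created through `run_check $SUDO_HELPER`, while this `rm` runs unprivileged and unchecked, so a permission failure would be swallowed the same way; suggest `run_check $SUDO_HELPER rm -f -- "$TEST_MNT"/file.*`. Separately, the header comment on `corrupt_fst_item` reads `# wrapper for btrfs-corrupt-item` but the function invokes `btrfs-corrupt-block`; suggest `# wrapper for btrfs-corrupt-block`. Each branch also runs `dump-tree` twice to read the objectid and offset of the same line, which could be one capture split afterwards.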
@@ -0,0 +1,113 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=199833 +Wen Xu 2018-05-26 02:27:26 UTC + +The (compressed) crafted image which causes crash + +- Overview +Invalid pointer dereference in __del_reloc_root() when mounting a crafted btrfs image + +- Reproduce +# mkdir mnt +# mount -t btrfs 82.img mnt +(Reproduced on Linux 4.17-rc5) + +- Comment +https://elixir.bootlin.com/linux/v4.17-rc5/source/fs/btrfs/relocation.c#L1324 + +static void __del_reloc_root(struct btrfs_root *root) +{ + struct btrfs_fs_info *fs_info = root->fs_info; + struct rb_node *rb_node; + struct mapping_node *node = NULL; + struct reloc_control *rc = fs_info->reloc_ctl; + + spin_lock(&rc->reloc_root_tree.lock); + +rc can be NULL, which means that reloc_ctl may be not initialized + +- Kernel message +[ 208.623313] BUG: unable to handle kernel NULL pointer dereference at 0000000000000570 +[ 208.624890] PGD 80000001e9495067 P4D 80000001e9495067 PUD 1f0d81067 PMD 0 +[ 208.626285] Oops: 0002 [#1] SMP KASAN PTI +[ 208.632054] BTRFS info (device loop0): delayed_refs has NO entry +[ 208.636502] CPU: 1 PID: 1330 Comm: mount Tainted: G B W 4.17.0-rc5+ #6 +[ 208.639306] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 208.641177] RIP: 0010:_raw_spin_lock+0x1e/0x40 +[ 208.642200] RSP: 0018:ffff8801df437338 EFLAGS: 00010246 +[ 208.643240] RAX: 0000000000000000 RBX: 0000000000000570 RCX: 0000000000000000 +[ 208.644643] RDX: 0000000000000001 RSI: 0000000000000297 RDI: 0000000000000297 +[ 208.646058] RBP: ffff8801df437340 R08: ffffed003ee23ebb R09: ffffed003ee23ebb +[ 208.647464] R10: 0000000000000001 R11: ffffed003ee23eba R12: ffff8801f2e8c400 +[ 208.648870] R13: 0000000000000000 R14: ffff8801e3a28000 R15: 0000000000000568 +[ 208.650286] FS: 00007fd41a0a7840(0000) GS:ffff8801f7100000(0000) knlGS:0000000000000000 +[ 208.651872] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 208.653006] CR2: 0000000000000570 CR3: 00000001e16e6000 CR4: 
00000000000006e0 +[ 208.654449] Call Trace: +[ 208.654961] __del_reloc_root+0x5a/0x190 +[ 208.655755] free_reloc_roots+0x40/0xb0 +[ 208.656531] btrfs_recover_relocation+0x2fa/0x750 +[ 208.657487] ? btrfs_cleanup_fs_roots+0x351/0x3b0 +[ 208.658428] ? btrfs_relocate_block_group+0x370/0x370 +[ 208.659433] ? qgroup_reserve+0x650/0x650 +[ 208.660237] ? migrate_swap_stop+0x2e0/0x2e0 +[ 208.661090] ? btrfs_check_rw_degradable+0xb0/0x240 +[ 208.662077] open_ctree+0x37c4/0x3ce9 +[ 208.662822] ? close_ctree+0x4a0/0x4a0 +[ 208.663580] ? bdi_register_va+0x44/0x50 +[ 208.664371] ? super_setup_bdi_name+0x11b/0x1a0 +[ 208.665302] ? kill_block_super+0x80/0x80 +[ 208.666111] ? snprintf+0x96/0xd0 +[ 208.666787] btrfs_mount_root+0xae6/0xc60 +[ 208.667596] ? btrfs_mount_root+0xae6/0xc60 +[ 208.668449] ? pcpu_block_update_hint_alloc+0x1f5/0x2a0 +[ 208.669505] ? btrfs_decode_error+0x40/0x40 +[ 208.670345] ? find_next_bit+0x57/0x90 +[ 208.671101] ? cpumask_next+0x1a/0x20 +[ 208.671837] ? pcpu_alloc+0x449/0x8c0 +[ 208.672577] ? pcpu_free_area+0x410/0x410 +[ 208.673393] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 208.674267] ? memcpy+0x45/0x50 +[ 208.674905] mount_fs+0x60/0x1a0 +[ 208.675562] ? btrfs_decode_error+0x40/0x40 +[ 208.676399] ? mount_fs+0x60/0x1a0 +[ 208.677088] ? alloc_vfsmnt+0x309/0x360 +[ 208.677880] vfs_kern_mount+0x6b/0x1a0 +[ 208.678634] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 208.679671] btrfs_mount+0x209/0xb71 +[ 208.680390] ? pcpu_block_update_hint_alloc+0x1f5/0x2a0 +[ 208.681442] ? btrfs_remount+0x8e0/0x8e0 +[ 208.682247] ? find_next_zero_bit+0x2c/0xa0 +[ 208.683119] ? find_next_bit+0x57/0x90 +[ 208.683876] ? cpumask_next+0x1a/0x20 +[ 208.684619] ? pcpu_alloc+0x449/0x8c0 +[ 208.685371] ? pcpu_free_area+0x410/0x410 +[ 208.686177] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 208.687046] ? memcpy+0x45/0x50 +[ 208.687685] mount_fs+0x60/0x1a0 +[ 208.688337] ? btrfs_remount+0x8e0/0x8e0 +[ 208.689121] ? mount_fs+0x60/0x1a0 +[ 208.689828] ? 
alloc_vfsmnt+0x309/0x360 +[ 208.690599] vfs_kern_mount+0x6b/0x1a0 +[ 208.691352] do_mount+0x34a/0x18a0 +[ 208.692039] ? lockref_put_or_lock+0xcf/0x160 +[ 208.692909] ? copy_mount_string+0x20/0x20 +[ 208.693742] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 208.694615] ? kasan_check_write+0x14/0x20 +[ 208.695437] ? _copy_from_user+0x6a/0x90 +[ 208.696226] ? memdup_user+0x42/0x60 +[ 208.696948] ksys_mount+0x83/0xd0 +[ 208.697631] __x64_sys_mount+0x67/0x80 +[ 208.698385] do_syscall_64+0x78/0x170 +[ 208.699122] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 208.700124] RIP: 0033:0x7fd419987b9a +[ 208.700842] RSP: 002b:00007fff30668b88 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 208.702345] RAX: ffffffffffffffda RBX: 0000000001829030 RCX: 00007fd419987b9a +[ 208.703742] RDX: 0000000001829210 RSI: 000000000182af30 RDI: 0000000001831ec0 +[ 208.705134] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014 +[ 208.706533] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001831ec0 +[ 208.707931] R13: 0000000001829210 R14: 0000000000000000 R15: 0000000000000003 +[ 208.713050] RIP: _raw_spin_lock+0x1e/0x40 RSP: ffff8801df437338 +[ 208.714238] CR2: 0000000000000570 +[ 208.714985] ---[ end trace be56bf4112c4e5e3 ]--- + +Found by Wen Xu and Po-Ning Tseng from SSLab, Gatech. diff --git a/tests/fuzz-tests/images/bko-199839.raw.txt b/tests/fuzz-tests/images/bko-199839.raw.txt new file mode 100644 index 00000000..3e4b273d --- /dev/null +++ b/tests/fuzz-tests/images/bko-199839.raw.txt 
@@ -0,0 +1,198 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=199839 +Wen Xu 2018-05-26 04:18:45 UTC + +Created attachment 276197 [details] +The (compressed) crafted image which causes crash + +- Overview +use-after-free in try_merge_free_space() when mounting a crafted btrfs image + +- Reproduce (4.17 KASAN build) +# mkdir mnt +# mount -t btrfs 8.img mnt + +- Kernel Message +[ 449.751861] BTRFS: device fsid 12b338de-a2e9-40fa-a4b0-90e53b7c5773 devid 1 transid 8 /dev/loop0 +[ 449.757216] BTRFS info (device loop0): disk space caching is enabled +[ 449.757221] BTRFS info (device loop0): has skinny extents +[ 449.785096] BTRFS error (device loop0): bad tree block start 0 29396992 +[ 449.788629] BTRFS info (device loop0): read error corrected: ino 0 off 29396992 (dev /dev/loop0 sector 73800) +[ 449.792965] BTRFS error (device loop0): bad fsid on block 29409280 +[ 449.795193] BTRFS info (device loop0): read error corrected: ino 0 off 29409280 (dev /dev/loop0 sector 73824) +[ 449.795401] BTRFS info (device loop0): creating UUID tree +[ 449.883426] ================================================================== +[ 449.886228] BUG: KASAN: use-after-free in try_merge_free_space+0xc0/0x2e0 +[ 449.888344] Read of size 8 at addr ffff8801ed10f030 by task mount/1291 + +[ 449.889947] CPU: 1 PID: 1291 Comm: mount Not tainted 4.17.0-rc5+ #6 +[ 449.889951] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 449.889953] Call Trace: +[ 449.889976] dump_stack+0x7b/0xb5 +[ 449.890274] print_address_description+0x70/0x290 +[ 449.890286] kasan_report+0x291/0x390 +[ 449.890296] ? try_merge_free_space+0xc0/0x2e0 +[ 449.890303] __asan_load8+0x54/0x90 +[ 449.890310] try_merge_free_space+0xc0/0x2e0 +[ 449.890318] __btrfs_add_free_space+0x96/0x5e0 +[ 449.890324] ? kasan_check_write+0x14/0x20 +[ 449.890331] ? btrfs_get_block_group+0x1e/0x30 +[ 449.890337] ? 
block_group_cache_tree_search+0xef/0x150 +[ 449.890343] unpin_extent_range+0x376/0x670 +[ 449.890350] ? __exclude_logged_extent+0x160/0x160 +[ 449.890358] btrfs_finish_extent_commit+0x15b/0x490 +[ 449.890371] ? __find_get_block+0x106/0x400 +[ 449.890378] ? btrfs_prepare_extent_commit+0x1a0/0x1a0 +[ 449.890384] ? write_all_supers+0x714/0x1420 +[ 449.890394] btrfs_commit_transaction+0xaf4/0xfa0 +[ 449.890402] ? btrfs_apply_pending_changes+0xa0/0xa0 +[ 449.890407] ? start_transaction+0x153/0x640 +[ 449.890414] btrfs_create_uuid_tree+0x6a/0x170 +[ 449.890419] open_ctree+0x3b26/0x3ce9 +[ 449.890429] ? close_ctree+0x4a0/0x4a0 +[ 449.890441] ? bdi_register_va+0x44/0x50 +[ 449.890451] ? super_setup_bdi_name+0x11b/0x1a0 +[ 449.890457] ? kill_block_super+0x80/0x80 +[ 449.890468] ? snprintf+0x96/0xd0 +[ 449.890479] btrfs_mount_root+0xae6/0xc60 +[ 449.890485] ? btrfs_mount_root+0xae6/0xc60 +[ 449.890491] ? pcpu_block_update_hint_alloc+0x1f5/0x2a0 +[ 449.890498] ? btrfs_decode_error+0x40/0x40 +[ 449.890510] ? find_next_bit+0x57/0x90 +[ 449.890517] ? cpumask_next+0x1a/0x20 +[ 449.890522] ? pcpu_alloc+0x449/0x8c0 +[ 449.890528] ? pcpu_free_area+0x410/0x410 +[ 449.890534] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 449.890540] ? memcpy+0x45/0x50 +[ 449.890547] mount_fs+0x60/0x1a0 +[ 449.890553] ? btrfs_decode_error+0x40/0x40 +[ 449.890558] ? mount_fs+0x60/0x1a0 +[ 449.890565] ? alloc_vfsmnt+0x309/0x360 +[ 449.890570] vfs_kern_mount+0x6b/0x1a0 +[ 449.890576] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 449.890583] btrfs_mount+0x209/0xb71 +[ 449.890589] ? pcpu_block_update_hint_alloc+0x1f5/0x2a0 +[ 449.890595] ? btrfs_remount+0x8e0/0x8e0 +[ 449.890601] ? find_next_zero_bit+0x2c/0xa0 +[ 449.890608] ? find_next_bit+0x57/0x90 +[ 449.890613] ? cpumask_next+0x1a/0x20 +[ 449.890617] ? pcpu_alloc+0x449/0x8c0 +[ 449.890624] ? pcpu_free_area+0x410/0x410 +[ 449.890629] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 449.890634] ? memcpy+0x45/0x50 +[ 449.890641] mount_fs+0x60/0x1a0 +[ 449.890646] ? 
btrfs_remount+0x8e0/0x8e0 +[ 449.890652] ? mount_fs+0x60/0x1a0 +[ 449.890656] ? alloc_vfsmnt+0x309/0x360 +[ 449.890662] vfs_kern_mount+0x6b/0x1a0 +[ 449.890668] do_mount+0x34a/0x18a0 +[ 449.890673] ? lockref_put_or_lock+0xcf/0x160 +[ 449.890680] ? copy_mount_string+0x20/0x20 +[ 449.890685] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 449.890691] ? kasan_check_write+0x14/0x20 +[ 449.890696] ? _copy_from_user+0x6a/0x90 +[ 449.890702] ? memdup_user+0x42/0x60 +[ 449.890708] ksys_mount+0x83/0xd0 +[ 449.890714] __x64_sys_mount+0x67/0x80 +[ 449.890723] do_syscall_64+0x78/0x170 +[ 449.890729] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 449.890734] RIP: 0033:0x7fc36964fb9a +[ 449.890737] RSP: 002b:00007ffd268892f8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 +[ 449.890744] RAX: ffffffffffffffda RBX: 0000000000e7f030 RCX: 00007fc36964fb9a +[ 449.890747] RDX: 0000000000e7f210 RSI: 0000000000e80f30 RDI: 0000000000e87ec0 +[ 449.890750] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014 +[ 449.890753] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 0000000000e87ec0 +[ 449.890756] R13: 0000000000e7f210 R14: 0000000000000000 R15: 0000000000000003 + +[ 449.891109] Allocated by task 1291: +[ 449.891832] save_stack+0x46/0xd0 +[ 449.891838] kasan_kmalloc+0xad/0xe0 +[ 449.891843] kasan_slab_alloc+0x11/0x20 +[ 449.891848] kmem_cache_alloc+0xd1/0x1e0 +[ 449.891854] __btrfs_add_free_space+0x43/0x5e0 +[ 449.891859] add_new_free_space+0x22b/0x240 +[ 449.891864] btrfs_read_block_groups+0xae3/0xc60 +[ 449.891868] open_ctree+0x2cfc/0x3ce9 +[ 449.891873] btrfs_mount_root+0xae6/0xc60 +[ 449.891878] mount_fs+0x60/0x1a0 +[ 449.891883] vfs_kern_mount+0x6b/0x1a0 +[ 449.891888] btrfs_mount+0x209/0xb71 +[ 449.891893] mount_fs+0x60/0x1a0 +[ 449.891897] vfs_kern_mount+0x6b/0x1a0 +[ 449.891902] do_mount+0x34a/0x18a0 +[ 449.891906] ksys_mount+0x83/0xd0 +[ 449.891911] __x64_sys_mount+0x67/0x80 +[ 449.891916] do_syscall_64+0x78/0x170 +[ 449.891921] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 
449.892235] Freed by task 1291: +[ 449.892866] save_stack+0x46/0xd0 +[ 449.892872] __kasan_slab_free+0x13c/0x1a0 +[ 449.892877] kasan_slab_free+0xe/0x10 +[ 449.892882] kmem_cache_free+0x89/0x1e0 +[ 449.892888] try_merge_free_space+0x274/0x2e0 +[ 449.892894] __btrfs_add_free_space+0x96/0x5e0 +[ 449.892898] unpin_extent_range+0x376/0x670 +[ 449.892904] btrfs_finish_extent_commit+0x15b/0x490 +[ 449.892909] btrfs_commit_transaction+0xaf4/0xfa0 +[ 449.892913] btrfs_create_uuid_tree+0x6a/0x170 +[ 449.892917] open_ctree+0x3b26/0x3ce9 +[ 449.892922] btrfs_mount_root+0xae6/0xc60 +[ 449.892927] mount_fs+0x60/0x1a0 +[ 449.892932] vfs_kern_mount+0x6b/0x1a0 +[ 449.892937] btrfs_mount+0x209/0xb71 +[ 449.892942] mount_fs+0x60/0x1a0 +[ 449.892946] vfs_kern_mount+0x6b/0x1a0 +[ 449.892951] do_mount+0x34a/0x18a0 +[ 449.892955] ksys_mount+0x83/0xd0 +[ 449.892960] __x64_sys_mount+0x67/0x80 +[ 449.892965] do_syscall_64+0x78/0x170 +[ 449.892970] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 449.893286] The buggy address belongs to the object at ffff8801ed10f000 + which belongs to the cache btrfs_free_space of size 72 +[ 449.895793] The buggy address is located 48 bytes inside of + 72-byte region [ffff8801ed10f000, ffff8801ed10f048) +[ 449.898035] The buggy address belongs to the page: +[ 449.898979] page:ffffea0007b443c0 count:1 mapcount:0 mapping:0000000000000000 index:0x0 +[ 449.900562] flags: 0x2ffff0000000100(slab) +[ 449.901379] raw: 02ffff0000000100 0000000000000000 0000000000000000 0000000180270027 +[ 449.902881] raw: dead000000000100 dead000000000200 ffff8801e0a676c0 0000000000000000 +[ 449.904396] page dumped because: kasan: bad access detected + +[ 449.905800] Memory state around the buggy address: +[ 449.906748] ffff8801ed10ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 449.908165] ffff8801ed10ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 449.909577] >ffff8801ed10f000: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc +[ 449.910969] ^ +[ 449.911933] 
ffff8801ed10f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 449.913328] ffff8801ed10f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 449.914720] ================================================================== +[ 449.916119] Disabling lock debugging due to kernel taint + +No kernel crash on plain kernel. + +- Reason +https://elixir.bootlin.com/linux/v4.17-rc5/source/fs/btrfs/free-space-cache.c#L2161 + + if (left_info && !left_info->bitmap && + left_info->offset + left_info->bytes == offset) { + if (update_stat) + unlink_free_space(ctl, left_info); + else + __unlink_free_space(ctl, left_info); + info->offset = left_info->offset; + info->bytes += left_info->bytes; + kmem_cache_free(btrfs_free_space_cachep, left_info); + merged = true; + } + + return merged; + +Regarding KASAN report, left_info is already freed but referenced (->bitmap). It is in fact freed just several lines after, namely kmem_cache_free(btrfs_free_space_cachep, left_info); + +Found by Wen Xu and Po-Ning Tseng from SSLab, Gatech. + +===== Extra info for btrfs-progs ===== +This image could cause btrfs-progs to BUG_ON() when opening the image. +Fixed by "btrfs-progs: Don't BUG_ON() if we failed to load one device or one +chunk". diff --git a/tests/fuzz-tests/images/bko-199839.raw.xz b/tests/fuzz-tests/images/bko-199839.raw.xz Binary files differnew file mode 100644 index 00000000..c06d9540 --- /dev/null +++ b/tests/fuzz-tests/images/bko-199839.raw.xz diff --git a/tests/fuzz-tests/images/bko-200403.raw.txt b/tests/fuzz-tests/images/bko-200403.raw.txt new file mode 100644 index 00000000..aae8ea48 --- /dev/null +++ b/tests/fuzz-tests/images/bko-200403.raw.txt 
@@ -0,0 +1,93 @@ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200403 +Wen Xu 2018-07-04 17:21:58 UTC + +Created attachment 277167 [details] +The (compressed) crafted image which causes crash + +- Reproduce +# mkdir mnt +# mount -t btrfs 0.img mnt +# gcc -o poc poc.c +# ./poc ./mnt +# umount mnt + +- Kernel message +[ 230.611533] BTRFS: device fsid 3381d111-94a3-4ac7-8f39-611bbbdab7e6 devid 1 transid 8 /dev/loop0 +[ 230.632922] BTRFS info (device loop0): disk space caching is enabled +[ 230.632935] BTRFS info (device loop0): has skinny extents +[ 230.647496] BTRFS info (device loop0): creating UUID tree +[ 237.692643] ------------[ cut here ]------------ +[ 237.692654] kernel BUG at fs/btrfs/volumes.c:1625! +[ 237.693822] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 237.694867] CPU: 1 PID: 1387 Comm: umount Not tainted 4.18.0-rc1+ #8 +[ 237.696177] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 237.698177] RIP: 0010:btrfs_remove_chunk+0x37a/0xd60 +[ 237.699209] Code: e0 48 39 85 28 ff ff ff 77 20 0f b6 85 27 ff ff ff 4d 89 6f 80 4c 89 f7 4d 89 67 89 41 88 47 88 e8 0b 01 f7 ff e9 f5 fe ff ff <0f> 0b 0f 85 5c 08 00 00 4d 8d 66 40 4c 89 f7 e8 42 f9 b6 ff 4c 89 +[ 237.703034] RSP: 0018:ffff8801f0b0fad8 EFLAGS: 00010206 +[ 237.704122] RAX: 0000000008000000 RBX: ffff8801ef4d7c38 RCX: 0000000000000000 +[ 237.705572] RDX: ffffed003e161f30 RSI: 0000000000000e70 RDI: ffff8801f2a6ae70 +[ 237.707035] RBP: ffff8801f0b0fc38 R08: ffff8801f0b0f9e0 R09: ffff8801f0b0fa20 +[ 237.708485] R10: 0000000000000003 R11: ffffed003e161f7c R12: 0000000007400000 +[ 237.709929] R13: 0000000000000001 R14: ffff8801f2bf0a50 R15: ffff8801f0b0fc10 +[ 237.711391] FS: 00007f691b770840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 237.713034] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 237.714206] CR2: 0000000000cb0348 CR3: 00000001f26f8000 CR4: 00000000000006e0 +[ 237.719741] Call Trace: +[ 237.720274] ? 
btrfs_grow_device+0x240/0x240 +[ 237.721193] ? kasan_check_read+0x11/0x20 +[ 237.722080] ? mutex_lock+0x99/0xf0 +[ 237.722854] btrfs_delete_unused_bgs+0x4b6/0x5c0 +[ 237.723836] close_ctree+0x40a/0x460 +[ 237.724586] ? transaction_kthread+0x250/0x250 +[ 237.725523] ? dispose_list+0xa0/0xa0 +[ 237.726303] btrfs_put_super+0x25/0x30 +[ 237.727110] generic_shutdown_super+0xb9/0x1c0 +[ 237.728032] kill_anon_super+0x24/0x40 +[ 237.728814] btrfs_kill_super+0x31/0x220 +[ 237.729630] deactivate_locked_super+0x6f/0xa0 +[ 237.730548] deactivate_super+0x5e/0x80 +[ 237.731352] cleanup_mnt+0x61/0xa0 +[ 237.732060] __cleanup_mnt+0x12/0x20 +[ 237.732835] task_work_run+0xc8/0xf0 +[ 237.733605] exit_to_usermode_loop+0x125/0x130 +[ 237.734530] do_syscall_64+0x138/0x170 +[ 237.735331] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 237.736676] RIP: 0033:0x7f691b050487 +[ 237.737457] Code: 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 c9 2b 00 f7 d8 64 89 01 48 +[ 237.741327] RSP: 002b:00007ffdf3a06d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 +[ 237.742889] RAX: 0000000000000000 RBX: 0000000000ca7030 RCX: 00007f691b050487 +[ 237.744351] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000cae1e0 +[ 237.745814] RBP: 0000000000cae1e0 R08: 0000000000000000 R09: 0000000000000015 +[ 237.747289] R10: 00000000000006b2 R11: 0000000000000246 R12: 00007f691b55983c +[ 237.748750] R13: 0000000000000000 R14: 0000000000ca7210 R15: 00007ffdf3a07020 +[ 237.750224] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt 
fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy +[ 237.760666] ---[ end trace 2e85051acb5f6dc1 ]--- +[ 237.761718] RIP: 0010:btrfs_remove_chunk+0x37a/0xd60 +[ 237.762827] Code: e0 48 39 85 28 ff ff ff 77 20 0f b6 85 27 ff ff ff 4d 89 6f 80 4c 89 f7 4d 89 67 89 41 88 47 88 e8 0b 01 f7 ff e9 f5 fe ff ff <0f> 0b 0f 85 5c 08 00 00 4d 8d 66 40 4c 89 f7 e8 42 f9 b6 ff 4c 89 +[ 237.766977] RSP: 0018:ffff8801f0b0fad8 EFLAGS: 00010206 +[ 237.768157] RAX: 0000000008000000 RBX: ffff8801ef4d7c38 RCX: 0000000000000000 +[ 237.769672] RDX: ffffed003e161f30 RSI: 0000000000000e70 RDI: ffff8801f2a6ae70 +[ 237.771147] RBP: ffff8801f0b0fc38 R08: ffff8801f0b0f9e0 R09: ffff8801f0b0fa20 +[ 237.772650] R10: 0000000000000003 R11: ffffed003e161f7c R12: 0000000007400000 +[ 237.774119] R13: 0000000000000001 R14: ffff8801f2bf0a50 R15: ffff8801f0b0fc10 +[ 237.775598] FS: 00007f691b770840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 237.777297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 237.778496] CR2: 0000000000cb0348 CR3: 00000001f26f8000 CR4: 00000000000006e0 + + +===== Extra info for btrfs-progs ====== +It has one corrupted root item, (41 ROOT_ITEM 0) referring tree block +29364224, which is also UUID tree root. +It would cause original mode to hit BUG_ON(). +Checking filesystem on /home/adam/btrfs/crafted_images/runtime/0.img +UUID: 3381d111-94a3-4ac7-8f39-611bbbdab7e6 +checking extents +check/main.c:3677: check_owner_ref: BUG_ON `rec->is_root` triggered, value 1 +btrfs(+0x572c2)[0x562d65da72c2] +btrfs(+0x6098d)[0x562d65db098d] +btrfs(+0x60bb6)[0x562d65db0bb6] +btrfs(+0x6179b)[0x562d65db179b] +btrfs(cmd_check+0x1199)[0x562d65db5589] +btrfs(main+0x88)[0x562d65d62768] +/usr/lib/libc.so.6(__libc_start_main+0xeb)[0x7f4fcbb1b06b] +btrfs(_start+0x2a)[0x562d65d6288a] 
diff --git a/tests/fuzz-tests/images/bko-200403.raw.xz b/tests/fuzz-tests/images/bko-200403.raw.xz Binary files differnew file mode 100644 index 00000000..56959457 --- /dev/null +++ b/tests/fuzz-tests/images/bko-200403.raw.xz diff --git a/tests/fuzz-tests/images/bko-200409.raw.txt b/tests/fuzz-tests/images/bko-200409.raw.txt new file mode 100644 index 00000000..7df79243 --- /dev/null +++ b/tests/fuzz-tests/images/bko-200409.raw.txt 
@@ -0,0 +1,125 @@
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=200409
+Wen Xu 2018-07-04 17:47:09 UTC
+
+Created attachment 277173 [details]
+The (compressed) crafted image which causes crash
+
+- Reproduce
+# mkdir mnt
+# mount -t btrfs 5.img mnt
+
+- Kernel message
+[ 333.770743] BTRFS: device fsid 3381d111-94a3-4ac7-8f39-611bbbdab7e6 devid 1 transid 8 /dev/loop0
+[ 333.779221] BTRFS info (device loop0): disk space caching is enabled
+[ 333.779234] BTRFS info (device loop0): has skinny extents
+[ 333.798081] ------------[ cut here ]------------
+[ 333.798090] kernel BUG at fs/btrfs/volumes.c:6564!
+[ 333.799293] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 333.800355] CPU: 0 PID: 1353 Comm: mount Not tainted 4.18.0-rc1+ #8
+[ 333.801652] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
+[ 333.803658] RIP: 0010:read_one_chunk+0x77c/0x880
+[ 333.804630] Code: e8 a9 82 fd ff 48 8b 95 70 ff ff ff 48 8b bd 60 ff ff ff b9 01 00 00 00 4c 89 f6 e8 2e 14 ff ff b8 fe ff ff ff e9 cb fe ff ff <0f> 0b 48 8b bd 38 ff ff ff e8 76 82 fd ff e9 35 ff ff ff 48 8b 95
+[ 333.808462] RSP: 0018:ffff8801eedf7230 EFLAGS: 00010282
+[ 333.809542] RAX: ffff8801f2df2100 RBX: 00000000ffffffef RCX: ffffffffa5839143
+[ 333.810991] RDX: 1ffff1003e5be444 RSI: e300000001c00000 RDI: ffff8801f2df2220
+[ 333.812451] RBP: ffff8801eedf7310 R08: ffffed003e5be445 R09: ffffed003e5be445
+[ 333.813905] R10: 0000000000000001 R11: ffffed003e5be444 R12: ffff8801e6788158
+[ 333.815357] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8801f2df2220
+[ 333.846990] FS: 00007f2013519840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
+[ 333.848645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 333.849816] CR2: 00007f88a3c6b760 CR3: 00000001e655e000 CR4: 00000000000006f0
+[ 333.851304] Call Trace:
+[ 333.851864] ? add_missing_dev+0xc0/0xc0
+[ 333.852715] ? read_extent_buffer+0xe9/0x130
+[ 333.853604] btrfs_read_chunk_tree+0x957/0xd20
+[ 333.854551] ? free_root_pointers+0xb0/0xb0
+[ 333.855435] ? btrfs_check_rw_degradable+0x240/0x240
+[ 333.856491] ? btree_read_extent_buffer_pages+0x1e0/0x3b0
+[ 333.857617] ? run_one_async_done+0xb0/0xb0
+[ 333.858498] ? cache_state.part.32+0x10/0x40
+[ 333.859430] ? unlock_page+0x16/0x40
+[ 333.860202] ? alloc_extent_buffer+0x4a1/0x4e0
+[ 333.861149] ? memcpy+0x45/0x50
+[ 333.861818] ? read_extent_buffer+0xe9/0x130
+[ 333.862711] open_ctree+0x246c/0x35c6
+[ 333.863488] ? close_ctree+0x460/0x460
+[ 333.864302] ? bdi_register_va+0x44/0x50
+[ 333.865142] ? super_setup_bdi_name+0x11b/0x1a0
+[ 333.866089] ? kill_block_super+0x80/0x80
+[ 333.866970] ? snprintf+0x96/0xd0
+[ 333.867704] btrfs_mount_root+0xae6/0xc60
+[ 333.868550] ? btrfs_mount_root+0xae6/0xc60
+[ 333.869419] ? pcpu_block_update_hint_alloc+0x1d2/0x2a0
+[ 333.870492] ? btrfs_decode_error+0x40/0x40
+[ 333.871389] ? find_next_bit+0x57/0x90
+[ 333.872206] ? cpumask_next+0x1a/0x20
+[ 333.872986] ? pcpu_alloc+0x449/0x8c0
+[ 333.873761] ? pcpu_free_area+0x410/0x410
+[ 333.874614] ? memcg_kmem_put_cache+0x1b/0xa0
+[ 333.875531] ? memcpy+0x45/0x50
+[ 333.876209] mount_fs+0x60/0x1a0
+[ 333.876892] ? btrfs_decode_error+0x40/0x40
+[ 333.877763] ? mount_fs+0x60/0x1a0
+[ 333.878492] ? alloc_vfsmnt+0x309/0x360
+[ 333.879303] vfs_kern_mount+0x6b/0x1a0
+[ 333.880121] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 333.881209] btrfs_mount+0x209/0xb71
+[ 333.881962] ? pcpu_block_update_hint_alloc+0x1d2/0x2a0
+[ 333.883044] ? btrfs_remount+0x8e0/0x8e0
+[ 333.883878] ? find_next_zero_bit+0x2c/0xa0
+[ 333.884753] ? find_next_bit+0x57/0x90
+[ 333.885538] ? cpumask_next+0x1a/0x20
+[ 333.886307] ? pcpu_alloc+0x449/0x8c0
+[ 333.887078] ? pcpu_free_area+0x410/0x410
+[ 333.887930] ? memcg_kmem_put_cache+0x1b/0xa0
+[ 333.888836] ? memcpy+0x45/0x50
+[ 333.889500] mount_fs+0x60/0x1a0
+[ 333.890182] ? btrfs_remount+0x8e0/0x8e0
+[ 333.891001] ? mount_fs+0x60/0x1a0
+[ 333.891728] ? alloc_vfsmnt+0x309/0x360
+[ 333.892533] vfs_kern_mount+0x6b/0x1a0
+[ 333.893323] do_mount+0x34a/0x18c0
+[ 333.894042] ? copy_mount_string+0x20/0x20
+[ 333.894898] ? memcg_kmem_put_cache+0x1b/0xa0
+[ 333.895832] ? kasan_check_write+0x14/0x20
+[ 333.896704] ? _copy_from_user+0x6a/0x90
+[ 333.897542] ? memdup_user+0x42/0x60
+[ 333.898300] ksys_mount+0x83/0xd0
+[ 333.899003] __x64_sys_mount+0x67/0x80
+[ 333.899831] do_syscall_64+0x78/0x170
+[ 333.900610] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 333.901682] RIP: 0033:0x7f2012df9b9a
+[ 333.902430] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48
+[ 333.906311] RSP: 002b:00007ffd77e261b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 333.907874] RAX: ffffffffffffffda RBX: 00000000019e7030 RCX: 00007f2012df9b9a
+[ 333.909341] RDX: 00000000019e7210 RSI: 00000000019e8f30 RDI: 00000000019efec0
+[ 333.910804] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000014
+[ 333.912281] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 00000000019efec0
+[ 333.913747] R13: 00000000019e7210 R14: 0000000000000000 R15: 0000000000000003
+[ 333.915224] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too qxl drm_kms_helper crct10dif_pclmul syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crc32_pclmul aesni_intel drm aes_x86_64 crypto_simd cryptd glue_helper 8139cp mii pata_acpi floppy
+[ 333.932460] ---[ end trace 2e85051acb5f6dc1 ]---
+[ 333.933448] RIP: 0010:read_one_chunk+0x77c/0x880
+[ 333.934397] Code: e8 a9 82 fd ff 48 8b 95 70 ff ff ff 48 8b bd 60 ff ff ff b9 01 00 00 00 4c 89 f6 e8 2e 14 ff ff b8 fe ff ff ff e9 cb fe ff ff <0f> 0b 48 8b bd 38 ff ff ff e8 76 82 fd ff e9 35 ff ff ff 48 8b 95
+[ 333.938283] RSP: 0018:ffff8801eedf7230 EFLAGS: 00010282
+[ 333.939361] RAX: ffff8801f2df2100 RBX: 00000000ffffffef RCX: ffffffffa5839143
+[ 333.940846] RDX: 1ffff1003e5be444 RSI: e300000001c00000 RDI: ffff8801f2df2220
+[ 333.942318] RBP: ffff8801eedf7310 R08: ffffed003e5be445 R09: ffffed003e5be445
+[ 333.943878] R10: 0000000000000001 R11: ffffed003e5be444 R12: ffff8801e6788158
+[ 333.945371] R13: 0000000000000001 R14: 0000000000000001 R15: ffff8801f2df2220
+[ 333.946839] FS: 00007f2013519840(0000) GS:ffff8801f6e00000(0000) knlGS:0000000000000000
+[ 333.948526] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 333.949711] CR2: 00007f88a3c6b760 CR3: 00000001e655e000 CR4: 00000000000006f0
+
+- Location
+https://elixir.bootlin.com/linux/v4.18-rc3/source/fs/btrfs/volumes.c#L6564
+ write_lock(&map_tree->map_tree.lock);
+ ret = add_extent_mapping(&map_tree->map_tree, em, 0);
+ write_unlock(&map_tree->map_tree.lock);
+ BUG_ON(ret); /* Tree corruption */ <---
+ free_extent_map(em);
+
+Found by Wen Xu and Po-Ning Tseng from SSLab at Gatech.
+
+====== Extra info for btrfs-progs ======
+Btrfs-progs has the exact BUG_ON() in read_one_chunk().
+Fixed by "btrfs-progs: Exit gracefully when overlap chunks are detected".
diff --git a/tests/fuzz-tests/images/bko-200409.raw.xz b/tests/fuzz-tests/images/bko-200409.raw.xz
Binary files differ
new file mode 100644
index 00000000..8ec29cfd
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-200409.raw.xz
diff --git a/tests/misc-tests/006-image-on-missing-device/test.sh b/tests/misc-tests/006-image-on-missing-device/test.sh
index 2b222340..8c81e6fb 100755
--- a/tests/misc-tests/006-image-on-missing-device/test.sh
+++ b/tests/misc-tests/006-image-on-missing-device/test.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # test btrfs-image with a missing device (uses loop devices)
 #
-# - btrfs-image must not loop indefinetelly
+# - btrfs-image must not loop indefinitely
 # - btrfs-image will expectedly fail to produce the dump
 source "$TEST_TOP/common"
diff --git a/tests/misc-tests/011-delete-missing-device/test.sh b/tests/misc-tests/011-delete-missing-device/test.sh
index 4c976421..a6b2e29c 100755
--- a/tests/misc-tests/011-delete-missing-device/test.sh
+++ b/tests/misc-tests/011-delete-missing-device/test.sh
@@ -44,6 +44,22 @@ test_delete_missing()
 run_check_umount_test_dev
 }
+test_missing_error()
+{
+ local out
+
+ run_check $SUDO_HELPER "$TOP/mkfs.btrfs" -f "$TEST_DEV"
+ run_check_mount_test_dev
+ out=$(run_mustfail_stdout "device remove succeeded" \
+ $SUDO_HELPER "$TOP/btrfs" device remove missing "$TEST_MNT")
+
+ if ! echo "$out" | grep -q "no missing devices found to remove"; then
+ _fail "IOCTL returned unexpected error value"
+ fi
+
+ run_check_umount_test_dev
+}
+
 setup_loopdevs 4
 prepare_loopdevs
 dev1=${loopdevs[1]}
@@ -53,5 +69,6 @@ TEST_DEV=$dev1
 test_do_mkfs -m raid1 -d raid1
 test_wipefs
 test_delete_missing
+test_missing_error
 cleanup_loopdevs
diff --git a/tests/misc-tests/029-send-p-different-mountpoints/test.sh b/tests/misc-tests/029-send-p-different-mountpoints/test.sh
index 0b42b772..a59a585e 100755
--- a/tests/misc-tests/029-send-p-different-mountpoints/test.sh
+++ b/tests/misc-tests/029-send-p-different-mountpoints/test.sh
@@ -10,11 +10,11 @@ check_prereq mkfs.btrfs
 setup_root_helper
 prepare_test_dev
-# we need two mount points, cannot nest the subvoolume under TEST_MNT
+# we need two mount points, cannot nest the subvolume under TEST_MNT
 SUBVOL_MNT="$TEST_MNT/subvol"
 TOPLEVEL_MNT="$TEST_MNT/toplevel"
 TEST_MNT="$TOPLEVEL_MNT"
-mkdir -p "$TOPLEVEL_MNT" "$SUBVOL_MNT"
+run_check $SUDO_HELPER mkdir -p "$TOPLEVEL_MNT" "$SUBVOL_MNT"
 run_check $SUDO_HELPER "$TOP/mkfs.btrfs" -f "$TEST_DEV"
 run_check_mount_test_dev
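Review bot: In the 011-delete-missing-device hunk, `out=$(run_mustfail_stdout ...)` runs the helper inside a command substitution, so if run_mustfail_stdout aborts the test with _fail when the command unexpectedly succeeds (its definition is not visible here), that exit only ends the subshell and test_missing_error keeps going; the unexpected success would then surface only as the misleading `_fail "IOCTL returned unexpected error value"`. It is worth either checking the substitution's status explicitly or widening that message to cover the "command did not fail" case. The `if ! echo "$out" | grep -q "..."` pipeline can be a plain pattern test, `if [[ "$out" != *"no missing devices found to remove"* ]]; then`, which avoids two subprocesses and makes clear the match is a fixed string rather than a regex.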
@@ -47,5 +47,5 @@ run_mustfail_stdout "send -p on 2 mount points" \
 run_check_umount_test_dev "$SUBVOL_MNT"
 run_check_umount_test_dev "$TOPLEVEL_MNT"
-rmdir "$SUBVOL_MNT"
-rmdir "$TOPLEVEL_MNT"
+run_check $SUDO_HELPER rmdir "$SUBVOL_MNT"
+run_check $SUDO_HELPER rmdir "$TOPLEVEL_MNT"
diff --git a/tests/misc-tests/033-filename-length-limit/test.sh b/tests/misc-tests/033-filename-length-limit/test.sh
new file mode 100755
index 00000000..673138e2
--- /dev/null
+++ b/tests/misc-tests/033-filename-length-limit/test.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+#
+# test file name length limits for subvolumes
+
+source "$TEST_TOP/common"
+
+check_prereq mkfs.btrfs
+check_prereq btrfs
+
+setup_root_helper
+prepare_test_dev
+
+run_check "$TOP/mkfs.btrfs" -f "$TEST_DEV"
+run_check_mount_test_dev
+run_check $SUDO_HELPER chmod a+rw "$TEST_MNT"
+
+cd "$TEST_MNT"
+
+longname=\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+0123456789\
+\
+01234
+
+# subvolume name length limit test
+
+# short name test
+run_check $SUDO_HELPER "$TOP/btrfs" subvolume create subvol
+# 255
+run_check $SUDO_HELPER "$TOP/btrfs" subvolume create "$longname"
+# 256, must fail
+run_mustfail "subvolume with name 256 bytes long succeeded" \
+ $SUDO_HELPER "$TOP/btrfs" subvolume create "$longname"5
+# 255*2, must fail
+run_mustfail "subvolume with name 2 * 255 bytes long succeeded" \
+ $SUDO_HELPER "$TOP/btrfs" subvolume create "$longname$longname"
+
+# snapshot name length limit test
+
+run_check $SUDO_HELPER mkdir snaps
+
+# short name test
+run_check $SUDO_HELPER "$TOP/btrfs" subvolume snapshot subvol snaps/snap
+# 255
+run_check $SUDO_HELPER "$TOP/btrfs" subvolume snapshot subvol snaps/"$longname"
+# 256, must fail
+run_mustfail "snapshot with name 256 bytes long succeeded" \
+ $SUDO_HELPER "$TOP/btrfs" subvolume snapshot subvol snaps/"$longname"5
+# 255*2, must fail
+run_mustfail "subvolume with name 2 * 255 bytes long succeeded" \
+ $SUDO_HELPER "$TOP/btrfs" subvolume snapshot subvol snaps/"$longname$longname"
+
+cd ..
+
+run_check_umount_test_dev |
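Review bot: The last `run_mustfail` in the snapshot section still carries the copy-pasted message "subvolume with name 2 * 255 bytes long succeeded" although it guards the snapshot call; it should read `run_mustfail "snapshot with name 2 * 255 bytes long succeeded" \` so a failure log points at the right case. `cd "$TEST_MNT"` is unchecked, and if it fails every following subvolume command runs in whatever directory the test started in; `cd "$TEST_MNT" || _fail "cannot cd to $TEST_MNT"` keeps that explicit. The closing `cd ..` lands in the parent of the mount point rather than where the harness started, so `cd "$TEST_TOP"` (or saving `$PWD` before the first cd) is more predictable. The `chmod a+rw "$TEST_MNT"` has no comment saying why it is needed when every create/snapshot call already goes through `$SUDO_HELPER`; a one-line comment, or dropping it if it is a leftover, would help. Note also that mkfs is run here without `$SUDO_HELPER`, unlike the 011 test in this same series.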