* [PATCH 0/5] Fuzzer test fix
@ 2016-08-30 7:22 Qu Wenruo
2016-08-30 7:22 ` [PATCH 1/5] btrfs-progs: fsck: Check drop level before walking through fs tree Qu Wenruo
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw)
To: linux-btrfs; +Cc: Lukas Lueg
Cc: Lukas Lueg <lukas.lueg@gmail.com>
Thanks for the fuzz test from Lukas, quite a lot of bugs are exposed.
The full fixes can be fetched from my github:
https://github.com/adam900710/btrfs-progs/tree/fuzz_fix_160830
The branch has go through fuzz and mkfs tests.
For full low-memory mode checker, I'll push it to David first, so for
low-memory mode fuzzer test, it will need some time.
Test cases uses the same image submitted by Lukas.
Although all these root causes are pinned, it still need quite a lot of
work to make corrupt-block able to create minimal image.
So I choose to directly use his images as test cases.
And special notes for the BUG_ON fix:
The fix just fixes a small corner, while tons of BUG_ON()/abort() are
still here and there.
We need quite a lot of boring work to handle them later.
While the good news is, new low memory mode(at least for extent and
chunk tree check part) is quite safe against such things.
I can't wait to see how the full low-memory mode works under fuzzer
tests.
Lukas Lueg (2):
btrfs-progs: fuzz-test: Add test case for invalid drop level
btrfs-progs: fuzz-test: Add test case for unaligned extent item
Qu Wenruo (3):
btrfs-progs: fsck: Check drop level before walking through fs tree
btrfs-progs: fsck: Check bytenr alignment for extent item
btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref
cmds-check.c | 95 ++++++++++++++++-----
tests/fuzz-tests/images/invalid-drop-level.raw.txt | 30 +++++++
tests/fuzz-tests/images/invalid-drop-level.raw.xz | Bin 0 -> 3788 bytes
.../images/unaligned-extent-item.raw.txt | 8 ++
.../fuzz-tests/images/unaligned-extent-item.raw.xz | Bin 0 -> 3684 bytes
5 files changed, 111 insertions(+), 22 deletions(-)
create mode 100644 tests/fuzz-tests/images/invalid-drop-level.raw.txt
create mode 100644 tests/fuzz-tests/images/invalid-drop-level.raw.xz
create mode 100644 tests/fuzz-tests/images/unaligned-extent-item.raw.txt
create mode 100644 tests/fuzz-tests/images/unaligned-extent-item.raw.xz
--
2.9.3
^ permalink raw reply [flat|nested] 8+ messages in thread* [PATCH 1/5] btrfs-progs: fsck: Check drop level before walking through fs tree 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo @ 2016-08-30 7:22 ` Qu Wenruo 2016-08-30 7:22 ` [PATCH 2/5] btrfs-progs: fuzz-test: Add test case for invalid drop level Qu Wenruo ` (4 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw) To: linux-btrfs Exposed by fuzzed image from Lukas, which contains invalid drop level (16), causing segfault when accessing path->nodes[drop_level]. This patch will check drop level against fs tree level and BTRFS_MAX_LEVEL to avoid such problem. Reported-by: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> --- cmds-check.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cmds-check.c b/cmds-check.c index 1e1f7c9..2aa0a7b 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -3742,6 +3742,11 @@ static int check_fs_root(struct btrfs_root *root, btrfs_disk_key_to_cpu(&key, &root_item->drop_progress); level = root_item->drop_level; path.lowest_level = level; + if (level > btrfs_header_level(root->node) || + level >= BTRFS_MAX_LEVEL) { + error("ignoring invalid drop level: %u", level); + goto skip_walking; + } wret = btrfs_search_slot(NULL, root, &key, &path, 0, 0); if (wret < 0) goto skip_walking; -- 2.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/5] btrfs-progs: fuzz-test: Add test case for invalid drop level 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo 2016-08-30 7:22 ` [PATCH 1/5] btrfs-progs: fsck: Check drop level before walking through fs tree Qu Wenruo @ 2016-08-30 7:22 ` Qu Wenruo 2016-08-30 7:22 ` [PATCH 3/5] btrfs-progs: fsck: Check bytenr alignment for extent item Qu Wenruo ` (3 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw) To: linux-btrfs; +Cc: Lukas Lueg From: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> --- tests/fuzz-tests/images/invalid-drop-level.raw.txt | 30 +++++++++++++++++++++ tests/fuzz-tests/images/invalid-drop-level.raw.xz | Bin 0 -> 3788 bytes 2 files changed, 30 insertions(+) create mode 100644 tests/fuzz-tests/images/invalid-drop-level.raw.txt create mode 100644 tests/fuzz-tests/images/invalid-drop-level.raw.xz diff --git a/tests/fuzz-tests/images/invalid-drop-level.raw.txt b/tests/fuzz-tests/images/invalid-drop-level.raw.txt new file mode 100644 index 0000000..dab91dc --- /dev/null +++ b/tests/fuzz-tests/images/invalid-drop-level.raw.txt @@ -0,0 +1,30 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=154021 +Lukas Lueg 2016-08-26 22:53:42 UTC + +Created attachment 230361 [details] +Image triggering btrfsck to segv + +The fuzzer hit again: + +==32522==ERROR: AddressSanitizer: SEGV on unknown address 0x00027fff801c (pc +0x0000004a952e bp 0x7fff5222ce70 sp 0x7fff5222c600 T0) + #0 0x4a952d in __asan_memcpy +(/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x4a952d) + #1 0x66a323 in read_extent_buffer +/home/lukas/dev/btrfsfuzz/src-asan/extent_io.c:867:2 + #2 0x55ad25 in btrfs_node_key +/home/lukas/dev/btrfsfuzz/src-asan/./ctree.h:1668:2 + #3 0x58573b in check_fs_root +/home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3748:3 + #4 0x544136 in check_fs_roots +/home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:3896:10 + #5 0x53d8c5 in cmd_check +/home/lukas/dev/btrfsfuzz/src-asan/cmds-check.c:11470:8 + #6 0x4f105f in main /home/lukas/dev/btrfsfuzz/src-asan/btrfs.c:243:8 + #7 0x7fea1bcb7730 in __libc_start_main (/lib64/libc.so.6+0x20730) + #8 0x421238 in _start +(/home/lukas/dev/btrfsfuzz/bin-asan/bin/btrfs+0x421238) + + +See the attached image to reproduce using btrfs-progs btrfs-progs +v4.7-42-g56e9586. diff --git a/tests/fuzz-tests/images/invalid-drop-level.raw.xz b/tests/fuzz-tests/images/invalid-drop-level.raw.xz new file mode 100644 index 0000000000000000000000000000000000000000..76c58dce433dc6939c35d25cd4c2f2165be3c94c GIT binary patch literal 3788 zcmeH~=|2>T8pp>rOk7JTgJxt4Lt`gQ*2CB<BqrI%Qd!c-5*lfgW|FZCISiA1hLf?h zVVaPV&{Skihp~hvjID6y++N<#=f0?W&$;(af5G!S-{*OL&+pkWPV_<n0D?1vO?LbM zMZSFi005&sUB=@@3ACREco(rGSm|?ND8m;vD0|KTIinoEwiP~g9ax>^^nl&V!aLzI z@0jC7ai7WK7!5Tr{LL$kd&tn#5c(071;%nA5O#be2iJ)jDeLZ*AUR(PJ8YwA4!I3$ zTpdI@RKC`Yxssl+H&OY9Hrq-6GTl|V4x+X#s3G;?A=8m?^YJdYIPJx2VFvt3`A6$) zbFc+!VFWSadFqZ1VmvcIKef|;?3cDy`_{s?GW@7B(Ex|nkC6#iqSykX37G9Ug~#WP z%6x4!yjQ$&Npr@x!b5Tv((=S{)}`|}(rg2fE(rPBVmo?fUidm$7C}KFN^K}O`%*N* zm#DVVwLK**cnmyCx!@JFD1CqS%#^7VKf0!sIBB=F9AB^QAS>wg#X$ItOle?MEZsey zEu5fG2YH#`&@w%HnnmcLVkX2BefrqmAvV9MpZM(Nl$%=l%st10G&UmKVJfIaLa9=B zH=W%`=09o4T8Zy5S>Pbeuv$qr%@^HI-ouYQMzd%AFBu(|_+uFq;a_`y*z542{kJVM zhkuVtVq9^Jd9$uy6CCecX?RsVoX>$iMX`1Stp|dvFxS+u%zj$h>_O$~O(1@F?egG1 z<SmlpXlc@lk*tA4uDP^(;Kf>R_Vg(skuT3i>bAGsG%>x<QwOZSjJqG%)CdNdVS8Zb zCYsHbI@{oWR0(sZ5bLZx;ylTm&GYfzo1(qEJas#Xn(d_bTZKAsPv$KgH!YQk?o@T( z<QUDpWenL=!`}pYYAL~Jq=+>!)Ky>Nyk_a{!iGbrjvQ!<Rq$5VUXRFPIopf%hcry1 zM`!w(PlsIxnlD&TO{G317Gl~&tNysUFlY084cxwpz$hJ1XftN7iPZLSCS$JXSa|#B zBNN*_$<D^bktugJJLRNd%CEum(??SyqCna%h$jR*rbx2{W9)P&titX@nMO?wWCVJ` zkr#A;g4f9;XV5ZbZ)D99umTFyyovO;mfV^aLtt(t<H5(4Y9X}R&?q#%!~Vc#gZd<* z-t}1rNwG=GWu9KJ!?Fy7Ys-OXjeaWy8fUwPs5KuP3}og6ZmulR^i4LyfEKQnNVF$3 zyx}lq{Gx7HrRH7F2@I=GpS|b#_;bZ_7N+4^%6Yr<BFcObdrlf0g_baWOVX7qxqnkP zGMZea?6;`igJb0t+(>~DSJYxRWSPJMmx7(4y8~Gg-{`IpjdX=7>N!zQqFs<;ETR;( z&L8rqkFEyx@lO93;^xKp_^*w%oN!bq;Yspo0Y0gfd9R0njT%x9BpHq5<gdTo+tc1- z&~iqP{y)v=uN$==hVfmYMR~FjCA>L-Y=HUvzWDH+Bb<D<f>ocQLrevcT1f@<r}9Lr zY}mux{&ygQle-?;e&U88ndFZJS-U$Z!cS?ngLkzq<rVRX2fR|umBXsO?>&L7m)Yp% z${lxGAV6LrilDnD(5qw++wggntXL(%{=&fvuIHq=Qqw-4hr;M1pW2j~jfObhQFd)H z5fv1JQY8Igi4YtxP~$1tB+;8e)NRMEmHQ=}f8bWjCnxYKAZi6CRkn&wX?~&C9O19j z0{d#7v74l=kZ|fl*G|3dfC(5dOO6{g5J`C1*WJ^~xLrIQ7auG(b<TxAPfL)6ZZ6fK z+kGAH2TC7)X-umrwqJ7>2vXrA`A=}+%e_Gv;XQH3YR8Vg+s~f}^{pcn|0<5+fMC~) zmDeTey9NZ!aIlqyTA+m}s9*JFGYhx*H5AyVn4Bn;;uj->^yCDYiES0y#hOGYWo|wA z(#iu`ouPxK<lj>QW-1qpKxD-`Dx_qtdTHHYc@rcup81a7@)DDv-lsP>NtxN=%6sq~ zR0D_Jt+z=Fi;7tYCON94R9HJArGoMwoeI&?%*tcXgSmn0g_(xeX(`)>Cy36}O1Td$ z@V5OX)Hh2Y;^VA)Y3YTi(xQwHF8<`5WI{W<Bp~!LJ3TDD%RF6lyD=ijh!ddQ-S2^Z zbb3X+tT?i+y^tP<@MrycTQ$$fB$t6tjC8^Zne=*Z+s^5YnGVztWq~?vF;Eq&)?usi z@P4_H3Uui^gYH|=+$JX>#duTT{UG~DXi~I7@=T%Uz6VI3lLQU%++Nyb^!hme3&ptQ z<e^Z#ZbNob-nD{iPJW$x$BnBgaoL&N2=gwmyBhASxbI@@W%4iN$=7VVb&sX%v06H# z?Z-TbO8GzmzwT%=X{MfWLB(Fain%fnY>~=C9juKJ+m~I%FuA4j``@A?-?cj5bs+xJ ztre!kANi(ant;U%?o~T~vu^(X>;129@o@=@hM&NGz`Xnf_JeNkC$OKu{=Mz|tK{?B wgkgb}03ks6RK`Pjfcze2ZzF}24B)GVV6j+{yEVS~^v=*N{(t_g06}lmpA;lkoB#j- literal 0 HcmV?d00001 -- 2.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/5] btrfs-progs: fsck: Check bytenr alignment for extent item 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo 2016-08-30 7:22 ` [PATCH 1/5] btrfs-progs: fsck: Check drop level before walking through fs tree Qu Wenruo 2016-08-30 7:22 ` [PATCH 2/5] btrfs-progs: fuzz-test: Add test case for invalid drop level Qu Wenruo @ 2016-08-30 7:22 ` Qu Wenruo 2016-08-30 7:22 ` [PATCH 4/5] btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref Qu Wenruo ` (2 subsequent siblings) 5 siblings, 0 replies; 8+ messages in thread From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw) To: linux-btrfs Check bytenr alignment for extent item to filter invalid items early. Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> --- cmds-check.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/cmds-check.c b/cmds-check.c index 2aa0a7b..c56b176 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -5422,6 +5422,11 @@ static int process_extent_item(struct btrfs_root *root, num_bytes = key.offset; } + if (!IS_ALIGNED(key.objectid, root->sectorsize)) { + error("ignoring invalid extent, bytenr %llu is not aligned to %u", + key.objectid, root->sectorsize); + return -EIO; + } if (item_size < sizeof(*ei)) { #ifdef BTRFS_COMPAT_EXTENT_TREE_V0 struct btrfs_extent_item_v0 *ei0; @@ -5448,6 +5453,16 @@ static int process_extent_item(struct btrfs_root *root, metadata = 1; else metadata = 0; + if (metadata && num_bytes != root->nodesize) { + error("ignore invalid metadata extent, length %llu does not equal to %u", + num_bytes, root->nodesize); + return -EIO; + } + if (!metadata && !IS_ALIGNED(num_bytes, root->sectorsize)) { + error("ignore invalid data extent, length %llu is not aligned to %u", + num_bytes, root->sectorsize); + return -EIO; + } memset(&tmpl, 0, sizeof(tmpl)); tmpl.start = key.objectid; -- 2.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/5] btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo ` (2 preceding siblings ...) 2016-08-30 7:22 ` [PATCH 3/5] btrfs-progs: fsck: Check bytenr alignment for extent item Qu Wenruo @ 2016-08-30 7:22 ` Qu Wenruo 2016-08-30 7:22 ` [PATCH 5/5] btrfs-progs: fuzz-test: Add test case for unaligned extent item Qu Wenruo 2016-08-30 14:40 ` [PATCH 0/5] Fuzzer test fix David Sterba 5 siblings, 0 replies; 8+ messages in thread From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw) To: linux-btrfs Add_tree_backref() can cause BUG_ON() and abort() in quite a lot of cases, from the ENOMEM to existing tree backref records. Change all these BUG_ON() and abort() to return proper values. And modify all callers to handle such problems. Reported-by: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> --- cmds-check.c | 75 ++++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 53 insertions(+), 22 deletions(-) diff --git a/cmds-check.c b/cmds-check.c index c56b176..ef3e3a1 100644 --- a/cmds-check.c +++ b/cmds-check.c @@ -4864,20 +4864,25 @@ static int add_tree_backref(struct cache_tree *extent_cache, u64 bytenr, add_extent_rec_nolookup(extent_cache, &tmpl); + /* really a bug in cache_extent implement now */ cache = lookup_cache_extent(extent_cache, bytenr, 1); if (!cache) - abort(); + return -ENOENT; } rec = container_of(cache, struct extent_record, cache); if (rec->start != bytenr) { - abort(); + /* + * Several cause, from unaligned bytenr to over lapping extents + */ + return -EEXIST; } back = find_tree_backref(rec, parent, root); if (!back) { back = alloc_tree_backref(rec, parent, root); - BUG_ON(!back); + if (!back) + return -ENOMEM; } if (found_ref) { @@ -5154,16 +5159,18 @@ static int process_extent_ref_v0(struct cache_tree *extent_cache, { struct btrfs_extent_ref_v0 *ref0; struct btrfs_key key; + int ret; btrfs_item_key_to_cpu(leaf, &key, slot); ref0 = btrfs_item_ptr(leaf, slot, struct btrfs_extent_ref_v0); if (btrfs_ref_objectid_v0(leaf, ref0) < BTRFS_FIRST_FREE_OBJECTID) { - add_tree_backref(extent_cache, key.objectid, key.offset, 0, 0); + ret = add_tree_backref(extent_cache, key.objectid, key.offset, + 0, 0); } else { - add_data_backref(extent_cache, key.objectid, key.offset, 0, - 0, 0, btrfs_ref_count_v0(leaf, ref0), 0, 0); + ret = add_data_backref(extent_cache, key.objectid, key.offset, + 0, 0, 0, btrfs_ref_count_v0(leaf, ref0), 0, 0); } - return 0; + return ret; } #endif @@ -5406,6 +5413,7 @@ static int process_extent_item(struct btrfs_root *root, struct extent_record tmpl; unsigned long end; unsigned long ptr; + int ret; int type; u32 item_size = btrfs_item_size_nr(eb, slot); u64 refs = 0; @@ -5485,12 +5493,18 @@ static int process_extent_item(struct btrfs_root *root, offset = btrfs_extent_inline_ref_offset(eb, iref); switch (type) { case BTRFS_TREE_BLOCK_REF_KEY: - add_tree_backref(extent_cache, key.objectid, - 0, offset, 0); + ret = add_tree_backref(extent_cache, key.objectid, + 0, offset, 0); + if (ret < 0) + error("add_tree_backref failed: %s", + strerror(-ret)); break; case BTRFS_SHARED_BLOCK_REF_KEY: - add_tree_backref(extent_cache, key.objectid, - offset, 0, 0); + ret = add_tree_backref(extent_cache, key.objectid, + offset, 0, 0); + if (ret < 0) + error("add_tree_backref failed: %s", + strerror(-ret)); break; case BTRFS_EXTENT_DATA_REF_KEY: dref = (struct btrfs_extent_data_ref *)(&iref->offset); @@ -6413,13 +6427,19 @@ static int run_next_block(struct btrfs_root *root, } if (key.type == BTRFS_TREE_BLOCK_REF_KEY) { - add_tree_backref(extent_cache, key.objectid, 0, - key.offset, 0); + ret = add_tree_backref(extent_cache, + key.objectid, 0, key.offset, 0); + if (ret < 0) + error("add_tree_backref failed: %s", + strerror(-ret)); continue; } if (key.type == BTRFS_SHARED_BLOCK_REF_KEY) { - add_tree_backref(extent_cache, key.objectid, - key.offset, 0, 0); + ret = add_tree_backref(extent_cache, + key.objectid, key.offset, 0, 0); + if (ret < 0) + error("add_tree_backref failed: %s", + strerror(-ret)); continue; } if (key.type == BTRFS_EXTENT_DATA_REF_KEY) { @@ -6517,9 +6537,16 @@ static int run_next_block(struct btrfs_root *root, tmpl.metadata = 1; tmpl.max_size = size; ret = add_extent_rec(extent_cache, &tmpl); - BUG_ON(ret); + if (ret < 0) + goto out; - add_tree_backref(extent_cache, ptr, parent, owner, 1); + ret = add_tree_backref(extent_cache, ptr, parent, + owner, 1); + if (ret < 0) { + error("add_tree_backref failed: %s", + strerror(-ret)); + continue; + } if (level > 1) { add_pending(nodes, seen, ptr, size); @@ -6553,6 +6580,7 @@ static int add_root_to_pending(struct extent_buffer *buf, u64 objectid) { struct extent_record tmpl; + int ret; if (btrfs_header_level(buf) > 0) add_pending(nodes, seen, buf->start, buf->len); @@ -6570,11 +6598,12 @@ static int add_root_to_pending(struct extent_buffer *buf, if (objectid == BTRFS_TREE_RELOC_OBJECTID || btrfs_header_backref_rev(buf) < BTRFS_MIXED_BACKREF_REV) - add_tree_backref(extent_cache, buf->start, buf->start, - 0, 1); + ret = add_tree_backref(extent_cache, buf->start, buf->start, + 0, 1); else - add_tree_backref(extent_cache, buf->start, 0, objectid, 1); - return 0; + ret = add_tree_backref(extent_cache, buf->start, 0, objectid, + 1); + return ret; } /* as we fix the tree, we might be deleting blocks that @@ -8425,8 +8454,10 @@ static int deal_root_from_list(struct list_head *list, ret = -EIO; break; } - add_root_to_pending(buf, extent_cache, pending, + ret = add_root_to_pending(buf, extent_cache, pending, seen, nodes, rec->objectid); + if (ret < 0) + break; /* * To rebuild extent tree, we need deal with snapshot * one by one, otherwise we deal with node firstly which -- 2.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 5/5] btrfs-progs: fuzz-test: Add test case for unaligned extent item 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo ` (3 preceding siblings ...) 2016-08-30 7:22 ` [PATCH 4/5] btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref Qu Wenruo @ 2016-08-30 7:22 ` Qu Wenruo 2016-08-30 14:40 ` [PATCH 0/5] Fuzzer test fix David Sterba 5 siblings, 0 replies; 8+ messages in thread From: Qu Wenruo @ 2016-08-30 7:22 UTC (permalink / raw) To: linux-btrfs; +Cc: Lukas Lueg From: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Lukas Lueg <lukas.lueg@gmail.com> Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com> --- tests/fuzz-tests/images/unaligned-extent-item.raw.txt | 8 ++++++++ tests/fuzz-tests/images/unaligned-extent-item.raw.xz | Bin 0 -> 3684 bytes 2 files changed, 8 insertions(+) create mode 100644 tests/fuzz-tests/images/unaligned-extent-item.raw.txt create mode 100644 tests/fuzz-tests/images/unaligned-extent-item.raw.xz diff --git a/tests/fuzz-tests/images/unaligned-extent-item.raw.txt b/tests/fuzz-tests/images/unaligned-extent-item.raw.txt new file mode 100644 index 0000000..7f0b804 --- /dev/null +++ b/tests/fuzz-tests/images/unaligned-extent-item.raw.txt @@ -0,0 +1,8 @@ +URL: https://bugzilla.kernel.org/show_bug.cgi?id=155181 +Lukas Lueg 2016-08-28 10:52:32 UTC + +Created attachment 230891 [details] +BTRFS-image that reaches abort() in btrfsck + +More news from the fuzzer. The attached image causes btrfsck to reach abort() +in in cmds-check.c:add_tree_backref(); using btrfs-progs v4.7-42-g56e9586. diff --git a/tests/fuzz-tests/images/unaligned-extent-item.raw.xz b/tests/fuzz-tests/images/unaligned-extent-item.raw.xz new file mode 100644 index 0000000000000000000000000000000000000000..c401f2e575467fd33118e3e0dacc2e35636065f2 GIT binary patch literal 3684 zcmeH~X*ApU8pr>!t0fF_acgVr)V`}|)!0&7wKUe+6GenjgK8)yRBI<S)~2eoQZcsH zIzn+`sj*y3DYvn;DKlyb5xIBHy|3?S=bkw;FZ%j<@tpJdeV@<s{8+{b*E|7$Yi*|4 zh67LlK>z^2YOfO6Y&2(w4*;N9Y&NltZ40xLh&J_iZO>O-BWCa(ZqZ~@C$$I6&Vk_M z<l(F=M{T0e-0jEjvZ11G%LvJV*sOovWV9CE77XiM!rBLUKcwlyDWdugCnFeVWRR!U zOA{fYYKj}U)9aN%uq%;V8ESE@QGQ4}W;r)-fLnf7vcR{@l@U`*5r0Y^my1R`Q9;H5 zKwzWqK2YZa*~%)fio9{x&Ev`U9OikJXP6wl=YC%2|2b-7msbww9&E^UqC-+X(?iy! zr%>p9r$C*&)9LmK1RuX%4HDhg6seITpP@?8b>1*(J>ou_n<hsM8d7!=omY6yEX*gM zX2C)lV&;ebl(+Bx5t091KVAk-V~&GH^$y?=qddhnK@<4C)*(H@_TD%cQ31>6wYl*2 zyzmLu;9cb$qBPTnOcE-)l&J>Gaeg7sbHm<9u~|q+->gZJAq+WzgwIOtuqF?7tsC}! zG-`Ge<h)>-`=(r4^yR7UM1&UPRt1CSE!ty~&$~|MSMJfu?0{jP8e=a>(aiSi?t$+q zkB?fF78d6|+6B_yJE(-PPi%eRDCl4$ndNffYFn|#vsT9ylnj~)$BTqpQSp}EK+bEY z=gO*u7&(g^#g(XvTBsjgm6|?LM94~3&)ZRnJ&@|<Avh9Pv(Kk<!Tm~ZjJ-S~UGAF3 zE%Z-Oj<$jmd7||V*JWOgkyRwU5gD5ym#=ki#yvyOR=v3S4hQEOj+w6gTE$^1TP2%{ z#*owlHuTg%rx5uDZ_swNUzr1eZ1~hSH8?nS)LFbU46BEwusDj{Y}nRdudGjM>?K=i z|Aplq{HgxBlELCsO-R%WCBk>5gL9H<ZP%I1W^R|%06mWh;YK7>V6tVc%jh(x<HLyw zgQmN+A192)DF_%SQJ-4AGgqABFV{iNK0*@}c)17*W~2DdTgin*TEvn5y3=@>R%+z^ z+vS-_9ZIF?By>-?`h&G<=se?MHEaFi^vt#{af*EbV|L5Tg>=ILrto@lEnO!bNtft1 zoRpf6O#$9ufNwudPwji7v}J|E@BLItG7oQ;QT@AShIa1o%#oP9*!Pp?Lbqw*AWGFu z`Zo*?mo2BNk5tf+HN*Jq^~Dd-O*EVRE5G1lHFXyHT(0DuDdFMt8;&v;@6|IV)JTA8 zHi-P{^m?|Z^0R0`NPca%>HqUsFSL&fE7>9-P2i&n5wRa4Y1EV=pJX&&P_jQILG7a& zbcE@VlQA|JJ}4+c%)`K0wz8X)q$^$7c276*4~fWS4eY3_m%P>CqMHRnEr{P7M^z7h z+hYDpf0veDJs1WLvC0(_W{VUsF!2b6z$m*&)dpO5oV3I&)zNbA%}M`sC#5&|cct^Q zS_`nHA}ZM%oM!<T&5Euqu*!(d>8`QTakGq=oOTw=n%2%{s%wF_{ARxSfycpGh{nH) z*Tjug)*?5a#;pp#%o&@=gTRAL>|E#ot=>OUX7O^%r3d*XGqkl3{1a2F_AphB-FnK8 zefOifnsoxf(n+BUBI3mMilK0{D8Y2gdZ_}5TJ(QBzxtsI%0kDw{7tW|*W~30;SN2m zgCr82fC3{Oo-&Jl_GGFLJFl)Zq`7if`^<EpayJ_vhp`Uh_O7@GnQ;zH!EIO<1AW)$ zHr0+@%}rWYN!T(KyPNt6>jL6X-^ncdD=pi+nJ2N9hK;fvy2<v2cR7*mWqMeFSoK2P z(Zvg{3Rrpf;%b;sNulKZS8(Y#+48E9aaV{*p2Jlfj}Croc?{Y&AXj#C0d@NMu}kv( z#3Ut>U7W`wi5(AKE;{4*k+Gl!+FqF-rDs-`X70&uc8s%S4(4U*U<^e7uA$9j5iWr@ z?*bfysaqRnC(Bx%Wj%%hVEb<mj5Ra~@t#TwImi**ILUU*U#?cRe0triVr;NI(V(1w zo|4Yr!GULKCl>Ria~O}HysE)&re1Mm%JNQvcf){eh!dlcPd&pbfznleq8(wqp)!)j z!GR0$AFj{lCr8eR%sPz~9IH?RqKafzldWm-1(D6Xrtc+;4?RgUF$a>xKZGo{sXpjK z?b)p;(b0zf3PYEY6wd^FxA5z$ePWr%5(=EtBISA2bfxPd%sn{SZud3T{Z1KI<Ve@t zMpi?~S+>@P(*Nnn&r0H-I0RqTy6G;S{vXNEW87+4e-VKc#fWBLgxGR_urIz0)qfYM zaN+^xH)0yVUy0bCrQFXz=nA%M`U>m|*5g-TUwBV^1@=3D;dssi+`yyt^zHNi{w@N` hbsEqIst!E>sOvNihvPFAQ#vH~hcY>SD{>(`{{>VdBPRd= literal 0 HcmV?d00001 -- 2.9.3 ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 0/5] Fuzzer test fix 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo ` (4 preceding siblings ...) 2016-08-30 7:22 ` [PATCH 5/5] btrfs-progs: fuzz-test: Add test case for unaligned extent item Qu Wenruo @ 2016-08-30 14:40 ` David Sterba 2016-08-30 17:42 ` Lukas Lueg 5 siblings, 1 reply; 8+ messages in thread From: David Sterba @ 2016-08-30 14:40 UTC (permalink / raw) To: Qu Wenruo; +Cc: linux-btrfs, Lukas Lueg On Tue, Aug 30, 2016 at 03:22:12PM +0800, Qu Wenruo wrote: > Cc: Lukas Lueg <lukas.lueg@gmail.com> > > Thanks for the fuzz test from Lukas, quite a lot of bugs are exposed. > > The full fixes can be fetched from my github: > https://github.com/adam900710/btrfs-progs/tree/fuzz_fix_160830 > > The branch has go through fuzz and mkfs tests. > > For full low-memory mode checker, I'll push it to David first, so for > low-memory mode fuzzer test, it will need some time. > > Test cases uses the same image submitted by Lukas. > Although all these root causes are pinned, it still need quite a lot of > work to make corrupt-block able to create minimal image. That's not necessary to create a minimal image, but the extended functionality of corrupt-block would help us to extend the testing. > So I choose to directly use his images as test cases. > > And special notes for the BUG_ON fix: > The fix just fixes a small corner, while tons of BUG_ON()/abort() are > still here and there. > We need quite a lot of boring work to handle them later. Yeah yeah, that's been neglected for a very long time. The kernel has the abort_transaction infrastructure, the userspace hasn't been updated in the same way. Long way to go, but every removed bug_on counts. > While the good news is, new low memory mode(at least for extent and > chunk tree check part) is quite safe against such things. > I can't wait to see how the full low-memory mode works under fuzzer > tests. > > > Lukas Lueg (2): > btrfs-progs: fuzz-test: Add test case for invalid drop level > btrfs-progs: fuzz-test: Add test case for unaligned extent item > > Qu Wenruo (3): > btrfs-progs: fsck: Check drop level before walking through fs tree > btrfs-progs: fsck: Check bytenr alignment for extent item > btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref All applied, thanks. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 0/5] Fuzzer test fix 2016-08-30 14:40 ` [PATCH 0/5] Fuzzer test fix David Sterba @ 2016-08-30 17:42 ` Lukas Lueg 0 siblings, 0 replies; 8+ messages in thread From: Lukas Lueg @ 2016-08-30 17:42 UTC (permalink / raw) To: dsterba, Qu Wenruo, linux-btrfs >> And special notes for the BUG_ON fix: >> The fix just fixes a small corner, while tons of BUG_ON()/abort() are >> still here and there. >> We need quite a lot of boring work to handle them later. > > Yeah yeah, that's been neglected for a very long time. The kernel has > the abort_transaction infrastructure, the userspace hasn't been updated > in the same way. Long way to go, but every removed bug_on counts. I've been holding back more images that reach abort() as their coming is pretty clear and actually don't need any fuzzing: Every code path that eventually leads to abort() will get executed sooner or later. As of now, there are 50 unique code paths that reach abort(). Somebody has to bite the bullet and add some error paths :-) ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2016-08-30 17:43 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-08-30 7:22 [PATCH 0/5] Fuzzer test fix Qu Wenruo 2016-08-30 7:22 ` [PATCH 1/5] btrfs-progs: fsck: Check drop level before walking through fs tree Qu Wenruo 2016-08-30 7:22 ` [PATCH 2/5] btrfs-progs: fuzz-test: Add test case for invalid drop level Qu Wenruo 2016-08-30 7:22 ` [PATCH 3/5] btrfs-progs: fsck: Check bytenr alignment for extent item Qu Wenruo 2016-08-30 7:22 ` [PATCH 4/5] btrfs-progs: fsck: Avoid abort and BUG_ON in add_tree_backref Qu Wenruo 2016-08-30 7:22 ` [PATCH 5/5] btrfs-progs: fuzz-test: Add test case for unaligned extent item Qu Wenruo 2016-08-30 14:40 ` [PATCH 0/5] Fuzzer test fix David Sterba 2016-08-30 17:42 ` Lukas Lueg
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).