linux-btrfs.vger.kernel.org archive mirror
From: Liu Bo <bo.li.liu@oracle.com>
To: dsterba@suse.cz
Cc: linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 7/7] Btrfs: fix memory leak due to invalid btree height
Date: Tue, 6 Sep 2016 15:04:01 -0700
Message-ID: <20160906220401.GC31641@localhost.localdomain>
In-Reply-To: <20160906165019.GE16983@twin.jikos.cz>

On Tue, Sep 06, 2016 at 06:50:19PM +0200, David Sterba wrote:
> On Fri, May 13, 2016 at 05:07:02PM -0700, Liu Bo wrote:
> > Thanks to fuzz testing, we can have an invalid btree root node height.
> 
> Shouldn't we do this kind of sanity check earlier? Not at the search
> slot time but when it's read from disk. The check that you're adding can
> stay, but without the early check we could hit it very often thus making
> it very noisy.

We do have such an early check when it's read from disk
(btree_readpage_end_io_hook) and this can protect us from 99.9% of cases,
the only corner case is that the fuzz image changes our chunk root node
to superblock bytenr, so we first read the superblock into a dummy eb, and when
we get to read chunk root, we first search the eb tree and find one eb
matching the bytenr, then we take this invalid eb to do
btrfs_search_slot() and we come across this surprise.

Anyway, this patch was made before I found we could actually free
superblock's eb immediately after use.  Now with freeing that eb I don't
think we can have the above problem.

Thanks,

-liubo

> 
> > Btrfs limits btree height to 7 and if the given height is 9, then btrfs
> > will have problems in both releasing root node's lock and freeing the node.
> 
> 
> > 
> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> > ---
> >  fs/btrfs/ctree.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
> > index ec7928a..3fccbcc 100644
> > --- a/fs/btrfs/ctree.c
> > +++ b/fs/btrfs/ctree.c
> > @@ -2756,6 +2756,13 @@ again:
> >  			}
> >  		}
> >  	}
> > +	if (level > BTRFS_MAX_LEVEL - 1 || level < 0) {
> > +		WARN_ONCE(1, KERN_WARNING "Invalid btree height %d\n", level);
> > +		if (!p->skip_locking)
> > +			btrfs_tree_unlock_rw(b, root_lock);
> > +		free_extent_buffer(b);
> > +		return -EINVAL;
> > +	}
> >  	p->nodes[level] = b;
> >  	if (!p->skip_locking)
> >  		p->locks[level] = root_lock;
> > -- 
> > 2.5.5
> > 
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
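
A simplified userspace model of the corner case described in the message above, added here as an illustration and not taken from the patch or the kernel: a buffer cached without validation is returned on a later lookup of the same bytenr, so only the search-time bound check stops the out-of-range level from indexing the path array. The struct layout, the function names (`cache_add_raw`, `read_tree_block`, `search_root`) and the sample bytenr and level values are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LEVEL 8   /* stands in for BTRFS_MAX_LEVEL; valid levels are 0..7 */
#define SLOTS 4

struct eb { uint64_t bytenr; int level; int used; };   /* toy extent buffer */
struct path { struct eb *nodes[MAX_LEVEL]; };
static struct eb cache[SLOTS];                          /* toy "eb tree" */

/* Cache a buffer with no validation, like the superblock's dummy eb. */
static struct eb *cache_add_raw(uint64_t bytenr, int level)
{
    for (int i = 0; i < SLOTS; i++)
        if (!cache[i].used) {
            cache[i] = (struct eb){ bytenr, level, 1 };
            return &cache[i];
        }
    return NULL;
}

/* Tree block read: a cache hit is returned as-is, only a miss is validated. */
static struct eb *read_tree_block(uint64_t bytenr, int disk_level)
{
    for (int i = 0; i < SLOTS; i++)
        if (cache[i].used && cache[i].bytenr == bytenr)
            return &cache[i];              /* read-time check never runs */
    if (disk_level < 0 || disk_level >= MAX_LEVEL)
        return NULL;                       /* early check rejects the block */
    return cache_add_raw(bytenr, disk_level);
}

/* Search-time check: refuse to index p->nodes[] with an out-of-range level. */
static int search_root(struct path *p, struct eb *b)
{
    if (b->level < 0 || b->level > MAX_LEVEL - 1) {
        b->used = 0;                       /* drop the bad buffer */
        return -EINVAL;
    }
    p->nodes[b->level] = b;
    return 0;
}

int main(void)
{
    struct path p = { { 0 } };
    cache_add_raw(65536, 9);               /* constructed: unvalidated eb, level 9 */
    struct eb *root = read_tree_block(65536, 9);
    printf("cached hit=%d search=%d\n", root != NULL, search_root(&p, root));
    return 0;
}
```

Releasing the unvalidated buffer right after use, as the message says was done for the superblock's eb, removes the cache hit in `read_tree_block`, so the read-time check runs again.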
