Btrfs: add more validation checks for superblock

This adds validation checks for super_total_bytes, super_bytes_used and super_stripesize, super_num_devices. Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Reported-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: David Sterba <dsterba@suse.com>
author: Liu Bo <bo.li.liu@oracle.com> 2016-06-03 15:05:14 -0400
committer: David Sterba <dsterba@suse.com> 2016-06-06 04:41:53 -0400
commit: 99e3ecfcb9f4ca35192d20a5bea158b81f600062 (patch)
tree: 41a481ff46b66e463f8824c66834c4402ea836e7
parent: d865177a5e749827f248f6363f5100d3a2f66b0f (diff)
2 files changed, 35 insertions, 0 deletions
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 6628fca9f4ed..2bd5f5e975cc 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4130,6 +4130,17 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
         * Hint to catch really bogus numbers, bitflips or so, more exact checks are
         * done later
         */
+        if (btrfs_super_bytes_used(sb) < 6 * btrfs_super_nodesize(sb)) {
+                btrfs_err(fs_info, "bytes_used is too small %llu",
+                       btrfs_super_bytes_used(sb));
+                ret = -EINVAL;
+        }
+        if (!is_power_of_2(btrfs_super_stripesize(sb)) ||
+            btrfs_super_stripesize(sb) != sectorsize) {
+                btrfs_err(fs_info, "invalid stripesize %u",
+                       btrfs_super_stripesize(sb));
+                ret = -EINVAL;
+        }
        if (btrfs_super_num_devices(sb) > (1UL << 31))
                printk(KERN_WARNING "BTRFS: suspicious number of devices: %llu\n",
                                btrfs_super_num_devices(sb));
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 42ccde43053b..fd5c9e69894a 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6651,6 +6651,7 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
        struct btrfs_key found_key;
        int ret;
        int slot;
+        u64 total_dev = 0;
        root = root->fs_info->chunk_root;
@@ -6692,6 +6693,7 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
                        ret = read_one_dev(root, leaf, dev_item);
                        if (ret)
                                goto error;
+                        total_dev++;
                } else if (found_key.type == BTRFS_CHUNK_ITEM_KEY) {
                        struct btrfs_chunk *chunk;
                        chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk);
@@ -6701,6 +6703,28 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
                }
                path->slots[0]++;
        }
+        /*
+         * After loading chunk tree, we've got all device information,
+         * do another round of validation checks.
+         */
+        if (total_dev != root->fs_info->fs_devices->total_devices) {
+                btrfs_err(root->fs_info,
+           "super_num_devices %llu mismatch with num_devices %llu found here",
+                          btrfs_super_num_devices(root->fs_info->super_copy),
+                          total_dev);
+                ret = -EINVAL;
+                goto error;
+        }
+        if (btrfs_super_total_bytes(root->fs_info->super_copy) <
+            root->fs_info->fs_devices->total_rw_bytes) {
+                btrfs_err(root->fs_info,
+        "super_total_bytes %llu mismatch with fs_devices total_rw_bytes %llu",
+                          btrfs_super_total_bytes(root->fs_info->super_copy),
+                          root->fs_info->fs_devices->total_rw_bytes);
+                ret = -EINVAL;
+                goto error;
+        }
        ret = 0;
 error:
        unlock_chunks(root);
author	Liu Bo <bo.li.liu@oracle.com>	2016-06-03 15:05:14 -0400
committer	David Sterba <dsterba@suse.com>	2016-06-06 04:41:53 -0400
commit	99e3ecfcb9f4ca35192d20a5bea158b81f600062 (patch)
tree	41a481ff46b66e463f8824c66834c4402ea836e7
parent	d865177a5e749827f248f6363f5100d3a2f66b0f (diff)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 6628fca9f4ed..2bd5f5e975cc 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c
@@ -4130,6 +4130,17 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
4130	* Hint to catch really bogus numbers, bitflips or so, more exact checks are	4130	* Hint to catch really bogus numbers, bitflips or so, more exact checks are
4131	* done later	4131	* done later
4132	*/	4132	*/
		4133	if (btrfs_super_bytes_used(sb) < 6 * btrfs_super_nodesize(sb)) {
		4134	btrfs_err(fs_info, "bytes_used is too small %llu",
		4135	btrfs_super_bytes_used(sb));
		4136	ret = -EINVAL;
		4137	}
		4138	if (!is_power_of_2(btrfs_super_stripesize(sb)) \|\|
		4139	btrfs_super_stripesize(sb) != sectorsize) {
		4140	btrfs_err(fs_info, "invalid stripesize %u",
		4141	btrfs_super_stripesize(sb));
		4142	ret = -EINVAL;
		4143	}
4133	if (btrfs_super_num_devices(sb) > (1UL << 31))	4144	if (btrfs_super_num_devices(sb) > (1UL << 31))
4134	printk(KERN_WARNING "BTRFS: suspicious number of devices: %llu\n",	4145	printk(KERN_WARNING "BTRFS: suspicious number of devices: %llu\n",
4135	btrfs_super_num_devices(sb));	4146	btrfs_super_num_devices(sb));


diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 42ccde43053b..fd5c9e69894a 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c
@@ -6651,6 +6651,7 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
6651	struct btrfs_key found_key;	6651	struct btrfs_key found_key;
6652	int ret;	6652	int ret;
6653	int slot;	6653	int slot;
		6654	u64 total_dev = 0;
6654		6655
6655	root = root->fs_info->chunk_root;	6656	root = root->fs_info->chunk_root;
6656		6657
@@ -6692,6 +6693,7 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
6692	ret = read_one_dev(root, leaf, dev_item);	6693	ret = read_one_dev(root, leaf, dev_item);
6693	if (ret)	6694	if (ret)
6694	goto error;	6695	goto error;
		6696	total_dev++;
6695	} else if (found_key.type == BTRFS_CHUNK_ITEM_KEY) {	6697	} else if (found_key.type == BTRFS_CHUNK_ITEM_KEY) {
6696	struct btrfs_chunk *chunk;	6698	struct btrfs_chunk *chunk;
6697	chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk);	6699	chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk);
@@ -6701,6 +6703,28 @@ int btrfs_read_chunk_tree(struct btrfs_root *root)
6701	}	6703	}
6702	path->slots[0]++;	6704	path->slots[0]++;
6703	}	6705	}
		6706
		6707	/*
		6708	* After loading chunk tree, we've got all device information,
		6709	* do another round of validation checks.
		6710	*/
		6711	if (total_dev != root->fs_info->fs_devices->total_devices) {
		6712	btrfs_err(root->fs_info,
		6713	"super_num_devices %llu mismatch with num_devices %llu found here",
		6714	btrfs_super_num_devices(root->fs_info->super_copy),
		6715	total_dev);
		6716	ret = -EINVAL;
		6717	goto error;
		6718	}
		6719	if (btrfs_super_total_bytes(root->fs_info->super_copy) <
		6720	root->fs_info->fs_devices->total_rw_bytes) {
		6721	btrfs_err(root->fs_info,
		6722	"super_total_bytes %llu mismatch with fs_devices total_rw_bytes %llu",
		6723	btrfs_super_total_bytes(root->fs_info->super_copy),
		6724	root->fs_info->fs_devices->total_rw_bytes);
		6725	ret = -EINVAL;
		6726	goto error;
		6727	}
6704	ret = 0;	6728	ret = 0;
6705	error:	6729	error:
6706	unlock_chunks(root);	6730	unlock_chunks(root);