From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Greg Kroah-Hartman", "Xu Wen", "David Sterba", "Gu Jinxiang", "Qu Wenruo", "Ben Hutchings"
Date: Fri, 24 Apr 2020 00:04:36 +0100
Subject: [PATCH 3.16 049/245] btrfs: tree-checker: Detect invalid and empty essential trees

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Qu Wenruo

commit ba480dd4db9f1798541eb2d1c423fc95feee8d36 upstream.

A crafted image has empty root tree block, which will later cause NULL
pointer dereference.

The following trees should never be empty:
1) Tree root
   Must contain at least root items for extent tree, device tree and fs
   tree

2) Chunk tree
   Or we can't even bootstrap as it contains the mapping.

3) Fs tree
   At least inode item for top level inode (.).

4) Device tree
   Dev extents for chunks

5) Extent tree
   Must have corresponding extent for each chunk.

If any of them is empty, we are sure the fs is corrupted and no need to
mount it.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=199847
Reported-by: Xu Wen
Signed-off-by: Qu Wenruo
Tested-by: Gu Jinxiang
Reviewed-by: David Sterba
Signed-off-by: David Sterba
[bwh: Backported to 4.4: Pass root instead of fs_info to generic_err()]
Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
 fs/btrfs/tree-checker.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c
@@ -456,9 +456,22 @@ static int check_leaf(struct btrfs_root * skip this check for relocation trees. */ if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) { + u64 owner = btrfs_header_owner(leaf); struct btrfs_root *check_root; - key.objectid = btrfs_header_owner(leaf); + /* These trees must never be empty */ + if (owner == BTRFS_ROOT_TREE_OBJECTID || + owner == BTRFS_CHUNK_TREE_OBJECTID || + owner == BTRFS_EXTENT_TREE_OBJECTID || + owner == BTRFS_DEV_TREE_OBJECTID || + owner == BTRFS_FS_TREE_OBJECTID || + owner == BTRFS_DATA_RELOC_TREE_OBJECTID) { + generic_err(root, leaf, 0, + "invalid root, root %llu must never be empty", + owner); + return -EUCLEAN; + } + key.objectid = owner; key.type = BTRFS_ROOT_ITEM_KEY; key.offset = (u64)-1;
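
Review bot: the owner list in the new `if` includes `BTRFS_DATA_RELOC_TREE_OBJECTID`, but the commit message enumerates only five trees (tree root, chunk, fs, device, extent), and the comment `/* These trees must never be empty */` gives no reason for the sixth. Please either add the data reloc tree to the changelog with its justification or extend the comment to say why it can never be empty, since the surrounding context comment already says to "skip this check for relocation trees" and a reader can easily confuse the `BTRFS_HEADER_FLAG_RELOC` exemption with this objectid. Also worth stating in the comment: `owner` is taken from `btrfs_header_owner(leaf)`, that is, from the same on-disk block being validated, so this rejection applies only to empty leaves that declare one of these six owners. Any other owner value still falls through to the existing `BTRFS_ROOT_ITEM_KEY` lookup with `key.objectid = owner`, so that path has to remain safe for arbitrary owner values.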