Thanks for the report from Yoon Jungyeon <jungyeon@xxxxxxxxxx>, we have
more fuzzed images to torture btrfs.

Those images exposed the following problems:

- Chunk check is not comprehensive nor early enough
  Chunk item check lacks profile bits check (e.g. RAID|DUP profile is
  invalid).
  And for certain fuzzed images, the other copy can be valid; the current
  check timing is after tree block read, so there is no way to retry the
  other copy.
  Address the check timing in the 1st patch, while for the profile bits,
  check it in the 4th patch.

- Lack of device item check
  Address it in the 2nd patch.

- First key and level check can be exploited by cached extent buffer
  A cached bad extent buffer can avoid the first key and level check.
  This is addressed in the 3rd patch.

- Inode type mismatch can lead to NULL dereference in endio function
  If an inode claims itself as a symlink but still has a regular file
  extent, then the endio function will cause a NULL pointer dereference.
  Fix it by doing an extra inode mode and dir item type cross check, at
  get_extent() time and inode lookup time.
  Addressed in the 5th and 6th patch.

Qu Wenruo (6):
  btrfs: tree-checker: Verify chunk items
  btrfs: tree-checker: Verify dev item
  btrfs: Check the first key and level for cached extent buffer
  btrfs: tree-checker: Enhance chunk checker to validate chunk profiler
  btrfs: tree-checker: Verify inode item
  btrfs: inode: Verify inode mode to avoid NULL pointer dereference

 fs/btrfs/ctree.c             |  10 +
 fs/btrfs/ctree.h             |   2 +
 fs/btrfs/disk-io.c           |  10 +-
 fs/btrfs/disk-io.h           |   3 +
 fs/btrfs/inode.c             |  38 +++-
 fs/btrfs/tests/inode-tests.c |   1 +
 fs/btrfs/tree-checker.c      | 342 +++++++++++++++++++++++++++++++++++
 fs/btrfs/tree-checker.h      |   3 +
 fs/btrfs/volumes.c           | 103 +---------
 fs/btrfs/volumes.h           |   9 +
 10 files changed, 406 insertions(+), 115 deletions(-)

-- 
2.21.0
