1. 14 Feb, 2011 4 commits
      btrfs: prevent heap corruption in btrfs_ioctl_space_info() · 51788b1b
      Dan Rosenberg authored
      Commit bf5fc093 refactored
      btrfs_ioctl_space_info() and introduced several security issues.
      
      space_args.space_slots is an unsigned 64-bit type controlled by a
      possibly unprivileged caller.  The comparison as a signed int type
      allows providing values that are treated as negative and cause the
      subsequent allocation size calculation to wrap, or be truncated to 0.
      By providing a size that's truncated to 0, kmalloc() will return
      ZERO_SIZE_PTR.  It's also possible to provide a value smaller than the
      slot count.  The subsequent loop ignores the allocation size when
      copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
      
      The fix changes the slot count type and comparison typecast to u64,
      which prevents truncation or signedness errors, and also ensures that we
      don't copy more data than we've allocated in the subsequent loop.  Note
      that zero-size allocations are no longer possible since there is already
      an explicit check for space_args.space_slots being 0 and truncation of
      this value is no longer an issue.
      Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
      Signed-off-by: Josef Bacik <josef@redhat.com>
      Reviewed-by: Josef Bacik <josef@redhat.com>
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
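      A constructed C model of the signedness and truncation hazard the message above describes, added here as an illustration and not the btrfs code itself: `space_args` and `space_slots` come from the commit, while the `space_entry` record, `AVAIL_SLOTS` and the function names are assumed. It places the buggy int-based size computation beside the u64 form the fix adopts, with the copy loop bounded by the allocated count.

```c
/* Constructed model of the bug in the commit message: a caller-controlled u64 slot
 * count handled as a signed int. Not btrfs code: space_args/space_slots are from the
 * commit; space_entry, AVAIL_SLOTS and the function names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

typedef uint64_t u64;
struct space_args  { u64 space_slots; };                 /* caller-supplied request */
struct space_entry { u64 flags, total, used; };           /* constructed per-slot record */
#define AVAIL_SLOTS 16   /* constructed: slots the kernel actually has to report */

/* Buggy variant: (int)space_slots can truncate to 0 or go negative; a negative
 * count passes the comparison and the byte count wraps once multiplied as size_t.
 * Returns the size kmalloc() would be asked for. */
static size_t buggy_alloc_size(const struct space_args *a)
{
    int slot_count = AVAIL_SLOTS;
    if ((int)a->space_slots < slot_count)
        slot_count = (int)a->space_slots;
    return sizeof(struct space_entry) * slot_count;
}

/* Fixed variant, as in the commit: count and comparison stay u64, so any oversized
 * value is simply clamped to AVAIL_SLOTS. */
static u64 fixed_slot_count(const struct space_args *a)
{
    return a->space_slots < AVAIL_SLOTS ? a->space_slots : AVAIL_SLOTS;
}

/* Allocates exactly slot_count entries and bounds the copy loop by that same count,
 * so the loop can never outrun the allocation. Returns entries written, -1 on error. */
static long fixed_collect(const struct space_args *a, u64 have_entries)
{
    if (a->space_slots == 0)          /* the explicit zero check the commit relies on */
        return -1;
    u64 slot_count = fixed_slot_count(a);
    struct space_entry *dest = calloc(slot_count, sizeof(*dest));
    if (!dest)
        return -1;
    u64 n = 0;
    for (u64 i = 0; i < have_entries && n < slot_count; i++, n++)
        dest[n].flags = i, dest[n].total = 100 * i, dest[n].used = 10 * i;
    free(dest);
    return (long)n;
}
```

      A request of 2^32 slots truncates to a zero-byte allocation in the buggy form, and a value with the top bit set in the low 32 bits goes negative and wraps; the u64 form clamps both to AVAIL_SLOTS.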
      Btrfs: Fix balance panic · 6848ad64
      Yan, Zheng authored
      Mark the cloned backref_node as checked in clone_backref_node()
      Signed-off-by: Yan, Zheng <zheng.z.yan@intel.com>
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
      Btrfs: don't release pages when we can't clear the uptodate bits · e3f24cc5
      Chris Mason authored
      Btrfs tracks uptodate state in an rbtree as well as in the
      page bits.  This is supposed to enable us to use block sizes other than
      the page size, but there are a few parts still missing before that
      completely works.
      
      But, our readpage routine trusts this additional range based tracking
      of uptodateness, much in the same way the buffer head up to date bits
      are trusted for the other filesystems.
      
      The problem is that sometimes we need to allocate memory in order to
      split records in the rbtree, even when we are just clearing bits.  This
      can be difficult when our clearing function is called GFP_ATOMIC, which
      can happen in the releasepage path.
      
      So, what happens today looks like this:
      
      releasepage called with GFP_ATOMIC
      btrfs_releasepage calls clear_extent_bit
      clear_extent_bit fails to allocate ram, leaving the up to date bit set
      btrfs_releasepage returns success
      
      The end result is the page being gone, but btrfs thinking the range is
      up to date.   Later on if someone tries to read that same page, the
      btrfs readpage code will return immediately thinking the page is already
      up to date.
      
      This commit fixes things to fail the releasepage when we can't clear the
      extent state bits.  It covers both data pages and metadata tree blocks.
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
      Btrfs: fix page->private races · eb14ab8e
      Chris Mason authored
      There is a race where btrfs_releasepage can drop the
      page->private contents just as alloc_extent_buffer is setting
      up pages for metadata.  Because of how the Btrfs page flags work,
      this results in us skipping the crc on the page during IO.
      
      This patch solves the race by waiting until after the extent buffer
      is inserted into the radix tree before it sets page private.
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
  2. 07 Feb, 2011 1 commit
  3. 06 Feb, 2011 4 commits
  4. 01 Feb, 2011 3 commits
  5. 31 Jan, 2011 2 commits
      Btrfs: catch errors from btrfs_sync_log · b31eabd8
      Chris Mason authored
      btrfs_sync_log returns -EAGAIN when we need full transaction commits
      instead of small log commits, but sometimes we were dropping the return
      value.
      
      In practice, we check for this a few different ways, but this is still a
      bug that can leave off full log commits when we really need them.
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
      Btrfs: make shrink_delalloc a little friendlier · b1953bce
      Josef Bacik authored
      Xfstests 224 will just sit there and spin forever until eventually we give up
      flushing delalloc and exit.  On my box this took several hours.  I could not
      interrupt this process either, even though we use INTERRUPTIBLE.  So do 2 things
      
      1) Keep us from looping over and over again without reclaiming anything
      2) If we get interrupted exit the loop
      
      I tested this and the test now exits in a reasonable amount of time, and can be
      interrupted with ctrl+c.  Thanks,
      Signed-off-by: Josef Bacik <josef@redhat.com>
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
  6. 28 Jan, 2011 12 commits
  7. 26 Jan, 2011 12 commits
  8. 17 Jan, 2011 1 commit
      Btrfs: forced readonly mounts on errors · acce952b
      liubo authored
      This patch comes from "Forced readonly mounts on errors" ideas.
      
      As we know, this is the first step in being more fault tolerant of disk
      corruptions instead of just using BUG() statements.
      
      The major content:
      - add a framework for generating errors that should result in filesystems
        going readonly.
      - keep FS state in disk super block.
      - make sure that all resources will be freed and released at umount time.
      - make sure that after FS is forced readonly on error, there will be no more
        disk change before FS is corrected. For this, we should stop write operation.
      
      After this patch is applied, the conversion from BUG() to such a framework can
      happen incrementally.
      Signed-off-by: Liu Bo <liubo2009@cn.fujitsu.com>
      Signed-off-by: Chris Mason <chris.mason@oracle.com>
  9. 16 Jan, 2011 1 commit