author | Liu Bo <bo.li.liu@oracle.com> | 2016-06-23 16:32:45 -0700 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2016-07-26 13:52:25 +0200 |
commit | 5e24e9af01abcb151173bb133f1a72b94239c670 (patch) | |
tree | acaaca007c5763a9f6309de02fa4459946132e67 /fs/btrfs/ctree.c | |
parent | 6fb37b756acce6d6e045f79c3764206033f617b4 (diff) | |

Btrfs: error out if generic_bin_search get invalid arguments

With btrfs-corrupt-block, one can set btree node/leaf's field; if
we assign a negative value to node/leaf, we can get various hangs,
e.g. if extent_root's nritems is -2ULL, then we get stuck in
btrfs_read_block_groups() because it has a while loop and
btrfs_search_slot() on extent_root will always return the first
child.

This lets us know what's happening and returns an EINVAL to callers
instead of returning the first item.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

Diffstat (limited to 'fs/btrfs/ctree.c')
-rw-r--r-- | fs/btrfs/ctree.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index a85cf7d23309..362879da4f0d 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -1771,6 +1771,14 @@ static noinline int generic_bin_search(struct extent_buffer *eb, unsigned long map_len = 0; int err; + if (low > high) { + btrfs_err(eb->fs_info, + "%s: low (%d) > high (%d) eb %llu owner %llu level %d", + __func__, low, high, eb->start, + btrfs_header_owner(eb), btrfs_header_level(eb)); + return -EINVAL; + } + while (low < high) { mid = (low + high) / 2; offset = p + mid * item_size; |
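
Review bot: The new guard at the top of generic_bin_search() rejects only an inverted range (`low > high`), so a bound that is corrupted to a large positive value still enters `while (low < high)` and computes `offset = p + mid * item_size` from an unvalidated count. Consider also checking the upper bound against what can fit in the extent buffer, or add a comment saying where that is validated. Because this path now returns -EINVAL where the commit message says it used to return the first item, please confirm that every caller treats a negative return as an error rather than as "not found". The format string prints low and high with %d, which is only correct if both are int; their declarations are outside this hunk, so that is worth double-checking.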