btrfs: Check name_len on add_inode_ref call path
replay_one_buffer first reads buffers and dispatches items accroding to the item type. In this patch, add_inode_ref handles inode_ref and inode_extref. Then add_inode_ref calls ref_get_fields and extref_get_fields to read ref/extref name for the first time. So checking name_len before reading those two is fine. add_inode_ref also calls inode_in_dir to match ref/extref in parent_dir. The call graph includes btrfs_match_dir_item_name to read dir_item name in the parent dir. Checking first dir_item is not enough. Change it to verify every dir_item while doing matches. Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
This commit is contained in:
parent
e79a33270d
commit
26a836cec2
|
@ -395,8 +395,6 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
|
||||||
|
|
||||||
leaf = path->nodes[0];
|
leaf = path->nodes[0];
|
||||||
dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
|
dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
|
||||||
if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
total_len = btrfs_item_size_nr(leaf, path->slots[0]);
|
total_len = btrfs_item_size_nr(leaf, path->slots[0]);
|
||||||
while (cur < total_len) {
|
while (cur < total_len) {
|
||||||
|
@ -405,6 +403,8 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
|
||||||
btrfs_dir_data_len(leaf, dir_item);
|
btrfs_dir_data_len(leaf, dir_item);
|
||||||
name_ptr = (unsigned long)(dir_item + 1);
|
name_ptr = (unsigned long)(dir_item + 1);
|
||||||
|
|
||||||
|
if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
|
||||||
|
return NULL;
|
||||||
if (btrfs_dir_name_len(leaf, dir_item) == name_len &&
|
if (btrfs_dir_name_len(leaf, dir_item) == name_len &&
|
||||||
memcmp_extent_buffer(leaf, name, name_ptr, name_len) == 0)
|
memcmp_extent_buffer(leaf, name, name_ptr, name_len) == 0)
|
||||||
return dir_item;
|
return dir_item;
|
||||||
|
|
|
@ -1175,15 +1175,19 @@ next:
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int extref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
|
static int extref_get_fields(struct extent_buffer *eb, int slot,
|
||||||
u32 *namelen, char **name, u64 *index,
|
unsigned long ref_ptr, u32 *namelen, char **name,
|
||||||
u64 *parent_objectid)
|
u64 *index, u64 *parent_objectid)
|
||||||
{
|
{
|
||||||
struct btrfs_inode_extref *extref;
|
struct btrfs_inode_extref *extref;
|
||||||
|
|
||||||
extref = (struct btrfs_inode_extref *)ref_ptr;
|
extref = (struct btrfs_inode_extref *)ref_ptr;
|
||||||
|
|
||||||
*namelen = btrfs_inode_extref_name_len(eb, extref);
|
*namelen = btrfs_inode_extref_name_len(eb, extref);
|
||||||
|
if (!btrfs_is_name_len_valid(eb, slot, (unsigned long)&extref->name,
|
||||||
|
*namelen))
|
||||||
|
return -EIO;
|
||||||
|
|
||||||
*name = kmalloc(*namelen, GFP_NOFS);
|
*name = kmalloc(*namelen, GFP_NOFS);
|
||||||
if (*name == NULL)
|
if (*name == NULL)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -1198,14 +1202,19 @@ static int extref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
|
static int ref_get_fields(struct extent_buffer *eb, int slot,
|
||||||
u32 *namelen, char **name, u64 *index)
|
unsigned long ref_ptr, u32 *namelen, char **name,
|
||||||
|
u64 *index)
|
||||||
{
|
{
|
||||||
struct btrfs_inode_ref *ref;
|
struct btrfs_inode_ref *ref;
|
||||||
|
|
||||||
ref = (struct btrfs_inode_ref *)ref_ptr;
|
ref = (struct btrfs_inode_ref *)ref_ptr;
|
||||||
|
|
||||||
*namelen = btrfs_inode_ref_name_len(eb, ref);
|
*namelen = btrfs_inode_ref_name_len(eb, ref);
|
||||||
|
if (!btrfs_is_name_len_valid(eb, slot, (unsigned long)(ref + 1),
|
||||||
|
*namelen))
|
||||||
|
return -EIO;
|
||||||
|
|
||||||
*name = kmalloc(*namelen, GFP_NOFS);
|
*name = kmalloc(*namelen, GFP_NOFS);
|
||||||
if (*name == NULL)
|
if (*name == NULL)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -1280,8 +1289,8 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
|
||||||
|
|
||||||
while (ref_ptr < ref_end) {
|
while (ref_ptr < ref_end) {
|
||||||
if (log_ref_ver) {
|
if (log_ref_ver) {
|
||||||
ret = extref_get_fields(eb, ref_ptr, &namelen, &name,
|
ret = extref_get_fields(eb, slot, ref_ptr, &namelen,
|
||||||
&ref_index, &parent_objectid);
|
&name, &ref_index, &parent_objectid);
|
||||||
/*
|
/*
|
||||||
* parent object can change from one array
|
* parent object can change from one array
|
||||||
* item to another.
|
* item to another.
|
||||||
|
@ -1293,8 +1302,8 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ret = ref_get_fields(eb, ref_ptr, &namelen, &name,
|
ret = ref_get_fields(eb, slot, ref_ptr, &namelen,
|
||||||
&ref_index);
|
&name, &ref_index);
|
||||||
}
|
}
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
Loading…
Reference in New Issue