btrfs: Check name_len on add_inode_ref call path

replay_one_buffer first reads buffers and dispatches items accroding to
the item type.
In this patch, add_inode_ref handles inode_ref and inode_extref.
Then add_inode_ref calls ref_get_fields and extref_get_fields to read
ref/extref name for the first time.
So checking name_len before reading those two is fine.

add_inode_ref also calls inode_in_dir to match ref/extref in parent_dir.
The call graph includes btrfs_match_dir_item_name to read dir_item name
in the parent dir.
Checking first dir_item is not enough. Change it to verify every
dir_item while doing matches.

Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/dir-item.c b/fs/btrfs/dir-item.c
index d9c4a3dd071e2d8d93c191f076e72ceadfa99659..2b00dd746118efdd873bc5d2977c5740a52b363f 100644 (file)
--- a/fs/btrfs/dir-item.c
+++ b/fs/btrfs/dir-item.c
@@ -395,8 +395,6 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
 
        leaf = path->nodes[0];
        dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
-       if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
-               return NULL;
 
        total_len = btrfs_item_size_nr(leaf, path->slots[0]);
        while (cur < total_len) {
@@ -405,6 +403,8 @@ struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
                        btrfs_dir_data_len(leaf, dir_item);
                name_ptr = (unsigned long)(dir_item + 1);
 
+               if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
+                       return NULL;
                if (btrfs_dir_name_len(leaf, dir_item) == name_len &&
                    memcmp_extent_buffer(leaf, name, name_ptr, name_len) == 0)
                        return dir_item;

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 1930f28edcdde4572ec998f7aa4f13bd026aeea7..11cf38fb3a495e0c12a62c0905a3fccabc3484a8 100644 (file)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1175,15 +1175,19 @@ next:
        return 0;
 }
 
-static int extref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
-                            u32 *namelen, char **name, u64 *index,
-                            u64 *parent_objectid)
+static int extref_get_fields(struct extent_buffer *eb, int slot,
+                            unsigned long ref_ptr, u32 *namelen, char **name,
+                            u64 *index, u64 *parent_objectid)
 {
        struct btrfs_inode_extref *extref;
 
        extref = (struct btrfs_inode_extref *)ref_ptr;
 
        *namelen = btrfs_inode_extref_name_len(eb, extref);
+       if (!btrfs_is_name_len_valid(eb, slot, (unsigned long)&extref->name,
+                                    *namelen))
+               return -EIO;
+
        *name = kmalloc(*namelen, GFP_NOFS);
        if (*name == NULL)
                return -ENOMEM;
@@ -1198,14 +1202,19 @@ static int extref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
        return 0;
 }
 
-static int ref_get_fields(struct extent_buffer *eb, unsigned long ref_ptr,
-                         u32 *namelen, char **name, u64 *index)
+static int ref_get_fields(struct extent_buffer *eb, int slot,
+                         unsigned long ref_ptr, u32 *namelen, char **name,
+                         u64 *index)
 {
        struct btrfs_inode_ref *ref;
 
        ref = (struct btrfs_inode_ref *)ref_ptr;
 
        *namelen = btrfs_inode_ref_name_len(eb, ref);
+       if (!btrfs_is_name_len_valid(eb, slot, (unsigned long)(ref + 1),
+                                    *namelen))
+               return -EIO;
+
        *name = kmalloc(*namelen, GFP_NOFS);
        if (*name == NULL)
                return -ENOMEM;
@@ -1280,8 +1289,8 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
 
        while (ref_ptr < ref_end) {
                if (log_ref_ver) {
-                       ret = extref_get_fields(eb, ref_ptr, &namelen, &name,
-                                               &ref_index, &parent_objectid);
+                       ret = extref_get_fields(eb, slot, ref_ptr, &namelen,
+                                         &name, &ref_index, &parent_objectid);
                        /*
                         * parent object can change from one array
                         * item to another.
@@ -1293,8 +1302,8 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
                                goto out;
                        }
                } else {
-                       ret = ref_get_fields(eb, ref_ptr, &namelen, &name,
-                                            &ref_index);
+                       ret = ref_get_fields(eb, slot, ref_ptr, &namelen,
+                                            &name, &ref_index);
                }
                if (ret)
                        goto out;