3 places where we copy pathnames into ioctl arguments
were not limited to the destination name size, and
could overflow. Use the new strncpy_null() macro
to make this safe.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
In the places where we copy a string into the name
member of btrfs_ioctl_vol_args or btrfs_ioctl_vol_args_v2,
we use strncopy (to not overflow the name array) and then
set the last position to the null character.
Howver, in both cases the arrays are defined with:
char name[MAX+1];
hence the last array position is name[MAX].
In most cases, we now insert the null at name[MAX-1]
which deprives us of one useful character.
Even the above isn't consistent through the code, so
make some helper code to make it simple, i.e.
strncpy_null(dest, src) which automatically does the
right thing based on the size of dest.
Thanks to Zach Brown for the macro suggestion.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
cmd_subvol_create() calls either BTRFS_IOC_SUBVOL_CREATE
or BTRFS_IOC_SUBVOL_CREATE_V2 depending on whether or
not inherit is set. However, these 2 ioctls have different
args structures with different length name[] members.
In the BTRFS_IOC_SUBVOL_CREATE case, the arg is
btrfs_ioctl_vol_args, with a BTRFS_PATH_NAME_MAX length
name, not a BTRFS_SUBVOL_NAME_MAX length name.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
__setup_root() was present in find-root.c as well
as disk-io.c. No need for the cut and paste, just
use the one in disk-io.c
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Zach Brown <zab@redhat.com>
"mdresotre" sounds like it might be French, but most
likely it's a misspelling of mdrestore. Fix it.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Zach Brown <zab@redhat.com>
Mostly just to keep things like coverity happy about potentially
uninitialized structure members, since it doesn't grok the ioctl.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Zach Brown <zab@redhat.com>
In the case that btrfs scrub cancel is given a device name,
we close the file handle, and then pass it to check_mounted_where()
which eventually preads from that (now closed) fd. Fix the logic
so that we close & re-open the discovered mountpoint properly.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Zach Brown <zab@redhat.com>
If scrub start discovers that scrub is already running,
we need to set prg_fd to -1 before goto out, or we'll
try to close it again in the error path.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Zach Brown <zab@redhat.com>
If connection fails the socket is leaked when the status file is used
instead. Close it to trivially cut down on fd use and to bring down the
noise in static code analysis.
Signed-off-by: Zach Brown <zab@redhat.com>
It looks possible to hit the search_again label without using the
prealloc. A new prealloc is allocated, leaking the current one.
Every use of prealloc sets it to null so let's just allocate a new
prealloc when we don't already have one.
Signed-off-by: Zach Brown <zab@redhat.com>
btrfs_scan_one_dir() can overflow an arbitrarily small 256 byte buffer
with an arbitrarily slightly larger 1024 byte buffer as it remembers the
path of a dir to later descend.
Make these buffers the same size to stop the overflow and chose PATH_MAX
for that size so that it won't fail on legitimately bonkers paths.
Signed-off-by: Zach Brown <zab@redhat.com>
Path allocation failure already has its own return, remember to free the
path when the error label is taken.
Signed-off-by: Zach Brown <zab@redhat.com>
struct btrfs_super is about 3.5k but a few writing paths were writing it
out as the full 4k BTRFS_SUPER_INFO_SIZE, leaking a few hundred bytes
after the super_block onto disk. In practice this meant the memory
after super_copy in struct btrfs_fs_info and whatever came after it in
the heap.
Signed-off-by: Zach Brown <zab@redhat.com>
old_left_nritems is unsigned so BUG_ON(old_left_nritems < 0) is
impossible. Presumably the BUG_ON() meant to test that it wasn't 0 so
that btrfs_item_offset_nr() doesn't get a nr of -1.
Signed-off-by: Zach Brown <zab@redhat.com>
Check for failure by testing for a negative file descriptor, not a
descriptor of 0. And if it failed we have nothing to close().
Signed-off-by: Zach Brown <zab@redhat.com>
btrfs_free_path() derefs the path before freeing it. It can't be passed
a null pointer when allocation fails.
Signed-off-by: Zach Brown <zab@redhat.com>
'next' can never be non-null in the body of these loops. It's
initialized to NULL and the loop is terminated the moment it is set.
Signed-off-by: Zach Brown <zab@redhat.com>
copy_one_inline() meant to test the return of pwrite() with ram_size.
Presumably the comparison with len was copied from the test earlier in
the function.
Signed-off-by: Zach Brown <zab@redhat.com>
size_sourcedir() uses shockingly bad code to try and estimate the size
of the files and directories in a subtree.
- Its use of snprintf(), strcat(), and sscanf() with arbitrarily small
on-stack buffers manages to overflow the stack a few times when given
long file names.
$ BIG=$(perl -e 'print "a" x 200')
$ mkdir -p /tmp/$BIG/$BIG/$BIG/$BIG/$BIG
$ mkfs.btrfs /tmp/img -r /tmp/$BIG/$BIG/$BIG/$BIG/$BIG
*** stack smashing detected ***: mkfs.btrfs terminated
- It passes raw paths to system() allowing interpreting file names as
shell control characters.
$ mkfs.btrfs /tmp/img -r /tmp/spacey\ dir/
du: cannot access `/tmp/spacey': No such file or directory
du: cannot access `dir/': No such file or directory
- It redirects du output to "temp_file" in the current directory,
allowing overwriting of files through symlinks.
$ echo hi > target
$ ln -s target temp_file
$ mkfs.btrfs /tmp/img -r /tmp/somedir/
$ cat target
3 /tmp/somedir/
This fixes the worst problems while maintaining -r functionality by
tearing out the system() code and using ftw() to walk the source tree
and sum up st.st_size.
Signed-off-by: Zach Brown <zab@redhat.com>
check_owner_ref() could deref a null path node if btrfs_search_slot()
fails or simply doesn't find a tree tall enough to get to the parent of
the desired block.
This was flagged by static analysis warning that btrfs_search_slot()'s
return value wasn't being checked.
Signed-off-by: Zach Brown <zab@redhat.com>
Again: caught by static analysis.
Errors cow-ing the root block are silently being dropped. This is
just a step towards error handling because both the caller and calee
assert on errors.
Signed-off-by: Zach Brown <zab@redhat.com>
The super block magic is a le64 whose value looks like an unterminated
string in memory. The lack of null termination leads to clumsy use of
string functions and causes static analysis tools to warn that the
string will be unterminated.
So let's just treat it as the le64 that it is. Endian wrappers are used
on the constant so that they're compiled into run-time constants.
Signed-off-by: Zach Brown <zab@redhat.com>
raid6.c was failing to build for Goffredo and me due to
__attribute_const__ being undefined.
Define it in kerncompat.h and include that; this also makes
sure BITS_PER_LONG is defined for raid6.c, prior to this it
was not defined, at least in my build.
Finally, redefine BITS_PER_LONG in a way that it can be
tested in the preprocessor macro.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
David Woodhouse originally contributed this code, and Chris Mason
changed it around to reflect the current design goals for raid56.
The original code expected all metadata and data writes to be full
stripes. This meant metadata block size == stripe size, and had a few
other restrictions.
This version allows metadata blocks smaller than the stripe size. It
implements both raid5 and raid6, although it does not have code to
rebuild from parity if one of the drives is missing or incorrect.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Chris Mason <chris.mason@fusionio.com>
This was a bug from long time ago that never actually got fixed. We start
with bytenr 0 when looping through all of the block groups, but
btrfs_lookup_block_group will bail out since it couldn't find a block group
with 0 as the bytenr. Btrfs_lookup_first_block_group will be nice and
adjust the start up to the right value, so this way we reset all the block
groups properly and not screw up the users block group accounting. Thanks,
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
unless it was intentional to include uuid when -s
option is (show snapshot only) given, we would need
this break statement.
Signed-off-by: Anand Jain <anand.jain@oracle.com>
This patch makes btrfsck print the filesystem, which is to be checked,
to stdout, as well as the UUID of the corresponding partition.
This should be helpful when analyzing (copied and pasted) output of
btrfsck.
Signed-off-by: Dieter Ries <mail@dieterries.net>
- rename to match code where applicable
- add missing options
- unify the help strings in short and detailed sections
- fix a few typos
Signed-off-by: David Sterba <dsterba@suse.cz>
Rename filter options in 'subvol list' subcommand, that way we can
distinguish them from the options that just show some option in the
output and can have a matching uppercase filter.
Signed-off-by: David Sterba <dsterba@suse.cz>
Eric Sandeen