e79a33270d
Originally, verify_dir_item verifies name_len of dir_item with fixed values but not item boundary. If corrupted name_len was not bigger than the fixed value, for example 255, the function will think the dir_item is fine. And then reading beyond boundary will cause crash. Example: 1. Corrupt one dir_item name_len to be 255. 2. Run 'ls -lar /mnt/test/ > /dev/null' dmesg: [ 48.451449] BTRFS info (device vdb1): disk space caching is enabled [ 48.451453] BTRFS info (device vdb1): has skinny extents [ 48.489420] general protection fault: 0000 [#1] SMP [ 48.489571] Modules linked in: ext4 jbd2 mbcache btrfs xor raid6_pq [ 48.489716] CPU: 1 PID: 2710 Comm: ls Not tainted 4.10.0-rc1 #5 [ 48.489853] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 [ 48.490008] task: ffff880035df1bc0 task.stack: ffffc90004800000 [ 48.490008] RIP: 0010:read_extent_buffer+0xd2/0x190 [btrfs] [ 48.490008] RSP: 0018:ffffc90004803d98 EFLAGS: 00010202 [ 48.490008] RAX: 000000000000001b RBX: 000000000000001b RCX: 0000000000000000 [ 48.490008] RDX: ffff880079dbf36c RSI: 0005080000000000 RDI: ffff880079dbf368 [ 48.490008] RBP: ffffc90004803dc8 R08: ffff880078e8cc48 R09: ffff880000000000 [ 48.490008] R10: 0000160000000000 R11: 0000000000001000 R12: ffff880079dbf288 [ 48.490008] R13: ffff880078e8ca88 R14: 0000000000000003 R15: ffffc90004803e20 [ 48.490008] FS: 00007fef50c60800(0000) GS:ffff88007d400000(0000) knlGS:0000000000000000 [ 48.490008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 48.490008] CR2: 000055f335ac2ff8 CR3: 000000007356d000 CR4: 00000000001406e0 [ 48.490008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 48.490008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 48.490008] Call Trace: [ 48.490008] btrfs_real_readdir+0x3b7/0x4a0 [btrfs] [ 48.490008] iterate_dir+0x181/0x1b0 [ 48.490008] SyS_getdents+0xa7/0x150 [ 48.490008] ? fillonedir+0x150/0x150 [ 48.490008] entry_SYSCALL_64_fastpath+0x18/0xad [ 48.490008] RIP: 0033:0x7fef5032546b [ 48.490008] RSP: 002b:00007ffeafcdb830 EFLAGS: 00000206 ORIG_RAX: 000000000000004e [ 48.490008] RAX: ffffffffffffffda RBX: 00007fef5061db38 RCX: 00007fef5032546b [ 48.490008] RDX: 0000000000008000 RSI: 000055f335abaff0 RDI: 0000000000000003 [ 48.490008] RBP: 00007fef5061dae0 R08: 00007fef5061db48 R09: 0000000000000000 [ 48.490008] R10: 000055f335abafc0 R11: 0000000000000206 R12: 00007fef5061db38 [ 48.490008] R13: 0000000000008040 R14: 00007fef5061db38 R15: 000000000000270e [ 48.490008] RIP: read_extent_buffer+0xd2/0x190 [btrfs] RSP: ffffc90004803d98 [ 48.499455] ---[ end trace 321920d8e8339505 ]--- Fix it by adding a parameter @slot and check name_len with item boundary by calling btrfs_is_name_len_valid. Signed-off-by: Su Yue <suy.fnst@cn.fujitsu.com> rev Signed-off-by: David Sterba <dsterba@suse.com>
567 lines
15 KiB
C
567 lines
15 KiB
C
/*
|
|
* Copyright (C) 2007 Oracle. All rights reserved.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public
|
|
* License v2 as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public
|
|
* License along with this program; if not, write to the
|
|
* Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
* Boston, MA 021110-1307, USA.
|
|
*/
|
|
|
|
#include "ctree.h"
|
|
#include "disk-io.h"
|
|
#include "hash.h"
|
|
#include "transaction.h"
|
|
|
|
/*
|
|
* insert a name into a directory, doing overflow properly if there is a hash
|
|
* collision. data_size indicates how big the item inserted should be. On
|
|
* success a struct btrfs_dir_item pointer is returned, otherwise it is
|
|
* an ERR_PTR.
|
|
*
|
|
* The name is not copied into the dir item, you have to do that yourself.
|
|
*/
|
|
static struct btrfs_dir_item *insert_with_overflow(struct btrfs_trans_handle
|
|
*trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path,
|
|
struct btrfs_key *cpu_key,
|
|
u32 data_size,
|
|
const char *name,
|
|
int name_len)
|
|
{
|
|
struct btrfs_fs_info *fs_info = root->fs_info;
|
|
int ret;
|
|
char *ptr;
|
|
struct btrfs_item *item;
|
|
struct extent_buffer *leaf;
|
|
|
|
ret = btrfs_insert_empty_item(trans, root, path, cpu_key, data_size);
|
|
if (ret == -EEXIST) {
|
|
struct btrfs_dir_item *di;
|
|
di = btrfs_match_dir_item_name(fs_info, path, name, name_len);
|
|
if (di)
|
|
return ERR_PTR(-EEXIST);
|
|
btrfs_extend_item(fs_info, path, data_size);
|
|
} else if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
WARN_ON(ret > 0);
|
|
leaf = path->nodes[0];
|
|
item = btrfs_item_nr(path->slots[0]);
|
|
ptr = btrfs_item_ptr(leaf, path->slots[0], char);
|
|
BUG_ON(data_size > btrfs_item_size(leaf, item));
|
|
ptr += btrfs_item_size(leaf, item) - data_size;
|
|
return (struct btrfs_dir_item *)ptr;
|
|
}
|
|
|
|
/*
|
|
* xattrs work a lot like directories, this inserts an xattr item
|
|
* into the tree
|
|
*/
|
|
int btrfs_insert_xattr_item(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path, u64 objectid,
|
|
const char *name, u16 name_len,
|
|
const void *data, u16 data_len)
|
|
{
|
|
int ret = 0;
|
|
struct btrfs_dir_item *dir_item;
|
|
unsigned long name_ptr, data_ptr;
|
|
struct btrfs_key key, location;
|
|
struct btrfs_disk_key disk_key;
|
|
struct extent_buffer *leaf;
|
|
u32 data_size;
|
|
|
|
if (name_len + data_len > BTRFS_MAX_XATTR_SIZE(root->fs_info))
|
|
return -ENOSPC;
|
|
|
|
key.objectid = objectid;
|
|
key.type = BTRFS_XATTR_ITEM_KEY;
|
|
key.offset = btrfs_name_hash(name, name_len);
|
|
|
|
data_size = sizeof(*dir_item) + name_len + data_len;
|
|
dir_item = insert_with_overflow(trans, root, path, &key, data_size,
|
|
name, name_len);
|
|
if (IS_ERR(dir_item))
|
|
return PTR_ERR(dir_item);
|
|
memset(&location, 0, sizeof(location));
|
|
|
|
leaf = path->nodes[0];
|
|
btrfs_cpu_key_to_disk(&disk_key, &location);
|
|
btrfs_set_dir_item_key(leaf, dir_item, &disk_key);
|
|
btrfs_set_dir_type(leaf, dir_item, BTRFS_FT_XATTR);
|
|
btrfs_set_dir_name_len(leaf, dir_item, name_len);
|
|
btrfs_set_dir_transid(leaf, dir_item, trans->transid);
|
|
btrfs_set_dir_data_len(leaf, dir_item, data_len);
|
|
name_ptr = (unsigned long)(dir_item + 1);
|
|
data_ptr = (unsigned long)((char *)name_ptr + name_len);
|
|
|
|
write_extent_buffer(leaf, name, name_ptr, name_len);
|
|
write_extent_buffer(leaf, data, data_ptr, data_len);
|
|
btrfs_mark_buffer_dirty(path->nodes[0]);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* insert a directory item in the tree, doing all the magic for
|
|
* both indexes. 'dir' indicates which objectid to insert it into,
|
|
* 'location' is the key to stuff into the directory item, 'type' is the
|
|
* type of the inode we're pointing to, and 'index' is the sequence number
|
|
* to use for the second index (if one is created).
|
|
* Will return 0 or -ENOMEM
|
|
*/
|
|
int btrfs_insert_dir_item(struct btrfs_trans_handle *trans, struct btrfs_root
|
|
*root, const char *name, int name_len,
|
|
struct btrfs_inode *dir, struct btrfs_key *location,
|
|
u8 type, u64 index)
|
|
{
|
|
int ret = 0;
|
|
int ret2 = 0;
|
|
struct btrfs_path *path;
|
|
struct btrfs_dir_item *dir_item;
|
|
struct extent_buffer *leaf;
|
|
unsigned long name_ptr;
|
|
struct btrfs_key key;
|
|
struct btrfs_disk_key disk_key;
|
|
u32 data_size;
|
|
|
|
key.objectid = btrfs_ino(dir);
|
|
key.type = BTRFS_DIR_ITEM_KEY;
|
|
key.offset = btrfs_name_hash(name, name_len);
|
|
|
|
path = btrfs_alloc_path();
|
|
if (!path)
|
|
return -ENOMEM;
|
|
path->leave_spinning = 1;
|
|
|
|
btrfs_cpu_key_to_disk(&disk_key, location);
|
|
|
|
data_size = sizeof(*dir_item) + name_len;
|
|
dir_item = insert_with_overflow(trans, root, path, &key, data_size,
|
|
name, name_len);
|
|
if (IS_ERR(dir_item)) {
|
|
ret = PTR_ERR(dir_item);
|
|
if (ret == -EEXIST)
|
|
goto second_insert;
|
|
goto out_free;
|
|
}
|
|
|
|
leaf = path->nodes[0];
|
|
btrfs_set_dir_item_key(leaf, dir_item, &disk_key);
|
|
btrfs_set_dir_type(leaf, dir_item, type);
|
|
btrfs_set_dir_data_len(leaf, dir_item, 0);
|
|
btrfs_set_dir_name_len(leaf, dir_item, name_len);
|
|
btrfs_set_dir_transid(leaf, dir_item, trans->transid);
|
|
name_ptr = (unsigned long)(dir_item + 1);
|
|
|
|
write_extent_buffer(leaf, name, name_ptr, name_len);
|
|
btrfs_mark_buffer_dirty(leaf);
|
|
|
|
second_insert:
|
|
/* FIXME, use some real flag for selecting the extra index */
|
|
if (root == root->fs_info->tree_root) {
|
|
ret = 0;
|
|
goto out_free;
|
|
}
|
|
btrfs_release_path(path);
|
|
|
|
ret2 = btrfs_insert_delayed_dir_index(trans, root->fs_info, name,
|
|
name_len, dir, &disk_key, type, index);
|
|
out_free:
|
|
btrfs_free_path(path);
|
|
if (ret)
|
|
return ret;
|
|
if (ret2)
|
|
return ret2;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* lookup a directory item based on name. 'dir' is the objectid
|
|
* we're searching in, and 'mod' tells us if you plan on deleting the
|
|
* item (use mod < 0) or changing the options (use mod > 0)
|
|
*/
|
|
struct btrfs_dir_item *btrfs_lookup_dir_item(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path, u64 dir,
|
|
const char *name, int name_len,
|
|
int mod)
|
|
{
|
|
int ret;
|
|
struct btrfs_key key;
|
|
int ins_len = mod < 0 ? -1 : 0;
|
|
int cow = mod != 0;
|
|
|
|
key.objectid = dir;
|
|
key.type = BTRFS_DIR_ITEM_KEY;
|
|
|
|
key.offset = btrfs_name_hash(name, name_len);
|
|
|
|
ret = btrfs_search_slot(trans, root, &key, path, ins_len, cow);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
if (ret > 0)
|
|
return NULL;
|
|
|
|
return btrfs_match_dir_item_name(root->fs_info, path, name, name_len);
|
|
}
|
|
|
|
int btrfs_check_dir_item_collision(struct btrfs_root *root, u64 dir,
|
|
const char *name, int name_len)
|
|
{
|
|
int ret;
|
|
struct btrfs_key key;
|
|
struct btrfs_dir_item *di;
|
|
int data_size;
|
|
struct extent_buffer *leaf;
|
|
int slot;
|
|
struct btrfs_path *path;
|
|
|
|
|
|
path = btrfs_alloc_path();
|
|
if (!path)
|
|
return -ENOMEM;
|
|
|
|
key.objectid = dir;
|
|
key.type = BTRFS_DIR_ITEM_KEY;
|
|
key.offset = btrfs_name_hash(name, name_len);
|
|
|
|
ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
|
|
|
|
/* return back any errors */
|
|
if (ret < 0)
|
|
goto out;
|
|
|
|
/* nothing found, we're safe */
|
|
if (ret > 0) {
|
|
ret = 0;
|
|
goto out;
|
|
}
|
|
|
|
/* we found an item, look for our name in the item */
|
|
di = btrfs_match_dir_item_name(root->fs_info, path, name, name_len);
|
|
if (di) {
|
|
/* our exact name was found */
|
|
ret = -EEXIST;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* see if there is room in the item to insert this
|
|
* name
|
|
*/
|
|
data_size = sizeof(*di) + name_len;
|
|
leaf = path->nodes[0];
|
|
slot = path->slots[0];
|
|
if (data_size + btrfs_item_size_nr(leaf, slot) +
|
|
sizeof(struct btrfs_item) > BTRFS_LEAF_DATA_SIZE(root->fs_info)) {
|
|
ret = -EOVERFLOW;
|
|
} else {
|
|
/* plenty of insertion room */
|
|
ret = 0;
|
|
}
|
|
out:
|
|
btrfs_free_path(path);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* lookup a directory item based on index. 'dir' is the objectid
|
|
* we're searching in, and 'mod' tells us if you plan on deleting the
|
|
* item (use mod < 0) or changing the options (use mod > 0)
|
|
*
|
|
* The name is used to make sure the index really points to the name you were
|
|
* looking for.
|
|
*/
|
|
struct btrfs_dir_item *
|
|
btrfs_lookup_dir_index_item(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path, u64 dir,
|
|
u64 objectid, const char *name, int name_len,
|
|
int mod)
|
|
{
|
|
int ret;
|
|
struct btrfs_key key;
|
|
int ins_len = mod < 0 ? -1 : 0;
|
|
int cow = mod != 0;
|
|
|
|
key.objectid = dir;
|
|
key.type = BTRFS_DIR_INDEX_KEY;
|
|
key.offset = objectid;
|
|
|
|
ret = btrfs_search_slot(trans, root, &key, path, ins_len, cow);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
if (ret > 0)
|
|
return ERR_PTR(-ENOENT);
|
|
return btrfs_match_dir_item_name(root->fs_info, path, name, name_len);
|
|
}
|
|
|
|
struct btrfs_dir_item *
|
|
btrfs_search_dir_index_item(struct btrfs_root *root,
|
|
struct btrfs_path *path, u64 dirid,
|
|
const char *name, int name_len)
|
|
{
|
|
struct extent_buffer *leaf;
|
|
struct btrfs_dir_item *di;
|
|
struct btrfs_key key;
|
|
u32 nritems;
|
|
int ret;
|
|
|
|
key.objectid = dirid;
|
|
key.type = BTRFS_DIR_INDEX_KEY;
|
|
key.offset = 0;
|
|
|
|
ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
|
|
leaf = path->nodes[0];
|
|
nritems = btrfs_header_nritems(leaf);
|
|
|
|
while (1) {
|
|
if (path->slots[0] >= nritems) {
|
|
ret = btrfs_next_leaf(root, path);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
if (ret > 0)
|
|
break;
|
|
leaf = path->nodes[0];
|
|
nritems = btrfs_header_nritems(leaf);
|
|
continue;
|
|
}
|
|
|
|
btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
|
|
if (key.objectid != dirid || key.type != BTRFS_DIR_INDEX_KEY)
|
|
break;
|
|
|
|
di = btrfs_match_dir_item_name(root->fs_info, path,
|
|
name, name_len);
|
|
if (di)
|
|
return di;
|
|
|
|
path->slots[0]++;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
struct btrfs_dir_item *btrfs_lookup_xattr(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path, u64 dir,
|
|
const char *name, u16 name_len,
|
|
int mod)
|
|
{
|
|
int ret;
|
|
struct btrfs_key key;
|
|
int ins_len = mod < 0 ? -1 : 0;
|
|
int cow = mod != 0;
|
|
|
|
key.objectid = dir;
|
|
key.type = BTRFS_XATTR_ITEM_KEY;
|
|
key.offset = btrfs_name_hash(name, name_len);
|
|
ret = btrfs_search_slot(trans, root, &key, path, ins_len, cow);
|
|
if (ret < 0)
|
|
return ERR_PTR(ret);
|
|
if (ret > 0)
|
|
return NULL;
|
|
|
|
return btrfs_match_dir_item_name(root->fs_info, path, name, name_len);
|
|
}
|
|
|
|
/*
|
|
* helper function to look at the directory item pointed to by 'path'
|
|
* this walks through all the entries in a dir item and finds one
|
|
* for a specific name.
|
|
*/
|
|
struct btrfs_dir_item *btrfs_match_dir_item_name(struct btrfs_fs_info *fs_info,
|
|
struct btrfs_path *path,
|
|
const char *name, int name_len)
|
|
{
|
|
struct btrfs_dir_item *dir_item;
|
|
unsigned long name_ptr;
|
|
u32 total_len;
|
|
u32 cur = 0;
|
|
u32 this_len;
|
|
struct extent_buffer *leaf;
|
|
|
|
leaf = path->nodes[0];
|
|
dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
|
|
if (verify_dir_item(fs_info, leaf, path->slots[0], dir_item))
|
|
return NULL;
|
|
|
|
total_len = btrfs_item_size_nr(leaf, path->slots[0]);
|
|
while (cur < total_len) {
|
|
this_len = sizeof(*dir_item) +
|
|
btrfs_dir_name_len(leaf, dir_item) +
|
|
btrfs_dir_data_len(leaf, dir_item);
|
|
name_ptr = (unsigned long)(dir_item + 1);
|
|
|
|
if (btrfs_dir_name_len(leaf, dir_item) == name_len &&
|
|
memcmp_extent_buffer(leaf, name, name_ptr, name_len) == 0)
|
|
return dir_item;
|
|
|
|
cur += this_len;
|
|
dir_item = (struct btrfs_dir_item *)((char *)dir_item +
|
|
this_len);
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* given a pointer into a directory item, delete it. This
|
|
* handles items that have more than one entry in them.
|
|
*/
|
|
int btrfs_delete_one_dir_name(struct btrfs_trans_handle *trans,
|
|
struct btrfs_root *root,
|
|
struct btrfs_path *path,
|
|
struct btrfs_dir_item *di)
|
|
{
|
|
|
|
struct extent_buffer *leaf;
|
|
u32 sub_item_len;
|
|
u32 item_len;
|
|
int ret = 0;
|
|
|
|
leaf = path->nodes[0];
|
|
sub_item_len = sizeof(*di) + btrfs_dir_name_len(leaf, di) +
|
|
btrfs_dir_data_len(leaf, di);
|
|
item_len = btrfs_item_size_nr(leaf, path->slots[0]);
|
|
if (sub_item_len == item_len) {
|
|
ret = btrfs_del_item(trans, root, path);
|
|
} else {
|
|
/* MARKER */
|
|
unsigned long ptr = (unsigned long)di;
|
|
unsigned long start;
|
|
|
|
start = btrfs_item_ptr_offset(leaf, path->slots[0]);
|
|
memmove_extent_buffer(leaf, ptr, ptr + sub_item_len,
|
|
item_len - (ptr + sub_item_len - start));
|
|
btrfs_truncate_item(root->fs_info, path,
|
|
item_len - sub_item_len, 1);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
int verify_dir_item(struct btrfs_fs_info *fs_info,
|
|
struct extent_buffer *leaf,
|
|
int slot,
|
|
struct btrfs_dir_item *dir_item)
|
|
{
|
|
u16 namelen = BTRFS_NAME_LEN;
|
|
int ret;
|
|
u8 type = btrfs_dir_type(leaf, dir_item);
|
|
|
|
if (type >= BTRFS_FT_MAX) {
|
|
btrfs_crit(fs_info, "invalid dir item type: %d", (int)type);
|
|
return 1;
|
|
}
|
|
|
|
if (type == BTRFS_FT_XATTR)
|
|
namelen = XATTR_NAME_MAX;
|
|
|
|
if (btrfs_dir_name_len(leaf, dir_item) > namelen) {
|
|
btrfs_crit(fs_info, "invalid dir item name len: %u",
|
|
(unsigned)btrfs_dir_name_len(leaf, dir_item));
|
|
return 1;
|
|
}
|
|
|
|
namelen = btrfs_dir_name_len(leaf, dir_item);
|
|
ret = btrfs_is_name_len_valid(leaf, slot,
|
|
(unsigned long)(dir_item + 1), namelen);
|
|
if (!ret)
|
|
return 1;
|
|
|
|
/* BTRFS_MAX_XATTR_SIZE is the same for all dir items */
|
|
if ((btrfs_dir_data_len(leaf, dir_item) +
|
|
btrfs_dir_name_len(leaf, dir_item)) >
|
|
BTRFS_MAX_XATTR_SIZE(fs_info)) {
|
|
btrfs_crit(fs_info, "invalid dir item name + data len: %u + %u",
|
|
(unsigned)btrfs_dir_name_len(leaf, dir_item),
|
|
(unsigned)btrfs_dir_data_len(leaf, dir_item));
|
|
return 1;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
bool btrfs_is_name_len_valid(struct extent_buffer *leaf, int slot,
|
|
unsigned long start, u16 name_len)
|
|
{
|
|
struct btrfs_fs_info *fs_info = leaf->fs_info;
|
|
struct btrfs_key key;
|
|
u32 read_start;
|
|
u32 read_end;
|
|
u32 item_start;
|
|
u32 item_end;
|
|
u32 size;
|
|
bool ret = true;
|
|
|
|
ASSERT(start > BTRFS_LEAF_DATA_OFFSET);
|
|
|
|
read_start = start - BTRFS_LEAF_DATA_OFFSET;
|
|
read_end = read_start + name_len;
|
|
item_start = btrfs_item_offset_nr(leaf, slot);
|
|
item_end = btrfs_item_end_nr(leaf, slot);
|
|
|
|
btrfs_item_key_to_cpu(leaf, &key, slot);
|
|
|
|
switch (key.type) {
|
|
case BTRFS_DIR_ITEM_KEY:
|
|
case BTRFS_XATTR_ITEM_KEY:
|
|
case BTRFS_DIR_INDEX_KEY:
|
|
size = sizeof(struct btrfs_dir_item);
|
|
break;
|
|
case BTRFS_INODE_REF_KEY:
|
|
size = sizeof(struct btrfs_inode_ref);
|
|
break;
|
|
case BTRFS_INODE_EXTREF_KEY:
|
|
size = sizeof(struct btrfs_inode_extref);
|
|
break;
|
|
case BTRFS_ROOT_REF_KEY:
|
|
case BTRFS_ROOT_BACKREF_KEY:
|
|
size = sizeof(struct btrfs_root_ref);
|
|
break;
|
|
default:
|
|
ret = false;
|
|
goto out;
|
|
}
|
|
|
|
if (read_start < item_start) {
|
|
ret = false;
|
|
goto out;
|
|
}
|
|
if (read_end > item_end) {
|
|
ret = false;
|
|
goto out;
|
|
}
|
|
|
|
/* there shall be item(s) before name */
|
|
if (read_start - item_start < size) {
|
|
ret = false;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* This may be the last item in the slot
|
|
* Or same type item(s) is left between read_end and item_end
|
|
*/
|
|
if (item_end != read_end && item_end - read_end < size) {
|
|
ret = false;
|
|
goto out;
|
|
}
|
|
out:
|
|
if (!ret)
|
|
btrfs_crit(fs_info, "invalid dir item name len: %u",
|
|
(unsigned int)name_len);
|
|
return ret;
|
|
}
|