| Message ID | 039c272f2bd6e8e0bb428c8f0b794e61d491aeef.1612468824.git.boris@bur.io (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs-corrupt-block btree data corruption | expand |
On Thu, Feb 04, 2021 at 12:09:31PM -0800, Boris Burkov wrote: Hi Boris, I have a question for this code. > btrfs-corrupt-block already has a mix of generic and specific corruption > options, but currently lacks the capacity for totally arbitrary > corruption in item data. > > There is already a flag for corruption size (bytes/-b), so add a flag > for an offset and a value to memset the item with. Exercise the new > flags with a new variant for -I (item) corruption. Look up the item as > before, but instead of corrupting a field in the item struct, corrupt an > offset/size in the item data. > > The motivating example for this is that in testing fsverity with btrfs, > we need to corrupt the generated Merkle tree--metadata item data which > is an opaque blob to btrfs. > > Signed-off-by: Boris Burkov <boris@bur.io> > --- > btrfs-corrupt-block.c | 71 +++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 68 insertions(+), 3 deletions(-) > > diff --git a/btrfs-corrupt-block.c b/btrfs-corrupt-block.c > index 0c022a8e..bf1ce9c5 100644 > --- a/btrfs-corrupt-block.c > +++ b/btrfs-corrupt-block.c > @@ -116,11 +116,13 @@ static void print_usage(int ret) > printf("\t-m The metadata block to corrupt (must also specify -f for the field to corrupt)\n"); > printf("\t-K <u64,u8,u64> Corrupt the given key (must also specify -f for the field and optionally -r for the root)\n"); > printf("\t-f The field in the item to corrupt\n"); > - printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field to corrupt and root for the item)\n"); > + printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field, or bytes, offset, and value to corrupt and root for the item)\n"); > printf("\t-D <u64,u8,u64> Corrupt a dir item corresponding to the passed key triplet, must also specify a field\n"); > printf("\t-d <u64,u8,u64> Delete item corresponding to passed key triplet\n"); > printf("\t-r Operate on this root\n"); > printf("\t-C Delete a csum for the specified bytenr. When used with -b it'll delete that many bytes, otherwise it's just sectorsize\n"); > + printf("\t-v Value to use for corrupting item data\n"); > + printf("\t-o Offset to use for corrupting item data\n"); > exit(ret); > } > > @@ -896,6 +898,50 @@ out: > return ret; > } > > +static int corrupt_btrfs_item_data(struct btrfs_root *root, > + struct btrfs_key *key, > + u64 bogus_offset, u64 bogus_size, > + char bogus_value) > +{ > + struct btrfs_trans_handle *trans; > + struct btrfs_path *path; > + int ret; > + void *data; > + struct extent_buffer *leaf; > + int slot; > + > + path = btrfs_alloc_path(); > + if (!path) > + return -ENOMEM; > + > + trans = btrfs_start_transaction(root, 1); > + if (IS_ERR(trans)) { > + fprintf(stderr, "Couldn't start transaction %ld\n", > + PTR_ERR(trans)); > + ret = PTR_ERR(trans); > + goto free_path; > + } > + > + ret = btrfs_search_slot(trans, root, key, path, 0, 1); > + if (ret != 0) { > + fprintf(stderr, "Error searching to node %d\n", ret); > + goto commit_txn; This is error case. but this code goes to commit transaction. I think there is an option to abort transaction. This code has pros than aborting? > + } > + leaf = path->nodes[0]; > + slot = path->slots[0]; > + data = btrfs_item_ptr(leaf, slot, void); > + // TODO: check offset/size legitimacy > + data += bogus_offset; > + memset_extent_buffer(leaf, bogus_value, (unsigned long)data, bogus_size); > + btrfs_mark_buffer_dirty(leaf); > + > +commit_txn: > + btrfs_commit_transaction(trans, root); > +free_path: > + btrfs_free_path(path); > + return ret; > +} > + > static int delete_item(struct btrfs_root *root, struct btrfs_key *key) > { > struct btrfs_trans_handle *trans; > @@ -1151,6 +1197,8 @@ int main(int argc, char **argv) > u64 root_objectid = 0; > u64 csum_bytenr = 0; > char field[FIELD_BUF_LEN]; > + u64 bogus_value = (u64)-1; > + u64 bogus_offset = (u64)-1; > > field[0] = '\0'; > memset(&key, 0, sizeof(key)); > @@ -1177,11 +1225,13 @@ int main(int argc, char **argv) > { "delete", no_argument, NULL, 'd'}, > { "root", no_argument, NULL, 'r'}, > { "csum", required_argument, NULL, 'C'}, > + { "value", required_argument, NULL, 'v'}, > + { "offset", required_argument, NULL, 'o'}, > { "help", no_argument, NULL, GETOPT_VAL_HELP}, > { NULL, 0, NULL, 0 } > }; > > - c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:", > + c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:v:o:", > long_options, NULL); > if (c < 0) > break; > @@ -1244,6 +1294,12 @@ int main(int argc, char **argv) > case 'C': > csum_bytenr = arg_strtou64(optarg); > break; > + case 'v': > + bogus_value = arg_strtou64(optarg); > + break; > + case 'o': > + bogus_offset = arg_strtou64(optarg); > + break; > case GETOPT_VAL_HELP: > default: > print_usage(c != GETOPT_VAL_HELP); > @@ -1368,7 +1424,16 @@ int main(int argc, char **argv) > if (!root_objectid) > print_usage(1); > > - ret = corrupt_btrfs_item(target_root, &key, field); > + if (*field != 0) > + ret = corrupt_btrfs_item(target_root, &key, field); > + else if (bogus_offset != (u64)-1 && > + bytes != (u64)-1 && > + bogus_value != (u64)-1) > + ret = corrupt_btrfs_item_data(target_root, &key, > + bogus_offset, bytes, > + bogus_value); > + else > + print_usage(1); > goto out_close; > } > if (delete) { > -- > 2.24.1 >
On Tue, Feb 09, 2021 at 06:22:47AM +0000, Sidong Yang wrote: > On Thu, Feb 04, 2021 at 12:09:31PM -0800, Boris Burkov wrote: > > Hi Boris, I have a question for this code. > > > btrfs-corrupt-block already has a mix of generic and specific corruption > > options, but currently lacks the capacity for totally arbitrary > > corruption in item data. > > > > There is already a flag for corruption size (bytes/-b), so add a flag > > for an offset and a value to memset the item with. Exercise the new > > flags with a new variant for -I (item) corruption. Look up the item as > > before, but instead of corrupting a field in the item struct, corrupt an > > offset/size in the item data. > > > > The motivating example for this is that in testing fsverity with btrfs, > > we need to corrupt the generated Merkle tree--metadata item data which > > is an opaque blob to btrfs. > > > > Signed-off-by: Boris Burkov <boris@bur.io> > > --- > > btrfs-corrupt-block.c | 71 +++++++++++++++++++++++++++++++++++++++++-- > > 1 file changed, 68 insertions(+), 3 deletions(-) > > > > diff --git a/btrfs-corrupt-block.c b/btrfs-corrupt-block.c > > index 0c022a8e..bf1ce9c5 100644 > > --- a/btrfs-corrupt-block.c > > +++ b/btrfs-corrupt-block.c > > @@ -116,11 +116,13 @@ static void print_usage(int ret) > > printf("\t-m The metadata block to corrupt (must also specify -f for the field to corrupt)\n"); > > printf("\t-K <u64,u8,u64> Corrupt the given key (must also specify -f for the field and optionally -r for the root)\n"); > > printf("\t-f The field in the item to corrupt\n"); > > - printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field to corrupt and root for the item)\n"); > > + printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field, or bytes, offset, and value to corrupt and root for the item)\n"); > > printf("\t-D <u64,u8,u64> Corrupt a dir item corresponding to the passed key triplet, must also specify a field\n"); > > printf("\t-d <u64,u8,u64> Delete item corresponding to passed key triplet\n"); > > printf("\t-r Operate on this root\n"); > > printf("\t-C Delete a csum for the specified bytenr. When used with -b it'll delete that many bytes, otherwise it's just sectorsize\n"); > > + printf("\t-v Value to use for corrupting item data\n"); > > + printf("\t-o Offset to use for corrupting item data\n"); > > exit(ret); > > } > > > > @@ -896,6 +898,50 @@ out: > > return ret; > > } > > > > +static int corrupt_btrfs_item_data(struct btrfs_root *root, > > + struct btrfs_key *key, > > + u64 bogus_offset, u64 bogus_size, > > + char bogus_value) > > +{ > > + struct btrfs_trans_handle *trans; > > + struct btrfs_path *path; > > + int ret; > > + void *data; > > + struct extent_buffer *leaf; > > + int slot; > > + > > + path = btrfs_alloc_path(); > > + if (!path) > > + return -ENOMEM; > > + > > + trans = btrfs_start_transaction(root, 1); > > + if (IS_ERR(trans)) { > > + fprintf(stderr, "Couldn't start transaction %ld\n", > > + PTR_ERR(trans)); > > + ret = PTR_ERR(trans); > > + goto free_path; > > + } > > + > > + ret = btrfs_search_slot(trans, root, key, path, 0, 1); > > + if (ret != 0) { > > + fprintf(stderr, "Error searching to node %d\n", ret); > > + goto commit_txn; > > This is error case. but this code goes to commit transaction. I think there is > an option to abort transaction. This code has pros than aborting? > Good question. To be perfectly honest, I copied this pattern from some of the other corruption functions around, and don't have a good answer. Looking at it now, I don't see any harm in either approach (we don't have any work to commit since it was just search_slot that failed) but abort does seem less surprising. > > + } > > + leaf = path->nodes[0]; > > + slot = path->slots[0]; > > + data = btrfs_item_ptr(leaf, slot, void); > > + // TODO: check offset/size legitimacy > > + data += bogus_offset; > > + memset_extent_buffer(leaf, bogus_value, (unsigned long)data, bogus_size); > > + btrfs_mark_buffer_dirty(leaf); > > + > > +commit_txn: > > + btrfs_commit_transaction(trans, root); > > +free_path: > > + btrfs_free_path(path); > > + return ret; > > +} > > + > > static int delete_item(struct btrfs_root *root, struct btrfs_key *key) > > { > > struct btrfs_trans_handle *trans; > > @@ -1151,6 +1197,8 @@ int main(int argc, char **argv) > > u64 root_objectid = 0; > > u64 csum_bytenr = 0; > > char field[FIELD_BUF_LEN]; > > + u64 bogus_value = (u64)-1; > > + u64 bogus_offset = (u64)-1; > > > > field[0] = '\0'; > > memset(&key, 0, sizeof(key)); > > @@ -1177,11 +1225,13 @@ int main(int argc, char **argv) > > { "delete", no_argument, NULL, 'd'}, > > { "root", no_argument, NULL, 'r'}, > > { "csum", required_argument, NULL, 'C'}, > > + { "value", required_argument, NULL, 'v'}, > > + { "offset", required_argument, NULL, 'o'}, > > { "help", no_argument, NULL, GETOPT_VAL_HELP}, > > { NULL, 0, NULL, 0 } > > }; > > > > - c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:", > > + c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:v:o:", > > long_options, NULL); > > if (c < 0) > > break; > > @@ -1244,6 +1294,12 @@ int main(int argc, char **argv) > > case 'C': > > csum_bytenr = arg_strtou64(optarg); > > break; > > + case 'v': > > + bogus_value = arg_strtou64(optarg); > > + break; > > + case 'o': > > + bogus_offset = arg_strtou64(optarg); > > + break; > > case GETOPT_VAL_HELP: > > default: > > print_usage(c != GETOPT_VAL_HELP); > > @@ -1368,7 +1424,16 @@ int main(int argc, char **argv) > > if (!root_objectid) > > print_usage(1); > > > > - ret = corrupt_btrfs_item(target_root, &key, field); > > + if (*field != 0) > > + ret = corrupt_btrfs_item(target_root, &key, field); > > + else if (bogus_offset != (u64)-1 && > > + bytes != (u64)-1 && > > + bogus_value != (u64)-1) > > + ret = corrupt_btrfs_item_data(target_root, &key, > > + bogus_offset, bytes, > > + bogus_value); > > + else > > + print_usage(1); > > goto out_close; > > } > > if (delete) { > > -- > > 2.24.1 > >
diff --git a/btrfs-corrupt-block.c b/btrfs-corrupt-block.c index 0c022a8e..bf1ce9c5 100644 --- a/btrfs-corrupt-block.c +++ b/btrfs-corrupt-block.c @@ -116,11 +116,13 @@ static void print_usage(int ret) printf("\t-m The metadata block to corrupt (must also specify -f for the field to corrupt)\n"); printf("\t-K <u64,u8,u64> Corrupt the given key (must also specify -f for the field and optionally -r for the root)\n"); printf("\t-f The field in the item to corrupt\n"); - printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field to corrupt and root for the item)\n"); + printf("\t-I <u64,u8,u64> Corrupt an item corresponding to the passed key triplet (must also specify the field, or bytes, offset, and value to corrupt and root for the item)\n"); printf("\t-D <u64,u8,u64> Corrupt a dir item corresponding to the passed key triplet, must also specify a field\n"); printf("\t-d <u64,u8,u64> Delete item corresponding to passed key triplet\n"); printf("\t-r Operate on this root\n"); printf("\t-C Delete a csum for the specified bytenr. When used with -b it'll delete that many bytes, otherwise it's just sectorsize\n"); + printf("\t-v Value to use for corrupting item data\n"); + printf("\t-o Offset to use for corrupting item data\n"); exit(ret); } @@ -896,6 +898,50 @@ out: return ret; } +static int corrupt_btrfs_item_data(struct btrfs_root *root, + struct btrfs_key *key, + u64 bogus_offset, u64 bogus_size, + char bogus_value) +{ + struct btrfs_trans_handle *trans; + struct btrfs_path *path; + int ret; + void *data; + struct extent_buffer *leaf; + int slot; + + path = btrfs_alloc_path(); + if (!path) + return -ENOMEM; + + trans = btrfs_start_transaction(root, 1); + if (IS_ERR(trans)) { + fprintf(stderr, "Couldn't start transaction %ld\n", + PTR_ERR(trans)); + ret = PTR_ERR(trans); + goto free_path; + } + + ret = btrfs_search_slot(trans, root, key, path, 0, 1); + if (ret != 0) { + fprintf(stderr, "Error searching to node %d\n", ret); + goto commit_txn; + } + leaf = path->nodes[0]; + slot = path->slots[0]; + data = btrfs_item_ptr(leaf, slot, void); + // TODO: check offset/size legitimacy + data += bogus_offset; + memset_extent_buffer(leaf, bogus_value, (unsigned long)data, bogus_size); + btrfs_mark_buffer_dirty(leaf); + +commit_txn: + btrfs_commit_transaction(trans, root); +free_path: + btrfs_free_path(path); + return ret; +} + static int delete_item(struct btrfs_root *root, struct btrfs_key *key) { struct btrfs_trans_handle *trans; @@ -1151,6 +1197,8 @@ int main(int argc, char **argv) u64 root_objectid = 0; u64 csum_bytenr = 0; char field[FIELD_BUF_LEN]; + u64 bogus_value = (u64)-1; + u64 bogus_offset = (u64)-1; field[0] = '\0'; memset(&key, 0, sizeof(key)); @@ -1177,11 +1225,13 @@ int main(int argc, char **argv) { "delete", no_argument, NULL, 'd'}, { "root", no_argument, NULL, 'r'}, { "csum", required_argument, NULL, 'C'}, + { "value", required_argument, NULL, 'v'}, + { "offset", required_argument, NULL, 'o'}, { "help", no_argument, NULL, GETOPT_VAL_HELP}, { NULL, 0, NULL, 0 } }; - c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:", + c = getopt_long(argc, argv, "l:c:b:eEkuUi:f:x:m:K:I:D:d:r:C:v:o:", long_options, NULL); if (c < 0) break; @@ -1244,6 +1294,12 @@ int main(int argc, char **argv) case 'C': csum_bytenr = arg_strtou64(optarg); break; + case 'v': + bogus_value = arg_strtou64(optarg); + break; + case 'o': + bogus_offset = arg_strtou64(optarg); + break; case GETOPT_VAL_HELP: default: print_usage(c != GETOPT_VAL_HELP); @@ -1368,7 +1424,16 @@ int main(int argc, char **argv) if (!root_objectid) print_usage(1); - ret = corrupt_btrfs_item(target_root, &key, field); + if (*field != 0) + ret = corrupt_btrfs_item(target_root, &key, field); + else if (bogus_offset != (u64)-1 && + bytes != (u64)-1 && + bogus_value != (u64)-1) + ret = corrupt_btrfs_item_data(target_root, &key, + bogus_offset, bytes, + bogus_value); + else + print_usage(1); goto out_close; } if (delete) {
btrfs-corrupt-block already has a mix of generic and specific corruption options, but currently lacks the capacity for totally arbitrary corruption in item data. There is already a flag for corruption size (bytes/-b), so add a flag for an offset and a value to memset the item with. Exercise the new flags with a new variant for -I (item) corruption. Look up the item as before, but instead of corrupting a field in the item struct, corrupt an offset/size in the item data. The motivating example for this is that in testing fsverity with btrfs, we need to corrupt the generated Merkle tree--metadata item data which is an opaque blob to btrfs. Signed-off-by: Boris Burkov <boris@bur.io> --- btrfs-corrupt-block.c | 71 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 68 insertions(+), 3 deletions(-)