+enum btrfs_file_extent_field {
+ BTRFS_FILE_EXTENT_DISK_BYTENR,
+ BTRFS_FILE_EXTENT_BAD,
+};
+
+enum btrfs_dir_item_field {
+ BTRFS_DIR_ITEM_NAME,
+ BTRFS_DIR_ITEM_LOCATION_OBJECTID,
+ BTRFS_DIR_ITEM_BAD,
+};
+
+enum btrfs_metadata_block_field {
+ BTRFS_METADATA_BLOCK_GENERATION,
+ BTRFS_METADATA_BLOCK_SHIFT_ITEMS,
+ BTRFS_METADATA_BLOCK_BAD,
+};
+
+enum btrfs_item_field {
+ BTRFS_ITEM_OFFSET,
+ BTRFS_ITEM_BAD,
+};
+
+enum btrfs_key_field {
+ BTRFS_KEY_OBJECTID,
+ BTRFS_KEY_TYPE,
+ BTRFS_KEY_OFFSET,
+ BTRFS_KEY_BAD,
+};
+
+static enum btrfs_inode_field convert_inode_field(char *field)
+{
+ if (!strncmp(field, "isize", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_ISIZE;
+ if (!strncmp(field, "nbytes", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_NBYTES;
+ if (!strncmp(field, "nlink", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_NLINK;
+ if (!strncmp(field, "generation", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_GENERATION;
+ if (!strncmp(field, "transid", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_TRANSID;
+ if (!strncmp(field, "block_group", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_BLOCK_GROUP;
+ if (!strncmp(field, "mode", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_MODE;
+ if (!strncmp(field, "uid", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_UID;
+ if (!strncmp(field, "gid", FIELD_BUF_LEN))
+ return BTRFS_INODE_FIELD_GID;
+ return BTRFS_INODE_FIELD_BAD;
+}
+
+static enum btrfs_file_extent_field convert_file_extent_field(char *field)
+{
+ if (!strncmp(field, "disk_bytenr", FIELD_BUF_LEN))
+ return BTRFS_FILE_EXTENT_DISK_BYTENR;
+ return BTRFS_FILE_EXTENT_BAD;
+}
+
+static enum btrfs_metadata_block_field
+convert_metadata_block_field(char *field)
+{
+ if (!strncmp(field, "generation", FIELD_BUF_LEN))
+ return BTRFS_METADATA_BLOCK_GENERATION;
+ if (!strncmp(field, "shift_items", FIELD_BUF_LEN))
+ return BTRFS_METADATA_BLOCK_SHIFT_ITEMS;
+ return BTRFS_METADATA_BLOCK_BAD;
+}
+
+static enum btrfs_key_field convert_key_field(char *field)
+{
+ if (!strncmp(field, "objectid", FIELD_BUF_LEN))
+ return BTRFS_KEY_OBJECTID;
+ if (!strncmp(field, "type", FIELD_BUF_LEN))
+ return BTRFS_KEY_TYPE;
+ if (!strncmp(field, "offset", FIELD_BUF_LEN))
+ return BTRFS_KEY_OFFSET;
+ return BTRFS_KEY_BAD;
+}
+
+static enum btrfs_item_field convert_item_field(char *field)
+{
+ if (!strncmp(field, "offset", FIELD_BUF_LEN))
+ return BTRFS_ITEM_OFFSET;
+ return BTRFS_ITEM_BAD;
+}
+
+static enum btrfs_dir_item_field convert_dir_item_field(char *field)
+{
+ if (!strncmp(field, "name", FIELD_BUF_LEN))
+ return BTRFS_DIR_ITEM_NAME;
+ if (!strncmp(field, "location_objectid", FIELD_BUF_LEN))
+ return BTRFS_DIR_ITEM_LOCATION_OBJECTID;
+ return BTRFS_DIR_ITEM_BAD;
+}
+
+static u64 generate_u64(u64 orig)
+{
+ u64 ret;
+ do {
+ ret = rand_u64();
+ } while (ret == orig);
+ return ret;
+}
+
+static u32 generate_u32(u32 orig)
+{
+ u32 ret;
+ do {
+ ret = rand_u32();
+ } while (ret == orig);
+ return ret;
+}
+
+static u8 generate_u8(u8 orig)
+{
+ u8 ret;
+ do {
+ ret = rand_u8();
+ } while (ret == orig);
+ return ret;
+}
+
+static int corrupt_key(struct btrfs_root *root, struct btrfs_key *key,
+ char *field)
+{
+ enum btrfs_key_field corrupt_field = convert_key_field(field);
+ struct btrfs_path *path;
+ struct btrfs_trans_handle *trans;
+ int ret;
+
+ root = root->fs_info->fs_root;
+ if (corrupt_field == BTRFS_KEY_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ btrfs_free_path(path);
+ return PTR_ERR(trans);
+ }
+
+ ret = btrfs_search_slot(trans, root, key, path, 0, 1);
+ if (ret < 0)
+ goto out;
+ if (ret > 0) {
+ fprintf(stderr, "Couldn't find the key to corrupt\n");
+ ret = -ENOENT;
+ goto out;
+ }
+
+ switch (corrupt_field) {
+ case BTRFS_KEY_OBJECTID:
+ key->objectid = generate_u64(key->objectid);
+ break;
+ case BTRFS_KEY_TYPE:
+ key->type = generate_u8(key->type);
+ break;
+ case BTRFS_KEY_OFFSET:
+ key->offset = generate_u64(key->objectid);
+ break;
+ default:
+ fprintf(stderr, "Invalid field %s, %d\n", field,
+ corrupt_field);
+ ret = -EINVAL;
+ goto out;
+ }
+
+ btrfs_set_item_key_unsafe(root, path, key);
+out:
+ btrfs_free_path(path);
+ btrfs_commit_transaction(trans, root);
+ return ret;
+}
+
+static int corrupt_dir_item(struct btrfs_root *root, struct btrfs_key *key,
+ char *field)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_dir_item *di;
+ struct btrfs_path *path;
+ char name[PATH_MAX];
+ struct btrfs_key location;
+ struct btrfs_disk_key disk_key;
+ unsigned long name_ptr;
+ enum btrfs_dir_item_field corrupt_field =
+ convert_dir_item_field(field);
+ u64 bogus;
+ u16 name_len;
+ int ret;
+
+ if (corrupt_field == BTRFS_DIR_ITEM_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ btrfs_free_path(path);
+ return PTR_ERR(trans);
+ }
+
+ ret = btrfs_search_slot(trans, root, key, path, 0, 1);
+ if (ret) {
+ if (ret > 0)
+ ret = -ENOENT;
+ fprintf(stderr, "Error searching for dir item %d\n", ret);
+ goto out;
+ }
+
+ di = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_dir_item);
+
+ switch (corrupt_field) {
+ case BTRFS_DIR_ITEM_NAME:
+ name_len = btrfs_dir_name_len(path->nodes[0], di);
+ name_ptr = (unsigned long)(di + 1);
+ read_extent_buffer(path->nodes[0], name, name_ptr, name_len);
+ name[0]++;
+ write_extent_buffer(path->nodes[0], name, name_ptr, name_len);
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+ goto out;
+ case BTRFS_DIR_ITEM_LOCATION_OBJECTID:
+ btrfs_dir_item_key_to_cpu(path->nodes[0], di, &location);
+ bogus = generate_u64(location.objectid);
+ location.objectid = bogus;
+ btrfs_cpu_key_to_disk(&disk_key, &location);
+ btrfs_set_dir_item_key(path->nodes[0], di, &disk_key);
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
+ }
+out:
+ btrfs_commit_transaction(trans, root);
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int corrupt_inode(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root, u64 inode, char *field)
+{
+ struct btrfs_inode_item *ei;
+ struct btrfs_path *path;
+ struct btrfs_key key;
+ enum btrfs_inode_field corrupt_field = convert_inode_field(field);
+ u64 bogus;
+ u64 orig;
+ int ret;
+
+ if (corrupt_field == BTRFS_INODE_FIELD_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ key.objectid = inode;
+ key.type = BTRFS_INODE_ITEM_KEY;
+ key.offset = (u64)-1;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ ret = btrfs_search_slot(trans, root, &key, path, 0, 1);
+ if (ret < 0)
+ goto out;
+ if (ret) {
+ if (!path->slots[0]) {
+ fprintf(stderr, "Couldn't find inode %Lu\n", inode);
+ ret = -ENOENT;
+ goto out;
+ }
+ path->slots[0]--;
+ ret = 0;
+ }
+
+ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
+ if (key.objectid != inode) {
+ fprintf(stderr, "Couldn't find inode %Lu\n", inode);
+ ret = -ENOENT;
+ goto out;
+ }
+
+ ei = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_inode_item);
+ switch (corrupt_field) {
+ case BTRFS_INODE_FIELD_ISIZE:
+ orig = btrfs_inode_size(path->nodes[0], ei);
+ bogus = generate_u64(orig);
+ btrfs_set_inode_size(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_NBYTES:
+ orig = btrfs_inode_nbytes(path->nodes[0], ei);
+ bogus = generate_u64(orig);
+ btrfs_set_inode_nbytes(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_NLINK:
+ orig = btrfs_inode_nlink(path->nodes[0], ei);
+ bogus = generate_u32(orig);
+ btrfs_set_inode_nlink(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_GENERATION:
+ orig = btrfs_inode_generation(path->nodes[0], ei);
+ bogus = generate_u64(orig);
+ btrfs_set_inode_generation(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_TRANSID:
+ orig = btrfs_inode_transid(path->nodes[0], ei);
+ bogus = generate_u64(orig);
+ btrfs_set_inode_transid(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_BLOCK_GROUP:
+ orig = btrfs_inode_block_group(path->nodes[0], ei);
+ bogus = generate_u64(orig);
+ btrfs_set_inode_block_group(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_MODE:
+ orig = btrfs_inode_mode(path->nodes[0], ei);
+ bogus = generate_u32(orig);
+ btrfs_set_inode_mode(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_UID:
+ orig = btrfs_inode_uid(path->nodes[0], ei);
+ bogus = generate_u32(orig);
+ btrfs_set_inode_uid(path->nodes[0], ei, bogus);
+ break;
+ case BTRFS_INODE_FIELD_GID:
+ orig = btrfs_inode_gid(path->nodes[0], ei);
+ bogus = generate_u32(orig);
+ btrfs_set_inode_gid(path->nodes[0], ei, bogus);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+out:
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int corrupt_file_extent(struct btrfs_trans_handle *trans,
+ struct btrfs_root *root, u64 inode, u64 extent,
+ char *field)
+{
+ struct btrfs_file_extent_item *fi;
+ struct btrfs_path *path;
+ struct btrfs_key key;
+ enum btrfs_file_extent_field corrupt_field;
+ u64 bogus;
+ u64 orig;
+ int ret = 0;
+
+ corrupt_field = convert_file_extent_field(field);
+ if (corrupt_field == BTRFS_FILE_EXTENT_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ key.objectid = inode;
+ key.type = BTRFS_EXTENT_DATA_KEY;
+ key.offset = extent;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ ret = btrfs_search_slot(trans, root, &key, path, 0, 1);
+ if (ret < 0)
+ goto out;
+ if (ret) {
+ fprintf(stderr, "Couldn't find extent %llu for inode %llu\n",
+ extent, inode);
+ ret = -ENOENT;
+ goto out;
+ }
+
+ fi = btrfs_item_ptr(path->nodes[0], path->slots[0],
+ struct btrfs_file_extent_item);
+ switch (corrupt_field) {
+ case BTRFS_FILE_EXTENT_DISK_BYTENR:
+ orig = btrfs_file_extent_disk_bytenr(path->nodes[0], fi);
+ bogus = generate_u64(orig);
+ btrfs_set_file_extent_disk_bytenr(path->nodes[0], fi, bogus);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+out:
+ btrfs_free_path(path);
+ return ret;
+}
+
+static void shift_items(struct btrfs_root *root, struct extent_buffer *eb)
+{
+ int nritems = btrfs_header_nritems(eb);
+ int shift_space = btrfs_leaf_free_space(root, eb) / 2;
+ int slot = nritems / 2;
+ int i = 0;
+ unsigned int data_end = btrfs_item_offset_nr(eb, nritems - 1);
+
+ /* Shift the item data up to and including slot back by shift space */
+ memmove_extent_buffer(eb, btrfs_leaf_data(eb) + data_end - shift_space,
+ btrfs_leaf_data(eb) + data_end,
+ btrfs_item_offset_nr(eb, slot - 1) - data_end);
+
+ /* Now update the item pointers. */
+ for (i = nritems - 1; i >= slot; i--) {
+ u32 offset = btrfs_item_offset_nr(eb, i);
+ offset -= shift_space;
+ btrfs_set_item_offset(eb, btrfs_item_nr(i), offset);
+ }
+}
+
+static int corrupt_metadata_block(struct btrfs_fs_info *fs_info, u64 block,
+ char *field)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_root *root;
+ struct btrfs_path *path;
+ struct extent_buffer *eb;
+ struct btrfs_key key, root_key;
+ enum btrfs_metadata_block_field corrupt_field;
+ u64 root_objectid;
+ u64 orig, bogus;
+ u8 level;
+ int ret;
+
+ corrupt_field = convert_metadata_block_field(field);
+ if (corrupt_field == BTRFS_METADATA_BLOCK_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ eb = read_tree_block(fs_info, block, 0);
+ if (!extent_buffer_uptodate(eb)) {
+ fprintf(stderr, "Couldn't read in tree block %s\n", field);
+ return -EINVAL;
+ }
+ root_objectid = btrfs_header_owner(eb);
+ level = btrfs_header_level(eb);
+ if (level)
+ btrfs_node_key_to_cpu(eb, &key, 0);
+ else
+ btrfs_item_key_to_cpu(eb, &key, 0);
+ free_extent_buffer(eb);
+
+ root_key.objectid = root_objectid;
+ root_key.type = BTRFS_ROOT_ITEM_KEY;
+ root_key.offset = (u64)-1;
+
+ root = btrfs_read_fs_root(fs_info, &root_key);
+ if (IS_ERR(root)) {
+ fprintf(stderr, "Couldn't find owner root %llu\n",
+ key.objectid);
+ return PTR_ERR(root);
+ }
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ btrfs_free_path(path);
+ fprintf(stderr, "Couldn't start transaction %ld\n",
+ PTR_ERR(trans));
+ return PTR_ERR(trans);
+ }
+
+ path->lowest_level = level;
+ ret = btrfs_search_slot(trans, root, &key, path, 0, 1);
+ if (ret < 0) {
+ fprintf(stderr, "Error searching to node %d\n", ret);
+ goto out;
+ }
+ eb = path->nodes[level];
+
+ ret = 0;
+ switch (corrupt_field) {
+ case BTRFS_METADATA_BLOCK_GENERATION:
+ orig = btrfs_header_generation(eb);
+ bogus = generate_u64(orig);
+ btrfs_set_header_generation(eb, bogus);
+ break;
+ case BTRFS_METADATA_BLOCK_SHIFT_ITEMS:
+ shift_items(root, path->nodes[level]);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+ btrfs_mark_buffer_dirty(path->nodes[level]);
+out:
+ btrfs_commit_transaction(trans, root);
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int corrupt_btrfs_item(struct btrfs_root *root, struct btrfs_key *key,
+ char *field)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_path *path;
+ enum btrfs_item_field corrupt_field;
+ u32 orig, bogus;
+ int ret;
+
+ corrupt_field = convert_item_field(field);
+ if (corrupt_field == BTRFS_ITEM_BAD) {
+ fprintf(stderr, "Invalid field %s\n", field);
+ return -EINVAL;
+ }
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ btrfs_free_path(path);
+ fprintf(stderr, "Couldn't start transaction %ld\n",
+ PTR_ERR(trans));
+ return PTR_ERR(trans);
+ }
+
+ ret = btrfs_search_slot(trans, root, key, path, 0, 1);
+ if (ret != 0) {
+ fprintf(stderr, "Error searching to node %d\n", ret);
+ goto out;
+ }
+
+ ret = 0;
+ switch (corrupt_field) {
+ case BTRFS_ITEM_OFFSET:
+ orig = btrfs_item_offset_nr(path->nodes[0], path->slots[0]);
+ bogus = generate_u32(orig);
+ btrfs_set_item_offset(path->nodes[0],
+ btrfs_item_nr(path->slots[0]), bogus);
+ break;
+ default:
+ ret = -EINVAL;
+ break;
+ }
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+out:
+ btrfs_commit_transaction(trans, root);
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int delete_item(struct btrfs_root *root, struct btrfs_key *key)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_path *path;
+ int ret;
+
+ path = btrfs_alloc_path();
+ if (!path)
+ return -ENOMEM;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ btrfs_free_path(path);
+ fprintf(stderr, "Couldn't start transaction %ld\n",
+ PTR_ERR(trans));
+ return PTR_ERR(trans);
+ }
+
+ ret = btrfs_search_slot(trans, root, key, path, -1, 1);
+ if (ret) {
+ if (ret > 0)
+ ret = -ENOENT;
+ fprintf(stderr, "Error searching to node %d\n", ret);
+ goto out;
+ }
+ ret = btrfs_del_item(trans, root, path);
+ btrfs_mark_buffer_dirty(path->nodes[0]);
+out:
+ btrfs_commit_transaction(trans, root);
+ btrfs_free_path(path);
+ return ret;
+}
+
+static int delete_csum(struct btrfs_root *root, u64 bytenr, u64 bytes)
+{
+ struct btrfs_trans_handle *trans;
+ int ret;
+
+ root = root->fs_info->csum_root;
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ fprintf(stderr, "Couldn't start transaction %ld\n",
+ PTR_ERR(trans));
+ return PTR_ERR(trans);
+ }
+
+ ret = btrfs_del_csums(trans, root, bytenr, bytes);
+ if (ret)
+ fprintf(stderr, "Error deleting csums %d\n", ret);
+ btrfs_commit_transaction(trans, root);
+ return ret;
+}
+