From 35d0588b641b227f6560f8c7240e0b2c43afae14 Mon Sep 17 00:00:00 2001
From: David Sterba
Date: Fri, 30 Sep 2016 18:59:44 +0200
Subject: [PATCH] btrfs-progs: tests: add fuzzed image with bad parent refs, qgroup-verify

Signed-off-by: David Sterba
---
 ...bko-156811-bad-parent-ref-qgroup-verify.raw.txt | 94 +++++++++++++++++++++
 .../bko-156811-bad-parent-ref-qgroup-verify.raw.xz | Bin 0 -> 3832 bytes
 2 files changed, 94 insertions(+)
 create mode 100644 tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.txt
 create mode 100644 tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.xz
diff --git a/tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.txt b/tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.txt
new file mode 100644
index 0000000..6e4a541
--- /dev/null
+++ b/tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.txt
@@ -0,0 +1,94 @@
+URL: https://bugzilla.kernel.org/show_bug.cgi?id=156811
+Lukas Lueg 2016-09-14 19:19:46 UTC
+
+More news from the fuzzer. The attached image causes btrfsck to engage in
+undefined behavior; using btrfs-progs v4.7-42-g56e9586. You need to compile
+with UBSAN in order to reproduce.
+
+The juicy parts:
+
+qgroup-verify.c:333:15: runtime error: member access within null pointer of type 'struct ref'
+ #0 0x88684f in find_parent_roots /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:333:15
+ #1 0x877a71 in account_all_refs /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:525:11
+ #2 0x87513b in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:1372:8
+ #3 0x536d3a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11637:9
+ #4 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
+ #5 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)
+
+
+We don't strictly need UBSAN as the error can be spotted by naked eye in
+find_parent_root(): The line "node = &ref->bytenr_node" gets a reference to a
+member of a NULL pointer before the pointer is checked against being NULL on
+the next line. It should be the other way around...
+
+crc32c.c:75:19: runtime error: load of misaligned address 0x74200001cc9c for type 'unsigned long', which requires 8 byte alignment
+0x74200001cc9c: note: pointer points here
+ 00 00 00 00 b7 0e 65 6c 64 61 40 4b a5 0d 0f ba 33 0c 75 27 00 00 02 00 00 00 00 00 01 00 00 00
+ ^
+ #0 0x907c52 in crc32c_intel /home/lukas/dev/btrfsfuzz/src-ubsan/crc32c.c:75:19
+ #1 0x6f9845 in __csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:139:8
+ #2 0x6f96b8 in csum_tree_block_size /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:159:9
+ #3 0x6fda28 in read_tree_block_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:348:19
+ #4 0x71669f in btrfs_setup_chunk_tree_and_device_map /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1210:30
+ #5 0x7187e4 in __open_ctree_fd /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1322:8
+ #6 0x717a6d in open_ctree_fs_info /home/lukas/dev/btrfsfuzz/src-ubsan/disk-io.c:1381:9
+ #7 0x533791 in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11449:9
+ #8 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
+ #9 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #10 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)
+
+SUMMARY: MemorySanitizer: undefined-behavior crc32c.c:75:19 in
+checking extents
+Chunk[256, 228, 0]: length(4194304), offset(0), type(2) is not found in block group
+Chunk[256, 228, 0] stripe[1, 0] is not found in dev extent
+Chunk[256, 228, 4194304]: length(1638400), offset(4194304), type(5) is not found in block group
+Chunk[256, 228, 4194304] stripe[1, 4194304] is not found in dev extent
+Chunk[256, 228, 5832704]: length(1638400), offset(5832704), type(5) is not found in block group
+Chunk[256, 228, 5832704] stripe[1, 5832704] is not found in dev extent
+ref mismatch on [131072 4096] extent item 0, found 1
+Backref 131072 parent 3 root 3 not found in extent tree
+backpointer mismatch on [131072 4096]
+ref mismatch on [4194304 4096] extent item 0, found 1
+Backref 4194304 parent 5 root 5 not found in extent tree
+backpointer mismatch on [4194304 4096]
+ref mismatch on [4198400 4096] extent item 0, found 1
+Backref 4198400 parent 1 root 1 not found in extent tree
+backpointer mismatch on [4198400 4096]
+ref mismatch on [4231168 4096] extent item 0, found 1
+Backref 4231168 parent 7 root 7 not found in extent tree
+backpointer mismatch on [4231168 4096]
+ref mismatch on [3472328296227680304 3472328296227680304] extent item 0, found 1
+Backref 3472328296227680304 root 1 owner 2 offset 0 num_refs 0 not found in extent tree
+Incorrect local backref count on 3472328296227680304 root 1 owner 2 offset 0 found 1 wanted 0 back 0x70c00000ed00
+backpointer mismatch on [3472328296227680304 3472328296227680304]
+Dev extent's total-byte(0) is not equal to byte-used(7471104) in dev[1, 216, 1]
+Errors found in extent allocation tree or chunk allocation
+checking free space cache
+checking fs roots
+checking csums
+checking root refs
+checking quota groups
+qgroup-verify.c:333:15: runtime error: member access within null pointer of type 'struct ref'
+ #0 0x88684f in find_parent_roots /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:333:15
+ #1 0x877a71 in account_all_refs /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:525:11
+ #2 0x87513b in qgroup_verify_all /home/lukas/dev/btrfsfuzz/src-ubsan/qgroup-verify.c:1372:8
+ #3 0x536d3a in cmd_check /home/lukas/dev/btrfsfuzz/src-ubsan/cmds-check.c:11637:9
+ #4 0x490560 in main /home/lukas/dev/btrfsfuzz/src-ubsan/btrfs.c:243:8
+ #5 0x7f35b46ab730 in __libc_start_main (/lib64/libc.so.6+0x20730)
+ #6 0x422188 in _start (/home/lukas/dev/btrfsfuzz/bin-ubsan/bin/btrfs+0x422188)
+
+SUMMARY: MemorySanitizer: undefined-behavior qgroup-verify.c:333:15 in
+qgroup-verify.c:334: find_parent_roots: Assertion `ref == NULL` failed.
+btrfs check(backtrace+0x51)[0x43f6d1]
+btrfs check[0x883611]
+btrfs check[0x880ce9]
+btrfs check[0x8868b1]
+btrfs check[0x877a72]
+btrfs check(qgroup_verify_all+0x26c)[0x87513c]
+btrfs check(cmd_check+0x457b)[0x536d3b]
+btrfs check(main+0x6a1)[0x490561]
+/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f35b46ab731]
+btrfs check(_start+0x29)[0x422189]
+Checking filesystem on ubsan_logs/id:002289,src:001702+002037,op:splice,rep:4.img
+UUID: b70e656c-6461-404b-a50d-0fba330c7527
diff --git a/tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.xz b/tests/fuzz-tests/images/bko-156811-bad-parent-ref-qgroup-verify.raw.xz new file mode 100644 index 0000000000000000000000000000000000000000..7e499f77d5a98b0d4a2fb034c5850583a4d9cede GIT binary patch literal 3832 zcmeH~`8U)HAIHC#!CWyYB^eq^82geiNfa6yvc;feVl3Hrk$o*=vP@BFCN)_nLy9bu zH6k%glqDr&nF>jEcb@zFa({Y$xZUTR=bY!<{({fvyw3ace!o9EM=m=#0|01dxYmpt zfOAO#03h7&^oqj?)KAxb-1 z6W8>xQKl)w9`c2f6D97>J$h>5C}Ra~+!-iWqTIk|`6(o7H)_plBJ@X-2vkclU`}=w zqC7>_p4u~4?OKxWE%j8n8y(n5P}J(MCE?FTC7zyV$HW zN!Dgs@(O6^AralF^Iiu)WHwb%kcTmFowPi7kUTz%Qq8?Fn8l1gboIc1SmWF&`dzo9 zNncE3_eWGC&KW@EFZvm68iUfmrt5;IdPjxyhw9)4cFW!w@j#(AUhTmd4xzuBMtD4H z)d3oGk1|j#fXdNk_h;dQo?n4k?$~n%5DnoYd%`Ktp6XZSy z-7S%I`=Z#J${-e8jYH%tD}=A@Z{aOK7wo*PdUGAxA#b<-BS%*gOrb3Vwg#cicQJBA z$_1;N3^La@Lz9=8fmUUK)yH8ViQo`A>!e6g&Y6*sc#_`e%kGeT!9ji3(^*1it*&?9oA-P~O=UJ117QWYHwBO_j4)4nH?c@&o-L~bs0Q~l(}g&~dF#PZn00|Z4pGqzTDBege(RQo+SwLD z>i6Wt7SI38lzIWy@VZ(-+!d2HkF#~6&qq{Zrdcjv{*A6t>h_kca#){~%R!Tk2|L4e zB@YNPp%>vd`2@Mt(X3_#5!54bgt=6JuL}1ut2lApn#6;#x}$kFSD9kHZM`~;zFO6B z!DhkyvRwYV9d)dwNc2asni8Zsyk@}PQ^0?*ty?+tm?h5S`tJWds6R&waQ6F?ICDI7 z;22w&{K;zbCCnNh5~}}!%k!FO+w}hPJK38%i?$wpr8`&Z^zNI)>l&L^697;xdx-A) zOms-M&47EOA<@0*!BcMzaz(Z5iGIau__B6vgUIcU8S>+suA8|A4zL9I| zVG`C^e`B&T*?I9)s6g_-H8TF-pq)8PRQIPKVu-`+#T@}&7QjIR;iJtkzJ9afeK3hE;)PSJy3 zAj3wx(hOOd67~$*;rvpgx94ZltQ&Blos8ci2=rZiN)PVH=ES=~_O=RGHOT9vOs`N3 zN_{}X_|}0Iqlli+)apBU?g;B^Mh!RiUQJ@(GuM-`fzlTg5gT9++It%g3<-jy~H zWvN5F4E@%A?7Zm%i>bo~pvkZzu#FzB66Jpw$&xM^VVkP^_DNAi0(G2jaio0fGy)D0 zn+L0629t~o8)BL)hEPkM(#b(*5er9<`ockig|0H6M~mL4yI3+a@M8nr*P$*@QI8&@K z9P#46T~8VK5^7hn^AC5lzhI^|P@|e(zP1tzZCY@+So5(KUrUY7FYuB taR3ZFnD&r;2T0nphDt;03jr=BEFmF*U(AF4xw^w^i~EoN764(K{{{a`Xm