From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Filipe Manana <fdmanana@suse.com>,
Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.17 32/35] btrfs: tree-checker: add inode extref checks
Date: Fri, 31 Oct 2025 15:01:40 +0100 [thread overview]
Message-ID: <20251031140044.407416705@linuxfoundation.org> (raw)
In-Reply-To: <20251031140043.564670400@linuxfoundation.org>
6.17-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit aab9458b9f0019e97fae394c2d6d9d1a03addfb3 ]
Like inode refs, inode extrefs have a variable length name, which means
we have to do a proper check to make sure no header nor name can exceed
the item limits.
The check itself is very similar to check_inode_ref(), just a different
structure (btrfs_inode_extref vs btrfs_inode_ref).
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-checker.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index a997c7cc35a26..a83e455f813bf 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -183,6 +183,7 @@ static bool check_prev_ino(struct extent_buffer *leaf,
/* Only these key->types needs to be checked */
ASSERT(key->type == BTRFS_XATTR_ITEM_KEY ||
key->type == BTRFS_INODE_REF_KEY ||
+ key->type == BTRFS_INODE_EXTREF_KEY ||
key->type == BTRFS_DIR_INDEX_KEY ||
key->type == BTRFS_DIR_ITEM_KEY ||
key->type == BTRFS_EXTENT_DATA_KEY);
@@ -1782,6 +1783,39 @@ static int check_inode_ref(struct extent_buffer *leaf,
return 0;
}
+static int check_inode_extref(struct extent_buffer *leaf,
+ struct btrfs_key *key, struct btrfs_key *prev_key,
+ int slot)
+{
+ unsigned long ptr = btrfs_item_ptr_offset(leaf, slot);
+ unsigned long end = ptr + btrfs_item_size(leaf, slot);
+
+ if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
+ return -EUCLEAN;
+
+ while (ptr < end) {
+ struct btrfs_inode_extref *extref = (struct btrfs_inode_extref *)ptr;
+ u16 namelen;
+
+ if (unlikely(ptr + sizeof(*extref)) > end) {
+ inode_ref_err(leaf, slot,
+ "inode extref overflow, ptr %lu end %lu inode_extref size %zu",
+ ptr, end, sizeof(*extref));
+ return -EUCLEAN;
+ }
+
+ namelen = btrfs_inode_extref_name_len(leaf, extref);
+ if (unlikely(ptr + sizeof(*extref) + namelen > end)) {
+ inode_ref_err(leaf, slot,
+ "inode extref overflow, ptr %lu end %lu namelen %u",
+ ptr, end, namelen);
+ return -EUCLEAN;
+ }
+ ptr += sizeof(*extref) + namelen;
+ }
+ return 0;
+}
+
static int check_raid_stripe_extent(const struct extent_buffer *leaf,
const struct btrfs_key *key, int slot)
{
@@ -1893,6 +1927,9 @@ static enum btrfs_tree_block_status check_leaf_item(struct extent_buffer *leaf,
case BTRFS_INODE_REF_KEY:
ret = check_inode_ref(leaf, key, prev_key, slot);
break;
+ case BTRFS_INODE_EXTREF_KEY:
+ ret = check_inode_extref(leaf, key, prev_key, slot);
+ break;
case BTRFS_BLOCK_GROUP_ITEM_KEY:
ret = check_block_group_item(leaf, key, slot);
break;
--
2.51.0
next prev parent reply other threads:[~2025-10-31 14:07 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-31 14:01 [PATCH 6.17 00/35] 6.17.7-rc1 review Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 01/35] sched_ext: Move internal type and accessor definitions to ext_internal.h Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 02/35] sched_ext: Put event_stats_cpu in struct scx_sched_pcpu Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 03/35] sched_ext: Sync error_irq_work before freeing scx_sched Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 04/35] timekeeping: Fix aux clocks sysfs initialization loop bound Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 05/35] x86/bugs: Report correct retbleed mitigation status Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 06/35] x86/bugs: Qualify RETBLEED_INTEL_MSG Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 07/35] genirq/chip: Add buslock back in to irq_set_handler() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 08/35] genirq/manage: Add buslock back in to __disable_irq_nosync() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 09/35] genirq/manage: Add buslock back in to enable_irq() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 10/35] audit: record fanotify event regardless of presence of rules Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 11/35] EDAC/ie31200: Add two more Intel Alder Lake-S SoCs for EDAC support Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 12/35] perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 13/35] perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 14/35] perf: Have get_perf_callchain() return NULL if crosstask and user are set Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 15/35] perf: Skip user unwind if the task is a kernel thread Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 16/35] EDAC: Fix wrong executable file modes for C source files Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 17/35] seccomp: passthrough uprobe systemcall without filtering Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 18/35] sched_ext: Keep bypass on between enable failure and scx_disable_workfn() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 19/35] x86/bugs: Add attack vector controls for VMSCAPE Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 20/35] sched/fair: update_cfs_group() for throttled cfs_rqs Greg Kroah-Hartman
2025-11-02 11:07 ` Aaron Lu
2025-11-02 12:21 ` Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 21/35] x86/bugs: Fix reporting of LFENCE retpoline Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 22/35] EDAC/mc_sysfs: Increase legacy channel support to 16 Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 23/35] cpuset: Use new excpus for nocpu error check when enabling root partition Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 24/35] btrfs: abort transaction on specific error places when walking log tree Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 25/35] btrfs: abort transaction in the process_one_buffer() log tree walk callback Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 26/35] btrfs: zoned: return error from btrfs_zone_finish_endio() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 27/35] btrfs: zoned: refine extent allocator hint selection Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 28/35] btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 29/35] btrfs: always drop log root tree reference in btrfs_replay_log() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 30/35] btrfs: use level argument in log tree walk callback replay_one_buffer() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 31/35] btrfs: abort transaction if we fail to update inode in log replay dir fixup Greg Kroah-Hartman
2025-10-31 14:01 ` Greg Kroah-Hartman [this message]
2025-10-31 14:01 ` [PATCH 6.17 33/35] btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 34/35] sched_ext: Make qmap dump operation non-destructive Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.17 35/35] arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Greg Kroah-Hartman
2025-10-31 14:58 ` [PATCH 6.17 00/35] 6.17.7-rc1 review Ronald Warsow
2025-10-31 16:59 ` Peter Schneider
2025-10-31 17:06 ` Dileep malepu
2025-10-31 19:35 ` Jon Hunter
2025-10-31 20:39 ` Pavel Machek
2025-10-31 22:35 ` Shuah Khan
2025-10-31 22:45 ` Achill Gilgenast
2025-10-31 22:58 ` Justin Forbes
2025-11-01 9:10 ` Naresh Kamboju
2025-11-01 9:56 ` Jeffrin Thalakkottoor
2025-11-01 11:37 ` Ron Economos
2025-11-01 19:31 ` Brett A C Sheffield
2025-11-01 21:16 ` Miguel Ojeda
2025-11-02 2:58 ` Takeshi Ogasawara
2025-11-03 16:50 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251031140044.407416705@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dsterba@suse.com \
--cc=fdmanana@suse.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).