From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F47536D9E7 for ; Mon, 27 Apr 2026 20:28:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777321709; cv=none; b=eJzJmFHonF3sh4IZHO1BQJgO6WKaYExxS9NVML4zxyCxVUVR0UBFNaS1Ti88URRmDkYcazEdMhKnKwaIC08m9Ho/yvbnxqv1GRmfvPaWgiaforbztOeBoZvvAf5tpJtWKMpoJynRWVcbYEnu4PJjBTA3DJVblFANNfQI7HoEqyo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777321709; c=relaxed/simple; bh=2W3udJfpoUpVU+zcXEL2kBe6tqgHZ5XeEjLMm3rQp+Q=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OYh2s7Zot9mB7/Z0W24/4DZplBlSB4vEyIMKfK75y9ylaz5rsaZfWO8LwprPAn18fBQC5zQW0KRMC4lodiW4HhbvMJ29RfU6Y5bwHI1NOG27DA4ihRRCzuPboYOjKuRZ31ZQTFRrOhKJq1aFITOlH0zRIV+LEjQJGf5p++htI1I= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CEbITPW9; arc=none smtp.client-ip=209.85.128.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="CEbITPW9" Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-4890d945eb4so53679595e9.0 for ; Mon, 27 Apr 2026 13:28:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777321706; x=1777926506; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RJsJ0/AdMp4F3EjvGpZbBz3zMwBhPSd1Q0YoCqjYwls=; b=CEbITPW9JJptOSlT6yC2YhPqoav+hmMeWJmZhPPMgHHF0EM7KPvo5+v9kLqYVTnmeT L48c2AjLgOXcdNn5Swjz/D7ETSBmxGE0ZA8LTwBbId91R8tlWg2pPsrFSMZ/ZIN/B93y QXprOZDPYuBYfZQ+6h+Fc9rryMpWalD3NHvhgYQd1UWkwQzjoDw/pTlM0fu7ApfQpLm7 vZkSmE77jWLG1BoNvhGS2vEODLWess64ET+18+NAbJpOVyCXTFutbzSFQfACInRRg09j fLS3yMDY6aMTA2Q+5jvbyFt9leqLL0ki2iEtPfb+Ys0Gns8Rk051KKuRGNMiMTYNBMui 4t1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777321706; x=1777926506; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=RJsJ0/AdMp4F3EjvGpZbBz3zMwBhPSd1Q0YoCqjYwls=; b=LNFWX0jo1wqWfGVprKcWYxf4CKm8HvEjspztTvTwTxUiz/B3nwKHvW0M36bR47SN86 KSo18DuQTnJSAl1yoFmPBXLH+9cQbcwEXaLT9JjSDs5gXRDJ4OpShMJGcfGIvU1AaYwU VFJDyYGcej6sRUUdXPnFQyb5GoQ7m+x8ogSlmsvC+4xEx6PrfVKgvRZq+SUBwtdNnxqr 9sqIhEWQ+Ms5lHsayeiB29JBtmJxxmOgSi6Ihg+zBLToPR41Fxd8NfR2KIembh5J8OZg O3yxGU/tKVd7I0XGJvqwYHpgncqUtmIta/ydZinapDQ1ISZMSfAi5dZWA3ydn8BZwuou Hp5Q== X-Forwarded-Encrypted: i=1; AFNElJ/EksljAJn5cHh86efPysSnS5rlLDGWpLdk5AouKPHb4rvsRgz/n+h2meWsppmG3LmQpukj5oWoYVx6rCo=@vger.kernel.org X-Gm-Message-State: AOJu0Yz/q9pGjtyd3yrlu1VizwI9SQK1uhlzKsCs9u8lUbzzf6Q1iKzp k8BXAgnTh/NynmQUJrVAAV7PmT/FBictjOitjGCqf0x/vWVaLqdE+LLv X-Gm-Gg: AeBDievwEiGo/YcERxt7M+UEMoBxrn9ncev/GgcQZIUA+s1V48BT5BzoRfz5FSZJNmD j7n14/JdWvxgdSGRRQ9g8iToM3mHZqruuRpV/TDz71EzBXIDYGc6iAifYTvF0S8Ein9v6hTf4Dd ErKpfC3bdiPVtX0UqEeJ8FgIK29hPPzQfhInkn3SGK3Tvqv2RKzeKF342CwqgWgS1Q+vgOlvj4N HPAeGPjnYq3dXjoMB6nJcdW5yvENPHfZDuIWt6kF2W91E3HOsEiLDwv1/xngX4MyhV4ePqaLoRf UqpqOvtSc3Ojlq2RtGJo8xFUXc4cKeFZw2yg7999sKGCd8QITWIjIPyQHT0A7VP/KXfVUrMHvGg Yt1FD94sZg88OckOUdLK8mRGUpEMkgmLNyB4Yr1T9C73xOjBm4tlEvegyLIdVYXzdW+JHHn81aA u59kermMJtvtH7UG6/51Gm79/+U7rsTCJyDFn+reMl4g4= X-Received: by 2002:a05:600c:4f08:b0:48a:5821:6006 with SMTP id 5b1f17b1804b1-48a77e40cfamr2229895e9.4.1777321706225; Mon, 27 Apr 2026 13:28:26 -0700 (PDT) Received: from localhost ([145.40.214.139]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-4463cb59a68sm872149f8f.4.2026.04.27.13.28.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 13:28:25 -0700 (PDT) From: Teng Liu <27rabbitlt@gmail.com> To: linux-btrfs@vger.kernel.org Cc: dsterba@suse.com, clm@fb.com, wqu@suse.com, linux-kernel@vger.kernel.org, syzbot+3e20d8f3d41bac5dc9a2@syzkaller.appspotmail.com, Teng Liu <27rabbitlt@gmail.com> Subject: [PATCH v3] btrfs: validate data reloc tree file extent item members in tree-checker Date: Mon, 27 Apr 2026 22:24:58 +0200 Message-ID: <20260427202822.278326-1-27rabbitlt@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260426201605.36626-1-27rabbitlt@gmail.com> References: <20260426201605.36626-1-27rabbitlt@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit get_new_location() uses BUG_ON() to crash the kernel if the file extent item it looks up has any of offset, compression, encryption, or other_encoding set. The data reloc inode is only written by relocation's own paths -- insert_prealloc_file_extent() and insert_ordered_extent_file_extent() -- which always leave those four fields at 0 (the data reloc inode is created with BTRFS_INODE_NOCOMPRESS, and encryption/other_encoding are reserved-and-zero). Observing a non-zero value therefore means the leaf decoded from disk does not match what the kernel wrote, i.e. on-disk corruption. A malformed image can reach this code via balance and panic the kernel. Move the validation into tree-checker's check_extent_data_item(), where the constraint is enforced when the leaf is read off disk rather than after relocation has already started. The data reloc tree has a fixed root id (BTRFS_DATA_RELOC_TREE_OBJECTID) recorded in the extent buffer header, so check_extent_data_item() has all the information it needs to apply this check on its own. Report violations via file_extent_err() and print the four offending values. In get_new_location() replace the BUG_ON() with an ASSERT(). The caller in replace_file_extents() already handles non-zero returns from get_new_location() by breaking out of the loop without aborting the transaction, so no caller changes are needed. Suggested-by: Qu Wenruo Suggested-by: David Sterba Reported-by: syzbot+3e20d8f3d41bac5dc9a2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3e20d8f3d41bac5dc9a2 Signed-off-by: Teng Liu <27rabbitlt@gmail.com> --- Changes in v3: - Move the corruption check from relocation.c into tree-checker's check_extent_data_item(), per Qu and David. The data reloc tree's fixed objectid is recorded in the extent buffer header, so the check has all the context it needs at read time. - Use file_extent_err() and print offset/compression/encryption/ other_encoding values, per Qu. - Replace the BUG_ON in get_new_location() with ASSERT() rather than -EUCLEAN, per David. Changes in v2: - Pair the -EUCLEAN return with btrfs_print_leaf() and btrfs_err() so the offending leaf is dumped to dmesg, per Qu's review of v1. - Expand the changelog to argue why non-zero compression/encryption/other_encoding in the data reloc inode imply on-disk corruption. fs/btrfs/relocation.c | 8 ++++---- fs/btrfs/tree-checker.c | 21 +++++++++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c index 1c42c5180bdd..527d4dbfe31c 100644 --- a/fs/btrfs/relocation.c +++ b/fs/btrfs/relocation.c @@ -835,10 +835,10 @@ static int get_new_location(struct inode *reloc_inode, u64 *new_bytenr, fi = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_file_extent_item); - BUG_ON(btrfs_file_extent_offset(leaf, fi) || - btrfs_file_extent_compression(leaf, fi) || - btrfs_file_extent_encryption(leaf, fi) || - btrfs_file_extent_other_encoding(leaf, fi)); + ASSERT(!btrfs_file_extent_offset(leaf, fi) && + !btrfs_file_extent_compression(leaf, fi) && + !btrfs_file_extent_encryption(leaf, fi) && + !btrfs_file_extent_other_encoding(leaf, fi)); if (num_bytes != btrfs_file_extent_disk_num_bytes(leaf, fi)) return -EINVAL; diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c index 1f15d0793a9c..e4864f7a471e 100644 --- a/fs/btrfs/tree-checker.c +++ b/fs/btrfs/tree-checker.c @@ -296,6 +296,27 @@ static int check_extent_data_item(struct extent_buffer *leaf, return 0; } + /* + * For the data reloc tree, file extent items are written by + * relocation's own paths, which always leave offset, compression, + * encryption and other_encoding as 0. Any non-zero value here means + * the leaf decoded from disk does not match what the kernel wrote, + * i.e. on-disk corruption. + */ + if (unlikely(btrfs_header_owner(leaf) == BTRFS_DATA_RELOC_TREE_OBJECTID && + (btrfs_file_extent_offset(leaf, fi) || + btrfs_file_extent_compression(leaf, fi) || + btrfs_file_extent_encryption(leaf, fi) || + btrfs_file_extent_other_encoding(leaf, fi)))) { + file_extent_err(leaf, slot, +"invalid members for data reloc tree, offset=%llu compress=%u encryption=%u other_encoding=%u", + btrfs_file_extent_offset(leaf, fi), + btrfs_file_extent_compression(leaf, fi), + btrfs_file_extent_encryption(leaf, fi), + btrfs_file_extent_other_encoding(leaf, fi)); + return -EUCLEAN; + } + /* Regular or preallocated extent has fixed item size */ if (unlikely(item_size != sizeof(*fi))) { file_extent_err(leaf, slot, -- 2.54.0