From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 58DA53F65EC for ; Mon, 11 May 2026 13:50:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.194 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778507455; cv=none; b=tsRfNPxhDdrX1vQIBz42qodbO37Y13kOzAC67ohzNrbI/1I++UEtHu2bp0CA8eNSo65erueHm6qmLWVu3g56E/rhWwJxWKAHNZ9WHZteaMQTFhKQHPij6R4+Q1DImkZUQwLJRvhhTqSE/m7ay+xW2SY/NK3/lCMHkkC6ai9cKQs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778507455; c=relaxed/simple; bh=VU7dovewEuq7+18DyhSwuy9wBjF4GEUHEUo/7194ffY=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=YTRdeTQ5bOa49oOALcm9c0imEN+oz4N7Y/L4p1ok929OfAuN5bjDnJRllkFre19gsPYyKgLUUy8XEUjNGlAdvb4cEqb7D3otv7GENXsNNgcPUjXf3eiKq96UcyO/ejty2G6x68aX3GzSirGQBgFcuKnJaBi65JhJ822PqCAgSWs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=pGGTyPaM; arc=none smtp.client-ip=209.85.210.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="pGGTyPaM" Received: by mail-pf1-f194.google.com with SMTP id d2e1a72fcca58-8353c9f24d2so2215912b3a.3 for ; Mon, 11 May 2026 06:50:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778507454; x=1779112254; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Mb6EMph4s+bgHUrbnXBexgBGiQjwhyIsJ4J1dKda6tE=; b=pGGTyPaMSygHez/Hxt3W7MtF5NyS40KbSQ9S5H+Zq0/YDUT3Sxd3Xmy4H1P4Z9fZo2 pF5AGE6ThlIBZHw/dxILNg9fQ5ww6GgK+PeH+tfK8vCWp0G0d1W1wPFKNntkmDDbxyJZ Dh93VjeWSa9uTzktqJD2RZThcc4nuxIE5m6F0tbYpoJIWKNn64QIevXbRCtRFjbDAWZw 30Kw6aM9zJznEvQ6tYWq1EC8Zzk5cgo+YtF3xysybqaOq8Cj3a+P1/x5nall/rzVMEeU aU1dSJteQ8YgAXgn4nn/v/kQ351+O/7LhLkCukP2Sxd/Z65ztwwou4ApqkKufyiOR5Bz VejA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778507454; x=1779112254; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Mb6EMph4s+bgHUrbnXBexgBGiQjwhyIsJ4J1dKda6tE=; b=Zranc6NAeOz2AwhnXMOiNeuiPi7ORqR2X/K7U3czCyHnfCRIH/FFdKsqtSnC9WvxJ6 7JjcK7Bq7czLkvDsUFW8eUzaU2klz4T9iYcrgaatzYOUmdzbGwKdPHKETaF8jusOJscI Qpi38c73ywo/SJlq4lSSnwxI61hkBQGL7Vq9aKqN1F+nLENV0JydvFmqBsoZti+7Ryix EwZQ61lg1TGqxv5JnGGmOWj/O+LL+eqnu29h7KnDt/XTUzV68I3G7h1qTMneigHe0iLP mCyw2rKe6MbOjrTDI0f9mF/Vandsa5FKGzk1NSxDnDQ/Jt0fkrTTTAijCLAZ5lez/C1q yGZQ== X-Forwarded-Encrypted: i=1; AFNElJ/qcqn0tYz/B58oI6xKbumDdyeRd7aa/0MTm4c0ki5I/JA+zqW4hcY7USj902jrEkRZeIc8muIUNS9UY1U=@vger.kernel.org X-Gm-Message-State: AOJu0YwA38J7ibmVg7JLtKL5eV1E1scnrtFNALnmuUcVpW4/G/8RTiks FVaglppjim4MWKSa79tozEDgjtUOL9puvH7B2ARVjtYUPl7SxYmDoeOs X-Gm-Gg: Acq92OGJpQ3w257imvWxDa+CMLoFOgjfLPcRfGDNWzovt4wqUMGRaPY1u7bF26uYBQ4 0NNS1F7pUMdWR/wTZzHeCvXrZuttpDqX+LcKfSWxpuF78d0ZQ7FUnhIqPRFc8xo6Fgou9O/Y7vt EXC7DPMs+8iDA+DADkuOvRaA2u+DutXDuflklxb/YvioDMt4ryQMAWYGrhoLrxvbAOpsKg4WKP4 xQGty4j/EHBy0tPLCDml9Xtxl/H49SieNSQ5CUI/wctBqOidIn8zHD/1Rf8yUPnxbv41Od52Nwl e7ouMILnPtexnagJP5Ek6nHapOGrE2oXXrzL+prP95Q0XgoznIFEWC5JSTSaRufKs3tFqfjwSQn ziC8WovrT4BlNpDxI7HGnZnZ5ir+r52d5DiTRhFwxCYkgdR+TeC2T9sGrdP5rG/KC6ZrZiUtcaA s6eS5juBtbVAyaWtQiaKRkgXbClvB6pXM= X-Received: by 2002:a05:6a00:4391:b0:82f:48e:241c with SMTP id d2e1a72fcca58-83a5d68123dmr24106383b3a.23.1778507453718; Mon, 11 May 2026 06:50:53 -0700 (PDT) Received: from localhost ([111.228.63.84]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-8396594645csm21302937b3a.14.2026.05.11.06.50.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 May 2026 06:50:53 -0700 (PDT) From: Zhang Cen To: Chris Mason , David Sterba Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, zerocling0077@gmail.com, 2045gemini@gmail.com, Zhang Cen Subject: [PATCH] btrfs: validate legacy free space cache entry types Date: Mon, 11 May 2026 21:50:16 +0800 Message-Id: <20260511135016.3165392-1-rollkingzzc@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Legacy free-space cache v1 stores each entry type as a raw u8, but __load_free_space_cache() only special-cases EXTENT and treats every other value as a bitmap entry. In normal builds the remaining bitmap count is guarded only by ASSERT(), so a malformed cache can consume bitmap pages past the header budget. Reject unknown entry types and fail the cache load when a bitmap entry exceeds the header's num_bitmaps count. The existing error path already discards a bogus cache and rebuilds it, so valid caches keep their current behavior while malformed ones are stopped before bitmap loading. Sanitizer validation reported: KASAN slab-out-of-bounds in io_ctl_check_crc() Read of size 8 Call trace: dump_stack_lvl() (?:?) print_address_description() (mm/kasan/report.c:373) io_ctl_check_crc() (fs/btrfs/free-space-cache.c:552) print_report() (?:?) __virt_addr_valid() (?:?) srso_alias_return_thunk() (arch/x86/include/asm/nospec-branch.h:375) kasan_addr_to_slab() (mm/kasan/common.c:45) kasan_report() (?:?) find_held_lock() (kernel/locking/lockdep.c:5340) __lock_release() (kernel/locking/lockdep.c:5511) _raw_spin_unlock() (kernel/locking/spinlock.c:188) btrfs_alloc_root() (fs/btrfs/disk-io.c:606) btrfs_test_fscache_unknown_entry_type() (fs/btrfs/free-space-cache.c:?) btrfs_run_sanity_tests() (fs/btrfs/free-space-cache.c:?) init_btrfs_fs() (fs/btrfs/super.c:2690) do_one_initcall() (init/main.c:1382) __kasan_kmalloc() (?:?) rcu_is_watching() (?:?) do_initcalls() (init/main.c:1457) kernel_init_freeable() (init/main.c:1674) kernel_init() (init/main.c:1584) ret_from_fork() (?:?) __switch_to() (?:?) ret_from_fork_asm() (?:?) kasan_save_stack() (mm/kasan/common.c:52) kasan_save_track() (mm/kasan/common.c:74) __kmalloc_noprof() (?:?) io_ctl_init() (fs/btrfs/free-space-cache.c:378) Signed-off-by: Zhang Cen --- fs/btrfs/free-space-cache.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c index ab22e4f9ffdd..71797c647f8a 100644 --- a/fs/btrfs/free-space-cache.c +++ b/fs/btrfs/free-space-cache.c @@ -839,8 +839,14 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, kmem_cache_free(btrfs_free_space_cachep, e); goto free_cache; } - } else { - ASSERT(num_bitmaps); + } else if (type == BTRFS_FREE_SPACE_BITMAP) { + if (!num_bitmaps) { + ret = -EUCLEAN; + btrfs_err(fs_info, + "free space cache has more bitmap entries than bitmaps"); + kmem_cache_free(btrfs_free_space_cachep, e); + goto free_cache; + } num_bitmaps--; e->bitmap = kmem_cache_zalloc( btrfs_free_space_bitmap_cachep, GFP_NOFS); @@ -864,6 +870,12 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, recalculate_thresholds(ctl); spin_unlock(&ctl->tree_lock); list_add_tail(&e->list, &bitmaps); + } else { + ret = -EUCLEAN; + btrfs_err(fs_info, + "unknown free space cache entry type %u", type); + kmem_cache_free(btrfs_free_space_cachep, e); + goto free_cache; } num_entries--; -- 2.43.0