Merge tag 'v6.11-rc2' into media_stage

Linux 6.11-rc2 * tag 'v6.11-rc2': (283 commits) Linux 6.11-rc2 profiling: remove profile=sleep support arm: dts: arm: versatile-ab: Fix duplicate clock node name runtime constants: deal with old decrepit linkers clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() cifs: update internal version number smb: client: fix FSCTL_GET_REPARSE_POINT against NetApp smb3: add dynamic tracepoints for shutdown ioctl cifs: Remove cifs_aio_ctx smb: client: handle lack of FSCTL_GET_REPARSE_POINT support arm64: jump_label: Ensure patched jump_labels are visible to all CPUs syscalls: fix syscall macros for newfstat/newfstatat uretprobe: change syscall number, again thermal: core: Update thermal zone registration documentation Revert "nouveau: rip out busy fence waits" protect the fetch of ->fd[fd] in do_dup2() from mispredictions x86/uaccess: Zero the 8-byte get_range case on failure on 32-bit riscv: Fix linear mapping checks for non-contiguous memory regions KVM: x86/mmu: fix determination of max NPT mapping level for private pages PCI: pciehp: Retain Power Indicator bits for userspace indicators ...
author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2024-08-05 08:25:09 +0200
committer: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> 2024-08-05 08:25:09 +0200
commit: 2c25dcc2361949bc7da730d22de36c019c6bf1e3 (patch)
tree: 3422f89adb17748bde8419918cb7959d79c773f3 /fs/btrfs/tree-checker.c
parent: ba5c778cab1dd3e4918f940989e771e2818afee8 (diff)
parent: de9c2c66ad8e787abec7c9d7eff4f8c3cdd28aed (diff)
1 files changed, 48 insertions, 1 deletions
diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 6388786fd8b5..a825fa598e3c 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -634,7 +634,7 @@ static int check_dir_item(struct extent_buffer *leaf,
 		 */
 		if (key->type == BTRFS_DIR_ITEM_KEY ||
 		    key->type == BTRFS_XATTR_ITEM_KEY) {
-			char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)];
+			char namebuf[MAX(BTRFS_NAME_LEN, XATTR_NAME_MAX)];
 
 			read_extent_buffer(leaf, namebuf,
 					(unsigned long)(di + 1), name_len);
@@ -1289,6 +1289,19 @@ static void extent_err(const struct extent_buffer *eb, int slot,
 	va_end(args);
 }
 
+static bool is_valid_dref_root(u64 rootid)
+{
+	/*
+	 * The following tree root objectids are allowed to have a data backref:
+	 * - subvolume trees
+	 * - data reloc tree
+	 * - tree root
+	 *   For v1 space cache
+	 */
+	return is_fstree(rootid) || rootid == BTRFS_DATA_RELOC_TREE_OBJECTID ||
+	       rootid == BTRFS_ROOT_TREE_OBJECTID;
+}
+
 static int check_extent_item(struct extent_buffer *leaf,
 			     struct btrfs_key *key, int slot,
 			     struct btrfs_key *prev_key)
@@ -1441,6 +1454,8 @@ static int check_extent_item(struct extent_buffer *leaf,
 		struct btrfs_extent_data_ref *dref;
 		struct btrfs_shared_data_ref *sref;
 		u64 seq;
+		u64 dref_root;
+		u64 dref_objectid;
 		u64 dref_offset;
 		u64 inline_offset;
 		u8 inline_type;
@@ -1484,11 +1499,26 @@ static int check_extent_item(struct extent_buffer *leaf,
 		 */
 		case BTRFS_EXTENT_DATA_REF_KEY:
 			dref = (struct btrfs_extent_data_ref *)(&iref->offset);
+			dref_root = btrfs_extent_data_ref_root(leaf, dref);
+			dref_objectid = btrfs_extent_data_ref_objectid(leaf, dref);
 			dref_offset = btrfs_extent_data_ref_offset(leaf, dref);
 			seq = hash_extent_data_ref(
 					btrfs_extent_data_ref_root(leaf, dref),
 					btrfs_extent_data_ref_objectid(leaf, dref),
 					btrfs_extent_data_ref_offset(leaf, dref));
+			if (unlikely(!is_valid_dref_root(dref_root))) {
+				extent_err(leaf, slot,
+					   "invalid data ref root value %llu",
+					   dref_root);
+				return -EUCLEAN;
+			}
+			if (unlikely(dref_objectid < BTRFS_FIRST_FREE_OBJECTID ||
+				     dref_objectid > BTRFS_LAST_FREE_OBJECTID)) {
+				extent_err(leaf, slot,
+					   "invalid data ref objectid value %llu",
+					   dref_root);
+				return -EUCLEAN;
+			}
 			if (unlikely(!IS_ALIGNED(dref_offset,
 						 fs_info->sectorsize))) {
 				extent_err(leaf, slot,
@@ -1627,6 +1657,8 @@ static int check_extent_data_ref(struct extent_buffer *leaf,
 		return -EUCLEAN;
 	}
 	for (; ptr < end; ptr += sizeof(*dref)) {
+		u64 root;
+		u64 objectid;
 		u64 offset;
 
 		/*
@@ -1634,7 +1666,22 @@ static int check_extent_data_ref(struct extent_buffer *leaf,
 		 * overflow from the leaf due to hash collisions.
 		 */
 		dref = (struct btrfs_extent_data_ref *)ptr;
+		root = btrfs_extent_data_ref_root(leaf, dref);
+		objectid = btrfs_extent_data_ref_objectid(leaf, dref);
 		offset = btrfs_extent_data_ref_offset(leaf, dref);
+		if (unlikely(!is_valid_dref_root(root))) {
+			extent_err(leaf, slot,
+				   "invalid extent data backref root value %llu",
+				   root);
+			return -EUCLEAN;
+		}
+		if (unlikely(objectid < BTRFS_FIRST_FREE_OBJECTID ||
+			     objectid > BTRFS_LAST_FREE_OBJECTID)) {
+			extent_err(leaf, slot,
+				   "invalid extent data backref objectid value %llu",
+				   root);
+			return -EUCLEAN;
+		}
 		if (unlikely(!IS_ALIGNED(offset, leaf->fs_info->sectorsize))) {
 			extent_err(leaf, slot,
 	"invalid extent data backref offset, have %llu expect aligned to %u",
author	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>	2024-08-05 08:25:09 +0200
committer	Mauro Carvalho Chehab <mchehab+huawei@kernel.org>	2024-08-05 08:25:09 +0200
commit	2c25dcc2361949bc7da730d22de36c019c6bf1e3 (patch)
tree	3422f89adb17748bde8419918cb7959d79c773f3 /fs/btrfs/tree-checker.c
parent	ba5c778cab1dd3e4918f940989e771e2818afee8 (diff)
parent	de9c2c66ad8e787abec7c9d7eff4f8c3cdd28aed (diff)