From nobody Sat Feb 7 03:40:52 2026 Received: from mail-40133.protonmail.ch (mail-40133.protonmail.ch [185.70.40.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 72F7B17332C for ; Sun, 27 Oct 2024 19:47:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.70.40.133 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730058426; cv=none; b=PXal3niFF0+J/q7xmwbZyNNi6G1vNbXLG5P570MdWYGC4NSrNZy40eao2kSGutdpaakhCGuvwJeS28oLbctNoEZlDDGOW15Z7GsQglZzESCp2g97+f+dvMN3oIXin5Xp2Y/277QkaK/HZXqp/zQrJ/efKqpg6DRxUVrprrguQoQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730058426; c=relaxed/simple; bh=yx7OKnMmxkaItU6s2bHO2Y8kAkumLtwqxfzQ1PKIJsk=; h=Date:To:From:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=V2NS6+5wkfK60G7LEVh0pP6laEYzxW4md19ky1gJ8sI5iicGMeVACyOa1WjAMfDjv59wJTwjh3z3BfvPga/lRNaykVpYBsqFelIKzMA21+JuklcIxdIpVt8BMdHwW+wzeL6sY1bFLTIbUEm2nLhMiM0qEo3Vqa6ruFh0eXzgMjY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me; spf=pass smtp.mailfrom=proton.me; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b=hpQ68OKH; arc=none smtp.client-ip=185.70.40.133 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=proton.me Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=proton.me Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=proton.me header.i=@proton.me header.b="hpQ68OKH" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1730058415; x=1730317615; bh=rBYrbCgFaMolyV5f9SMDe1X9M83MQXaQsQ9KhjScgm8=; h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=hpQ68OKH1Gr44wXmFZstKys8hQ2dYMfEYJ1tF8ZrZ63IkixSPIzi+4RbDIgAhfJtu sbhR6xOuClADk8Cur6YrIGtms84MoO7gBxe4wbilaUCTVFstIOiX0Hz8QMC6NnubJ6 JhMb4EWgn4Wf8TSyVvz6bM/VRw98gK+62inxSttHQdAEQWAkkzOcfIY1tPlYGvC9S0 1A6zON80wj0HuC0BRoMYWgorP2cg/xq55CjAz6HCXJlZpUOGPyHoaLgjIIekD3K1zH XUNWmZbyE/u1FgoEuWiItTLsNFA+y5oxy50OG81UuZkCIR2Dam7R44ba83T7C/56q0 jXiWR2859DK0Q== Date: Sun, 27 Oct 2024 19:46:52 +0000 To: kent.overstreet@linux.dev, linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org From: Piotr Zalewski Cc: skhan@linuxfoundation.org, Piotr Zalewski , syzbot+005ef9aa519f30d97657@syzkaller.appspotmail.com, Alan Huang Subject: [PATCH v3] bcachefs: Fix NULL ptr dereference in btree_node_iter_and_journal_peek Message-ID: <20241027193842.154220-2-pZ010001011111@proton.me> Feedback-ID: 53478694:user:proton X-Pm-Message-ID: 1b0b1b9852f05303eac84019b51a819f66b46bad Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add NULL check for key returned from bch2_btree_and_journal_iter_peek in btree_node_iter_and_journal_peek to avoid NULL ptr dereference in bch2_bkey_buf_reassemble. When key returned from bch2_btree_and_journal_iter_peek is NULL it means that btree topology needs repair. Print topology error message with position at which node wasn't found, its parent node information and btree_id with level. Return error code returned by bch2_topology_error to ensure that topology error is handled properly by recovery. Reported-by: syzbot+005ef9aa519f30d97657@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D005ef9aa519f30d97657 Fixes: 5222a4607cd8 ("bcachefs: BTREE_ITER_WITH_JOURNAL") Suggested-by: Alan Huang Suggested-by: Kent Overstreet Signed-off-by: Piotr Zalewski --- Notes: changes in v3: - add btree_id and level info to the error message. - use bch2_btree_pos_to_text. changes in v2: - make commit message more verbose. - set topology error, print error message and return appropriate error code. link to v1: https://lore.kernel.org/linux-bcachefs/20241023072024.98915= -3-pZ010001011111@proton.me/ link to v2: https://lore.kernel.org/linux-bcachefs/20241026174155.23343= 0-3-pZ010001011111@proton.me/ fs/bcachefs/btree_iter.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/bcachefs/btree_iter.c b/fs/bcachefs/btree_iter.c index 15ac72b1af51..acf70aaf2fd2 100644 --- a/fs/bcachefs/btree_iter.c +++ b/fs/bcachefs/btree_iter.c @@ -880,6 +880,18 @@ static noinline int btree_node_iter_and_journal_peek(s= truct btree_trans *trans, __bch2_btree_and_journal_iter_init_node_iter(trans, &jiter, l->b, l->iter= , path->pos); =20 k =3D bch2_btree_and_journal_iter_peek(&jiter); + if (!k.k) { + struct printbuf buf =3D PRINTBUF; + + prt_str(&buf, "node not found at pos "); + bch2_bpos_to_text(&buf, path->pos); + prt_str(&buf, " at btree "); + bch2_btree_pos_to_text(&buf, c, l->b); + + ret =3D bch2_fs_topology_error(c, "%s", buf.buf); + printbuf_exit(&buf); + goto err; + } =20 bch2_bkey_buf_reassemble(out, c, k); =20 @@ -887,6 +899,7 @@ static noinline int btree_node_iter_and_journal_peek(st= ruct btree_trans *trans, c->opts.btree_node_prefetch) ret =3D btree_path_prefetch_j(trans, path, &jiter); =20 +err: bch2_btree_and_journal_iter_exit(&jiter); return ret; } --=20 2.47.0