From: ZhengYuan Huang
To: dsterba@suse.com, clm@fb.com
Cc: wqu@suse.com, osandov@fb.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH v2] btrfs: tree-checker: introduce checks for FREE_SPACE_BITMAP
Date: Tue, 10 Mar 2026 18:56:06 +0800
Message-ID: <20260310105606.2134142-1-gality369@gmail.com>

Introduce checks for FREE_SPACE_BITMAP item, which include:

- Key alignment check
  Same as FREE_SPACE_EXTENT, the objectid is the logical bytenr of the
  free space, and offset is the length of the free space, so both should
  be aligned to the fs block size.

- Non-zero range check
  A zero key->offset would describe an empty bitmap, which is invalid.

- Item size check
  The item must hold exactly DIV_ROUND_UP(key->offset >> sectorsize_bits,
  BITS_PER_BYTE) bytes. A mismatch indicates a truncated or otherwise
  corrupt bitmap item; without this check, the bitmap loading path would
  walk past the end of the leaf and trigger a NULL dereference in
  assert_eb_folio_uptodate().
Signed-off-by: ZhengYuan Huang
Reviewed-by: Qu Wenruo
---
[CHANGELOG]
v2:
- Move the FREE_SPACE_BITMAP item size validation from
  load_free_space_bitmaps() in free-space-tree.c into tree-checker, so
  corrupt bitmap items are rejected when the leaf is read from disk.
- Drop the extent_buffer_test_bit() range check added in v1.
- Rework the fix to follow Qu Wenruo's suggested tree-checker based
  validation.
---
 fs/btrfs/tree-checker.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index c10b4c242acf..0f12fe462b6c 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1901,6 +1901,42 @@ static int check_dev_extent_item(const struct extent= _buffer *leaf, return 0; } =20 +static int check_free_space_bitmap(struct extent_buffer *leaf, + struct btrfs_key *key, int slot) +{ + struct btrfs_fs_info *fs_info =3D leaf->fs_info; + const u32 blocksize =3D fs_info->sectorsize; + u32 expected_item_size; + + if (unlikely(!IS_ALIGNED(key->objectid, blocksize) || + !IS_ALIGNED(key->offset, blocksize))) { + generic_err(leaf, slot, + "free space bitmap key range is not aligned to %u, has (%llu %u %ll= u)", + blocksize, key->objectid, key->type, key->offset); + return -EUCLEAN; + } + if (unlikely(key->offset =3D=3D 0)) { + generic_err(leaf, slot, + "free space bitmap range is 0"); + return -EUCLEAN; + } + /* + * The item must hold exactly the right number of bitmap bytes for the + * range described by key->offset. A mismatch means the item was + * truncated or the key is corrupt; either way the bitmap data is not + * safe to access. + */ + expected_item_size =3D DIV_ROUND_UP(key->offset >> fs_info->sectorsize_bi= ts, + BITS_PER_BYTE); + if (unlikely(btrfs_item_size(leaf, slot) !=3D expected_item_size)) { + generic_err(leaf, slot, + "invalid item size for free space bitmap, has %u expect %u", + btrfs_item_size(leaf, slot), expected_item_size); + return -EUCLEAN; + } + return 0; +} + /* * Common point to switch the item-specific validation. */ @@ -1964,6 +2000,9 @@ static enum btrfs_tree_block_status check_leaf_item(s= truct extent_buffer *leaf, case BTRFS_RAID_STRIPE_KEY: ret =3D check_raid_stripe_extent(leaf, key, slot); break; + case BTRFS_FREE_SPACE_BITMAP_KEY: + ret =3D check_free_space_bitmap(leaf, key, slot); + break; } =20 if (unlikely(ret)) --=20 2.43.0
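Review bot: in the first hunk, `expected_item_size` is a `u32` while `DIV_ROUND_UP(key->offset >> fs_info->sectorsize_bits, BITS_PER_BYTE)` is evaluated on the 64-bit `key->offset`, so a corrupt key with a very large offset (the alignment and non-zero checks above it do not bound the upper end) has its expected byte count truncated before the comparison with `btrfs_item_size(leaf, slot)`, and an item whose size happens to equal the truncated value would pass the check. Suggest computing the expected size in a `u64` and rejecting any value larger than what a leaf item can hold before the equality comparison, so that an oversized range fails here with its own `generic_err()` instead of depending on a wrapped value not colliding with the on-disk item size. Minor style point in the same hunk: the neighbouring `check_dev_extent_item(const struct extent_buffer *leaf, ...)` takes a const leaf, while the new `check_free_space_bitmap(struct extent_buffer *leaf, struct btrfs_key *key, int slot)` takes both `leaf` and `key` non-const although it only reads them; making them `const` would match the surrounding checkers.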