 fs/btrfs/ctree.c       |  2 +-
 fs/btrfs/disk-io.c     | 18 ++++++++++++++----
 fs/btrfs/disk-io.h     |  3 ++-
 fs/btrfs/extent-tree.c |  2 +-
 fs/btrfs/extent_io.c   | 12 ++++++++++--
 fs/btrfs/tree-log.c    |  2 +-
 6 files changed, 29 insertions(+), 10 deletions(-)

This series fixes a btrfs crash caused by reusing a cached extent buffer
without re-running the caller supplied tree-parent verification.

The problem happens when a tree block is first read and validated with one
expected level, then later looked up again through a path that derives a
different expected level from corrupted metadata. If the extent buffer is
already marked EXTENT_BUFFER_UPTODATE, the cached-hit path returns it
without re-validating the supplied btrfs_tree_parent_check. This can allow
an inconsistent btrfs_root to be constructed and later lead to a
null-ptr-deref during backref walking.

Patch 1/2 is a preparatory change that extends
btrfs_buffer_uptodate() to support tree-parent verification on cached
buffers. Patch 2/2 uses that support on the cached-hit path and contains
the actual fix.

Together, these changes make cache hits and fresh reads follow the same
tree-parent verification rules, turning the corruption into a read failure
instead of constructing an inconsistent root object and crashing later.

For reference, a more detailed analysis of the trigger path is available at:
https://lore.kernel.org/all/CAOmEq9U14a=pwN_dw2M70gfujhMKki434cfmegoxcyUpkYs5bQ@mail.gmail.com/

Changes since v1:
- drop the ad hoc root-specific consistency check in read_tree_root_path()
- move the validation into the cached-hit path as suggested by Qu Wenruo
- extend btrfs_buffer_uptodate() with an optional tree-parent check
- make read_tree_root_path() pass its check when validating a cached root

ZhengYuan Huang (2):
  btrfs: add tree parent check to btrfs_buffer_uptodate()
  btrfs: revalidate cached tree blocks on the uptodate path

 fs/btrfs/ctree.c       |  2 +-
 fs/btrfs/disk-io.c     | 18 ++++++++++++++----
 fs/btrfs/disk-io.h     |  3 ++-
 fs/btrfs/extent-tree.c |  2 +-
 fs/btrfs/extent_io.c   | 12 ++++++++++--
 fs/btrfs/tree-log.c    |  2 +-
 6 files changed, 29 insertions(+), 10 deletions(-)

-- 
2.43.0

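The failure mode described in the cover letter above, as a simplified user-space model added here (it is not the kernel code and not the patch itself). Every toy_ name, the level values and the -EIO return are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>

/* Simplified user-space model, not kernel code; every toy_ name is hypothetical. */
struct toy_check { int level; };                  /* level the caller expects */
struct toy_buffer { bool uptodate; int level; };  /* cached tree block */

/* Caller-supplied verification (-EIO is an assumed error code). */
static int toy_verify_parent(const struct toy_buffer *eb, const struct toy_check *c)
{
    return (c && eb->level != c->level) ? -EIO : 0;
}

/* Fresh read: load the block, verify it, mark it up to date only on success. */
static int toy_read_fresh(struct toy_buffer *eb, int lvl, const struct toy_check *c)
{
    eb->level = lvl;
    eb->uptodate = (toy_verify_parent(eb, c) == 0);
    return eb->uptodate ? 0 : -EIO;
}

/* Before: a cache hit returns the buffer and never looks at the check. */
static int toy_read_unchecked(struct toy_buffer *eb, int lvl, const struct toy_check *c)
{
    return eb->uptodate ? 0 : toy_read_fresh(eb, lvl, c);
}

/* After: a cache hit re-runs the same verification as a fresh read. */
static int toy_read_checked(struct toy_buffer *eb, int lvl, const struct toy_check *c)
{
    return eb->uptodate ? toy_verify_parent(eb, c) : toy_read_fresh(eb, lvl, c);
}

/* First lookup expects level 1 (matches the block); the second lookup
 * expects level 0, as if derived from corrupted metadata. */
static int toy_second_lookup(bool hardened)
{
    struct toy_buffer eb = { false, 0 };
    struct toy_check first = { 1 }, second = { 0 };
    int (*rd)(struct toy_buffer *, int, const struct toy_check *) =
        hardened ? toy_read_checked : toy_read_unchecked;
    if (rd(&eb, 1, &first) != 0) return 1;  /* setup failure, not expected */
    return rd(&eb, 1, &second);
}

/* Exit status 0 when the unchecked path accepts and the checked path rejects. */
int main(void)
{
    return !(toy_second_lookup(false) == 0 && toy_second_lookup(true) == -EIO);
}
```

In the unchecked variant the second caller receives a buffer whose level contradicts what it asked for and carries on; in the checked variant the same lookup fails at read time.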
On 2026/3/13 19:49, ZhengYuan Huang wrote:
> This series fixes a btrfs crash caused by reusing a cached extent buffer
> without re-running the caller supplied tree-parent verification.
>
> The problem happens when a tree block is first read and validated with one
> expected level, then later looked up again through a path that derives a
> different expected level from corrupted metadata. If the extent buffer is
> already marked EXTENT_BUFFER_UPTODATE, the cached-hit path returns it
> without re-validating the supplied btrfs_tree_parent_check. This can allow
> an inconsistent btrfs_root to be constructed and later lead to a
> null-ptr-deref during backref walking.
>
> Patch 1/2 is a preparatory change that extends
> btrfs_buffer_uptodate() to support tree-parent verification on cached
> buffers. Patch 2/2 uses that support on the cached-hit path and contains
> the actual fix.
>
> Together, these changes make cache hits and fresh reads follow the same
> tree-parent verification rules, turning the corruption into a read failure
> instead of constructing an inconsistent root object and crashing later.
>
> For reference, a more detailed analysis of the trigger path is available at:
> https://lore.kernel.org/all/CAOmEq9U14a=pwN_dw2M70gfujhMKki434cfmegoxcyUpkYs5bQ@mail.gmail.com/
>
> Changes since v1:
> - drop the ad hoc root-specific consistency check in read_tree_root_path()
> - move the validation into the cached-hit path as suggested by Qu Wenruo
> - extend btrfs_buffer_uptodate() with an optional tree-parent check
> - make read_tree_root_path() pass its check when validating a cached root
>
> ZhengYuan Huang (2):
>   btrfs: add tree parent check to btrfs_buffer_uptodate()
>   btrfs: revalidate cached tree blocks on the uptodate path

The code looks good to me, but considering both patches are small, and without the second patch the first one doesn't make much sense. So I'll merge both into a single patch at merging.

Thanks,
Qu

>
>  fs/btrfs/ctree.c       |  2 +-
>  fs/btrfs/disk-io.c     | 18 ++++++++++++++----
>  fs/btrfs/disk-io.h     |  3 ++-
>  fs/btrfs/extent-tree.c |  2 +-
>  fs/btrfs/extent_io.c   | 12 ++++++++++--
>  fs/btrfs/tree-log.c    |  2 +-
>  6 files changed, 29 insertions(+), 10 deletions(-)
>