From: ZhengYuan Huang
To: dsterba@suse.com, clm@fb.com
Cc: wqu@suse.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH v2 2/2] btrfs: revalidate cached tree blocks on the uptodate path
Date: Fri, 13 Mar 2026 17:19:24 +0800
Message-ID: <20260313091924.570554-3-gality369@gmail.com>
In-Reply-To: <20260313091924.570554-1-gality369@gmail.com>
References: <20260313091924.570554-1-gality369@gmail.com>

read_extent_buffer_pages_nowait() returns immediately when an extent buffer is already marked EXTENT_BUFFER_UPTODATE. On that cache-hit path, the caller supplied btrfs_tree_parent_check is not re-run.

This can let read_tree_root_path() accept a cached tree block whose actual header level does not match the expected level derived from the root item. In particular, if root_item.level is corrupted while the actual root block was already cached and validated earlier with a different expected level, the later read hits the cached uptodate path, skips re-validation, and builds an inconsistent btrfs_root.

That inconsistent root can later lead to a null-ptr-deref in handle_indirect_tree_backref(), because backref walking uses root->root_item.level while btrfs_search_slot() fills path->nodes[] according to the cached commit_root's actual level.

Fix this by re-validating cached extent buffers against the supplied btrfs_tree_parent_check on the EXTENT_BUFFER_UPTODATE path, and make read_tree_root_path() pass its check to btrfs_buffer_uptodate(). This makes cache hits and fresh reads follow the same tree-parent verification rules, and turns the corruption into a read failure instead of constructing an inconsistent root object.

Signed-off-by: ZhengYuan Huang --- fs/btrfs/disk-io.c | 6 ++++-- fs/btrfs/extent_io.c | 12 +++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 8773f1f7ea46..9a8c06c0adc2 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -1054,8 +1054,10 @@ static struct btrfs_root *read_tree_root_path(struct= btrfs_root *tree_root, root->node =3D NULL; goto fail; } - if (unlikely(!btrfs_buffer_uptodate(root->node, generation, false, NULL))= ) { - ret =3D -EIO; + ret =3D btrfs_buffer_uptodate(root->node, generation, false, &check); + if (unlikely(ret <=3D 0)) { + if (ret =3D=3D 0) + ret =3D -EIO; goto fail; } =20 diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 93eed1d3716c..1324449e892d 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -3828,8 +3828,13 @@ int read_extent_buffer_pages_nowait(struct extent_bu= ffer *eb, int mirror_num, { struct btrfs_bio *bbio; =20 - if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) + if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags)) { + int ret =3D btrfs_buffer_uptodate(eb, 0, true, check); + + if (unlikely(ret < 0)) + return ret; return 0; + } =20 /* * We could have had EXTENT_BUFFER_UPTODATE cleared by the write @@ -3850,7 +3855,12 @@ int read_extent_buffer_pages_nowait(struct extent_bu= ffer *eb, int mirror_num, * will now be set, and we shouldn't read it in again. */ if (unlikely(test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))) { + int ret; + clear_extent_buffer_reading(eb); + ret =3D btrfs_buffer_uptodate(eb, 0, true, check); + if (unlikely(ret < 0)) + return ret; return 0; } =20 --=20 2.43.0
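
Review bot: In the read_tree_root_path() hunk of fs/btrfs/disk-io.c, the new "if (unlikely(ret <= 0))" branch lets any negative return from btrfs_buffer_uptodate() reach the caller unchanged, where the removed lines always set ret to -EIO. Please state in the commit message or in a comment which negative values are expected on this path, in particular what a failed tree-parent check yields, so that callers keying on -EIO are known to be unaffected; if only the check failure matters, folding every failure to -EIO as before keeps the function's external behaviour the same.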
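
Review bot: In the first read_extent_buffer_pages_nowait() hunk of fs/btrfs/extent_io.c (the early EXTENT_BUFFER_UPTODATE test), a return of 0 from btrfs_buffer_uptodate() falls through to "return 0;", while the disk-io.c hunk of this same patch treats 0 as a failure and maps it to -EIO. If a buffer that does not pass the supplied check can be reported as 0 here, the cache hit is still accepted; either handle "ret == 0" explicitly or add a comment explaining why it cannot occur once EXTENT_BUFFER_UPTODATE is set. The call also passes 0 and true as the second and third arguments where read_tree_root_path() passes generation and false, and a one-line comment on why they differ would help the next reader.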
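
Review bot: The second read_extent_buffer_pages_nowait() hunk (the block that calls clear_extent_buffer_reading()) repeats the same "ret = btrfs_buffer_uptodate(eb, 0, true, check);" and "if (unlikely(ret < 0)) return ret;" sequence that the early-return hunk above it adds. A small static helper called from both places would keep the two cache-hit paths from drifting apart and would leave a single place to document the arguments and the handling of each return value.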
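
The cache-hit behaviour described in the commit message, as an added example that is not part of the patch or of the kernel: a toy model in which a reader that skips the caller's check on an uptodate buffer accepts a level mismatch, while one that re-runs the check rejects it. All names (toy_eb, toy_check, toy_read_*) are hypothetical, and using -EIO for a failed check is an assumption of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Toy model, not kernel code: every name below is hypothetical. */
struct toy_check { int expect_level; };      /* stands in for btrfs_tree_parent_check */
struct toy_eb { bool uptodate; int level; }; /* stands in for a cached extent buffer */
typedef int (*toy_reader)(struct toy_eb *, int, const struct toy_check *);

/* Compare the block's header level with the level the caller expects. */
static int toy_verify(const struct toy_eb *eb, const struct toy_check *check)
{
	return (check && eb->level != check->expect_level) ? -EIO : 0;
}

/* Simulated disk read: fill the buffer, verify it, mark it uptodate on success. */
static int toy_read_disk(struct toy_eb *eb, int disk_level, const struct toy_check *check)
{
	eb->level = disk_level;
	eb->uptodate = (toy_verify(eb, check) == 0);
	return eb->uptodate ? 0 : -EIO;
}

/* Cache hit returns at once; the caller's check is never consulted. */
int toy_read_unchecked(struct toy_eb *eb, int disk_level, const struct toy_check *check)
{
	return eb->uptodate ? 0 : toy_read_disk(eb, disk_level, check);
}

/* Cache hit re-runs the caller's check, the same rule a fresh read follows. */
int toy_read_revalidated(struct toy_eb *eb, int disk_level, const struct toy_check *check)
{
	return eb->uptodate ? toy_verify(eb, check) : toy_read_disk(eb, disk_level, check);
}

/* Constructed scenario: a level-1 block is cached, then re-read expecting level 0. */
int toy_scenario(toy_reader reader)
{
	struct toy_eb eb = { .uptodate = false, .level = -1 };
	struct toy_check good = { .expect_level = 1 }, corrupted = { .expect_level = 0 };
	if (reader(&eb, 1, &good) != 0)
		return -EINVAL; /* the first, correct read must succeed */
	return reader(&eb, 1, &corrupted);
}

int main(void)
{
	printf("unchecked=%d revalidated=%d\n", toy_scenario(toy_read_unchecked), toy_scenario(toy_read_revalidated));
	return 0;
}
```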