1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) Qu Wenruo 2017. All rights reserved.
4 */
5
6 /*
7 * The module is used to catch unexpected/corrupted tree block data.
8 * Such behavior can be caused either by a fuzzed image or bugs.
9 *
10 * The objective is to do leaf/node validation checks when tree block is read
11 * from disk, and check *every* possible member, so other code won't
12 * need to checking them again.
13 *
14 * Due to the potential and unwanted damage, every checker needs to be
15 * carefully reviewed otherwise so it does not prevent mount of valid images.
16 */
17
18 #include <linux/types.h>
19 #include <linux/stddef.h>
20 #include <linux/error-injection.h>
21 #include "messages.h"
22 #include "ctree.h"
23 #include "tree-checker.h"
24 #include "compression.h"
25 #include "volumes.h"
26 #include "misc.h"
27 #include "fs.h"
28 #include "accessors.h"
29 #include "file-item.h"
30 #include "inode-item.h"
31 #include "dir-item.h"
32 #include "extent-tree.h"
33
34 /*
35 * Error message should follow the following format:
36 * corrupt <type>: <identifier>, <reason>[, <bad_value>]
37 *
38 * @type: leaf or node
39 * @identifier: the necessary info to locate the leaf/node.
40 * It's recommended to decode key.objecitd/offset if it's
41 * meaningful.
42 * @reason: describe the error
43 * @bad_value: optional, it's recommended to output bad value and its
44 * expected value (range).
45 *
46 * Since comma is used to separate the components, only space is allowed
47 * inside each component.
48 */
49
50 /*
51 * Append generic "corrupt leaf/node root=%llu block=%llu slot=%d: " to @fmt.
52 * Allows callers to customize the output.
53 */
54 __printf(3, 4)
55 __cold
generic_err(const struct extent_buffer * eb,int slot,const char * fmt,...)56 static void generic_err(const struct extent_buffer *eb, int slot,
57 const char *fmt, ...)
58 {
59 const struct btrfs_fs_info *fs_info = eb->fs_info;
60 struct va_format vaf;
61 va_list args;
62
63 va_start(args, fmt);
64
65 vaf.fmt = fmt;
66 vaf.va = &args;
67
68 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
69 btrfs_crit(fs_info,
70 "corrupt %s: root=%llu block=%llu slot=%d, %pV",
71 btrfs_header_level(eb) == 0 ? "leaf" : "node",
72 btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot, &vaf);
73 va_end(args);
74 }
75
76 /*
77 * Customized reporter for extent data item, since its key objectid and
78 * offset has its own meaning.
79 */
80 __printf(3, 4)
81 __cold
file_extent_err(const struct extent_buffer * eb,int slot,const char * fmt,...)82 static void file_extent_err(const struct extent_buffer *eb, int slot,
83 const char *fmt, ...)
84 {
85 const struct btrfs_fs_info *fs_info = eb->fs_info;
86 struct btrfs_key key;
87 struct va_format vaf;
88 va_list args;
89
90 btrfs_item_key_to_cpu(eb, &key, slot);
91 va_start(args, fmt);
92
93 vaf.fmt = fmt;
94 vaf.va = &args;
95
96 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
97 btrfs_crit(fs_info,
98 "corrupt %s: root=%llu block=%llu slot=%d ino=%llu file_offset=%llu, %pV",
99 btrfs_header_level(eb) == 0 ? "leaf" : "node",
100 btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
101 key.objectid, key.offset, &vaf);
102 va_end(args);
103 }
104
105 /*
106 * Return 0 if the btrfs_file_extent_##name is aligned to @alignment
107 * Else return 1
108 */
109 #define CHECK_FE_ALIGNED(leaf, slot, fi, name, alignment) \
110 ({ \
111 if (unlikely(!IS_ALIGNED(btrfs_file_extent_##name((leaf), (fi)), \
112 (alignment)))) \
113 file_extent_err((leaf), (slot), \
114 "invalid %s for file extent, have %llu, should be aligned to %u", \
115 (#name), btrfs_file_extent_##name((leaf), (fi)), \
116 (alignment)); \
117 (!IS_ALIGNED(btrfs_file_extent_##name((leaf), (fi)), (alignment))); \
118 })
119
file_extent_end(struct extent_buffer * leaf,struct btrfs_key * key,struct btrfs_file_extent_item * extent)120 static u64 file_extent_end(struct extent_buffer *leaf,
121 struct btrfs_key *key,
122 struct btrfs_file_extent_item *extent)
123 {
124 u64 end;
125 u64 len;
126
127 if (btrfs_file_extent_type(leaf, extent) == BTRFS_FILE_EXTENT_INLINE) {
128 len = btrfs_file_extent_ram_bytes(leaf, extent);
129 end = ALIGN(key->offset + len, leaf->fs_info->sectorsize);
130 } else {
131 len = btrfs_file_extent_num_bytes(leaf, extent);
132 end = key->offset + len;
133 }
134 return end;
135 }
136
137 /*
138 * Customized report for dir_item, the only new important information is
139 * key->objectid, which represents inode number
140 */
141 __printf(3, 4)
142 __cold
dir_item_err(const struct extent_buffer * eb,int slot,const char * fmt,...)143 static void dir_item_err(const struct extent_buffer *eb, int slot,
144 const char *fmt, ...)
145 {
146 const struct btrfs_fs_info *fs_info = eb->fs_info;
147 struct btrfs_key key;
148 struct va_format vaf;
149 va_list args;
150
151 btrfs_item_key_to_cpu(eb, &key, slot);
152 va_start(args, fmt);
153
154 vaf.fmt = fmt;
155 vaf.va = &args;
156
157 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
158 btrfs_crit(fs_info,
159 "corrupt %s: root=%llu block=%llu slot=%d ino=%llu, %pV",
160 btrfs_header_level(eb) == 0 ? "leaf" : "node",
161 btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
162 key.objectid, &vaf);
163 va_end(args);
164 }
165
166 /*
167 * This functions checks prev_key->objectid, to ensure current key and prev_key
168 * share the same objectid as inode number.
169 *
170 * This is to detect missing INODE_ITEM in subvolume trees.
171 *
172 * Return true if everything is OK or we don't need to check.
173 * Return false if anything is wrong.
174 */
check_prev_ino(struct extent_buffer * leaf,struct btrfs_key * key,int slot,struct btrfs_key * prev_key)175 static bool check_prev_ino(struct extent_buffer *leaf,
176 struct btrfs_key *key, int slot,
177 struct btrfs_key *prev_key)
178 {
179 /* No prev key, skip check */
180 if (slot == 0)
181 return true;
182
183 /* Only these key->types needs to be checked */
184 ASSERT(key->type == BTRFS_XATTR_ITEM_KEY ||
185 key->type == BTRFS_INODE_REF_KEY ||
186 key->type == BTRFS_INODE_EXTREF_KEY ||
187 key->type == BTRFS_DIR_INDEX_KEY ||
188 key->type == BTRFS_DIR_ITEM_KEY ||
189 key->type == BTRFS_EXTENT_DATA_KEY, "key->type=%u", key->type);
190
191 /*
192 * Only subvolume trees along with their reloc trees need this check.
193 * Things like log tree doesn't follow this ino requirement.
194 */
195 if (!btrfs_is_fstree(btrfs_header_owner(leaf)))
196 return true;
197
198 if (key->objectid == prev_key->objectid)
199 return true;
200
201 /* Error found */
202 dir_item_err(leaf, slot,
203 "invalid previous key objectid, have %llu expect %llu",
204 prev_key->objectid, key->objectid);
205 return false;
206 }
check_extent_data_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot,struct btrfs_key * prev_key)207 static int check_extent_data_item(struct extent_buffer *leaf,
208 struct btrfs_key *key, int slot,
209 struct btrfs_key *prev_key)
210 {
211 struct btrfs_fs_info *fs_info = leaf->fs_info;
212 struct btrfs_file_extent_item *fi;
213 u32 sectorsize = fs_info->sectorsize;
214 u32 item_size = btrfs_item_size(leaf, slot);
215 u64 extent_end;
216
217 if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
218 file_extent_err(leaf, slot,
219 "unaligned file_offset for file extent, have %llu should be aligned to %u",
220 key->offset, sectorsize);
221 return -EUCLEAN;
222 }
223
224 /*
225 * Previous key must have the same key->objectid (ino).
226 * It can be XATTR_ITEM, INODE_ITEM or just another EXTENT_DATA.
227 * But if objectids mismatch, it means we have a missing
228 * INODE_ITEM.
229 */
230 if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
231 return -EUCLEAN;
232
233 fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
234
235 /*
236 * Make sure the item contains at least inline header, so the file
237 * extent type is not some garbage.
238 */
239 if (unlikely(item_size < BTRFS_FILE_EXTENT_INLINE_DATA_START)) {
240 file_extent_err(leaf, slot,
241 "invalid item size, have %u expect [%zu, %u)",
242 item_size, BTRFS_FILE_EXTENT_INLINE_DATA_START,
243 SZ_4K);
244 return -EUCLEAN;
245 }
246 if (unlikely(btrfs_file_extent_type(leaf, fi) >=
247 BTRFS_NR_FILE_EXTENT_TYPES)) {
248 file_extent_err(leaf, slot,
249 "invalid type for file extent, have %u expect range [0, %u]",
250 btrfs_file_extent_type(leaf, fi),
251 BTRFS_NR_FILE_EXTENT_TYPES - 1);
252 return -EUCLEAN;
253 }
254
255 /*
256 * Support for new compression/encryption must introduce incompat flag,
257 * and must be caught in open_ctree().
258 */
259 if (unlikely(btrfs_file_extent_compression(leaf, fi) >=
260 BTRFS_NR_COMPRESS_TYPES)) {
261 file_extent_err(leaf, slot,
262 "invalid compression for file extent, have %u expect range [0, %u]",
263 btrfs_file_extent_compression(leaf, fi),
264 BTRFS_NR_COMPRESS_TYPES - 1);
265 return -EUCLEAN;
266 }
267 if (unlikely(btrfs_file_extent_encryption(leaf, fi))) {
268 file_extent_err(leaf, slot,
269 "invalid encryption for file extent, have %u expect 0",
270 btrfs_file_extent_encryption(leaf, fi));
271 return -EUCLEAN;
272 }
273 if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) {
274 /* Inline extent must have 0 as key offset */
275 if (unlikely(key->offset)) {
276 file_extent_err(leaf, slot,
277 "invalid file_offset for inline file extent, have %llu expect 0",
278 key->offset);
279 return -EUCLEAN;
280 }
281
282 /* Compressed inline extent has no on-disk size, skip it */
283 if (btrfs_file_extent_compression(leaf, fi) !=
284 BTRFS_COMPRESS_NONE)
285 return 0;
286
287 /* Uncompressed inline extent size must match item size */
288 if (unlikely(item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START +
289 btrfs_file_extent_ram_bytes(leaf, fi))) {
290 file_extent_err(leaf, slot,
291 "invalid ram_bytes for uncompressed inline extent, have %u expect %llu",
292 item_size, BTRFS_FILE_EXTENT_INLINE_DATA_START +
293 btrfs_file_extent_ram_bytes(leaf, fi));
294 return -EUCLEAN;
295 }
296 return 0;
297 }
298
299 /* Regular or preallocated extent has fixed item size */
300 if (unlikely(item_size != sizeof(*fi))) {
301 file_extent_err(leaf, slot,
302 "invalid item size for reg/prealloc file extent, have %u expect %zu",
303 item_size, sizeof(*fi));
304 return -EUCLEAN;
305 }
306 if (unlikely(CHECK_FE_ALIGNED(leaf, slot, fi, ram_bytes, sectorsize) ||
307 CHECK_FE_ALIGNED(leaf, slot, fi, disk_bytenr, sectorsize) ||
308 CHECK_FE_ALIGNED(leaf, slot, fi, disk_num_bytes, sectorsize) ||
309 CHECK_FE_ALIGNED(leaf, slot, fi, offset, sectorsize) ||
310 CHECK_FE_ALIGNED(leaf, slot, fi, num_bytes, sectorsize)))
311 return -EUCLEAN;
312
313 /* Catch extent end overflow */
314 if (unlikely(check_add_overflow(btrfs_file_extent_num_bytes(leaf, fi),
315 key->offset, &extent_end))) {
316 file_extent_err(leaf, slot,
317 "extent end overflow, have file offset %llu extent num bytes %llu",
318 key->offset,
319 btrfs_file_extent_num_bytes(leaf, fi));
320 return -EUCLEAN;
321 }
322
323 /*
324 * Check that no two consecutive file extent items, in the same leaf,
325 * present ranges that overlap each other.
326 */
327 if (slot > 0 &&
328 prev_key->objectid == key->objectid &&
329 prev_key->type == BTRFS_EXTENT_DATA_KEY) {
330 struct btrfs_file_extent_item *prev_fi;
331 u64 prev_end;
332
333 prev_fi = btrfs_item_ptr(leaf, slot - 1,
334 struct btrfs_file_extent_item);
335 prev_end = file_extent_end(leaf, prev_key, prev_fi);
336 if (unlikely(prev_end > key->offset)) {
337 file_extent_err(leaf, slot - 1,
338 "file extent end range (%llu) goes beyond start offset (%llu) of the next file extent",
339 prev_end, key->offset);
340 return -EUCLEAN;
341 }
342 }
343
344 /*
345 * For non-compressed data extents, ram_bytes should match its
346 * disk_num_bytes.
347 * However we do not really utilize ram_bytes in this case, so this check
348 * is only optional for DEBUG builds for developers to catch the
349 * unexpected behaviors.
350 */
351 if (IS_ENABLED(CONFIG_BTRFS_DEBUG) &&
352 btrfs_file_extent_compression(leaf, fi) == BTRFS_COMPRESS_NONE &&
353 btrfs_file_extent_disk_bytenr(leaf, fi)) {
354 if (WARN_ON(btrfs_file_extent_ram_bytes(leaf, fi) !=
355 btrfs_file_extent_disk_num_bytes(leaf, fi)))
356 file_extent_err(leaf, slot,
357 "mismatch ram_bytes (%llu) and disk_num_bytes (%llu) for non-compressed extent",
358 btrfs_file_extent_ram_bytes(leaf, fi),
359 btrfs_file_extent_disk_num_bytes(leaf, fi));
360 }
361
362 return 0;
363 }
364
check_csum_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot,struct btrfs_key * prev_key)365 static int check_csum_item(struct extent_buffer *leaf, struct btrfs_key *key,
366 int slot, struct btrfs_key *prev_key)
367 {
368 struct btrfs_fs_info *fs_info = leaf->fs_info;
369 u32 sectorsize = fs_info->sectorsize;
370 const u32 csumsize = fs_info->csum_size;
371
372 if (unlikely(key->objectid != BTRFS_EXTENT_CSUM_OBJECTID)) {
373 generic_err(leaf, slot,
374 "invalid key objectid for csum item, have %llu expect %llu",
375 key->objectid, BTRFS_EXTENT_CSUM_OBJECTID);
376 return -EUCLEAN;
377 }
378 if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
379 generic_err(leaf, slot,
380 "unaligned key offset for csum item, have %llu should be aligned to %u",
381 key->offset, sectorsize);
382 return -EUCLEAN;
383 }
384 if (unlikely(!IS_ALIGNED(btrfs_item_size(leaf, slot), csumsize))) {
385 generic_err(leaf, slot,
386 "unaligned item size for csum item, have %u should be aligned to %u",
387 btrfs_item_size(leaf, slot), csumsize);
388 return -EUCLEAN;
389 }
390 if (slot > 0 && prev_key->type == BTRFS_EXTENT_CSUM_KEY) {
391 u64 prev_csum_end;
392 u32 prev_item_size;
393
394 prev_item_size = btrfs_item_size(leaf, slot - 1);
395 prev_csum_end = (prev_item_size / csumsize) * sectorsize;
396 prev_csum_end += prev_key->offset;
397 if (unlikely(prev_csum_end > key->offset)) {
398 generic_err(leaf, slot - 1,
399 "csum end range (%llu) goes beyond the start range (%llu) of the next csum item",
400 prev_csum_end, key->offset);
401 return -EUCLEAN;
402 }
403 }
404 return 0;
405 }
406
407 /* Inode item error output has the same format as dir_item_err() */
408 #define inode_item_err(eb, slot, fmt, ...) \
409 dir_item_err(eb, slot, fmt, __VA_ARGS__)
410
check_inode_key(struct extent_buffer * leaf,struct btrfs_key * key,int slot)411 static int check_inode_key(struct extent_buffer *leaf, struct btrfs_key *key,
412 int slot)
413 {
414 struct btrfs_key item_key;
415 bool is_inode_item;
416
417 btrfs_item_key_to_cpu(leaf, &item_key, slot);
418 is_inode_item = (item_key.type == BTRFS_INODE_ITEM_KEY);
419
420 /* For XATTR_ITEM, location key should be all 0 */
421 if (item_key.type == BTRFS_XATTR_ITEM_KEY) {
422 if (unlikely(key->objectid != 0 || key->type != 0 ||
423 key->offset != 0))
424 return -EUCLEAN;
425 return 0;
426 }
427
428 if (unlikely((key->objectid < BTRFS_FIRST_FREE_OBJECTID ||
429 key->objectid > BTRFS_LAST_FREE_OBJECTID) &&
430 key->objectid != BTRFS_ROOT_TREE_DIR_OBJECTID &&
431 key->objectid != BTRFS_FREE_INO_OBJECTID)) {
432 if (is_inode_item) {
433 generic_err(leaf, slot,
434 "invalid key objectid: has %llu expect %llu or [%llu, %llu] or %llu",
435 key->objectid, BTRFS_ROOT_TREE_DIR_OBJECTID,
436 BTRFS_FIRST_FREE_OBJECTID,
437 BTRFS_LAST_FREE_OBJECTID,
438 BTRFS_FREE_INO_OBJECTID);
439 } else {
440 dir_item_err(leaf, slot,
441 "invalid location key objectid: has %llu expect %llu or [%llu, %llu] or %llu",
442 key->objectid, BTRFS_ROOT_TREE_DIR_OBJECTID,
443 BTRFS_FIRST_FREE_OBJECTID,
444 BTRFS_LAST_FREE_OBJECTID,
445 BTRFS_FREE_INO_OBJECTID);
446 }
447 return -EUCLEAN;
448 }
449 if (unlikely(key->offset != 0)) {
450 if (is_inode_item)
451 inode_item_err(leaf, slot,
452 "invalid key offset: has %llu expect 0",
453 key->offset);
454 else
455 dir_item_err(leaf, slot,
456 "invalid location key offset:has %llu expect 0",
457 key->offset);
458 return -EUCLEAN;
459 }
460 return 0;
461 }
462
check_root_key(struct extent_buffer * leaf,struct btrfs_key * key,int slot)463 static int check_root_key(struct extent_buffer *leaf, struct btrfs_key *key,
464 int slot)
465 {
466 struct btrfs_key item_key;
467 bool is_root_item;
468
469 btrfs_item_key_to_cpu(leaf, &item_key, slot);
470 is_root_item = (item_key.type == BTRFS_ROOT_ITEM_KEY);
471
472 /*
473 * Bad rootid for reloc trees.
474 *
475 * Reloc trees are only for subvolume trees, other trees only need
476 * to be COWed to be relocated.
477 */
478 if (unlikely(is_root_item && key->objectid == BTRFS_TREE_RELOC_OBJECTID &&
479 !btrfs_is_fstree(key->offset))) {
480 generic_err(leaf, slot,
481 "invalid reloc tree for root %lld, root id is not a subvolume tree",
482 key->offset);
483 return -EUCLEAN;
484 }
485
486 /* No such tree id */
487 if (unlikely(key->objectid == 0)) {
488 if (is_root_item)
489 generic_err(leaf, slot, "invalid root id 0");
490 else
491 dir_item_err(leaf, slot,
492 "invalid location key root id 0");
493 return -EUCLEAN;
494 }
495
496 /* DIR_ITEM/INDEX/INODE_REF is not allowed to point to non-fs trees */
497 if (unlikely(!btrfs_is_fstree(key->objectid) && !is_root_item)) {
498 dir_item_err(leaf, slot,
499 "invalid location key objectid, have %llu expect [%llu, %llu]",
500 key->objectid, BTRFS_FIRST_FREE_OBJECTID,
501 BTRFS_LAST_FREE_OBJECTID);
502 return -EUCLEAN;
503 }
504
505 /*
506 * ROOT_ITEM with non-zero offset means this is a snapshot, created at
507 * @offset transid.
508 * Furthermore, for location key in DIR_ITEM, its offset is always -1.
509 *
510 * So here we only check offset for reloc tree whose key->offset must
511 * be a valid tree.
512 */
513 if (unlikely(key->objectid == BTRFS_TREE_RELOC_OBJECTID &&
514 key->offset == 0)) {
515 generic_err(leaf, slot, "invalid root id 0 for reloc tree");
516 return -EUCLEAN;
517 }
518 return 0;
519 }
520
check_dir_item(struct extent_buffer * leaf,struct btrfs_key * key,struct btrfs_key * prev_key,int slot)521 static int check_dir_item(struct extent_buffer *leaf,
522 struct btrfs_key *key, struct btrfs_key *prev_key,
523 int slot)
524 {
525 struct btrfs_fs_info *fs_info = leaf->fs_info;
526 struct btrfs_dir_item *di;
527 u32 item_size = btrfs_item_size(leaf, slot);
528 u32 cur = 0;
529
530 if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
531 return -EUCLEAN;
532
533 di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
534 while (cur < item_size) {
535 struct btrfs_key location_key;
536 u32 name_len;
537 u32 data_len;
538 u32 max_name_len;
539 u32 total_size;
540 u32 name_hash;
541 u8 dir_type;
542 int ret;
543
544 /* header itself should not cross item boundary */
545 if (unlikely(cur + sizeof(*di) > item_size)) {
546 dir_item_err(leaf, slot,
547 "dir item header crosses item boundary, have %zu boundary %u",
548 cur + sizeof(*di), item_size);
549 return -EUCLEAN;
550 }
551
552 /* Location key check */
553 btrfs_dir_item_key_to_cpu(leaf, di, &location_key);
554 if (location_key.type == BTRFS_ROOT_ITEM_KEY) {
555 ret = check_root_key(leaf, &location_key, slot);
556 if (unlikely(ret < 0))
557 return ret;
558 } else if (location_key.type == BTRFS_INODE_ITEM_KEY ||
559 location_key.type == 0) {
560 ret = check_inode_key(leaf, &location_key, slot);
561 if (unlikely(ret < 0))
562 return ret;
563 } else {
564 dir_item_err(leaf, slot,
565 "invalid location key type, have %u, expect %u or %u",
566 location_key.type, BTRFS_ROOT_ITEM_KEY,
567 BTRFS_INODE_ITEM_KEY);
568 return -EUCLEAN;
569 }
570
571 /* dir type check */
572 dir_type = btrfs_dir_ftype(leaf, di);
573 if (unlikely(dir_type <= BTRFS_FT_UNKNOWN ||
574 dir_type >= BTRFS_FT_MAX)) {
575 dir_item_err(leaf, slot,
576 "invalid dir item type, have %u expect (0, %u)",
577 dir_type, BTRFS_FT_MAX);
578 return -EUCLEAN;
579 }
580
581 if (unlikely(key->type == BTRFS_XATTR_ITEM_KEY &&
582 dir_type != BTRFS_FT_XATTR)) {
583 dir_item_err(leaf, slot,
584 "invalid dir item type for XATTR key, have %u expect %u",
585 dir_type, BTRFS_FT_XATTR);
586 return -EUCLEAN;
587 }
588 if (unlikely(dir_type == BTRFS_FT_XATTR &&
589 key->type != BTRFS_XATTR_ITEM_KEY)) {
590 dir_item_err(leaf, slot,
591 "xattr dir type found for non-XATTR key");
592 return -EUCLEAN;
593 }
594 if (dir_type == BTRFS_FT_XATTR)
595 max_name_len = XATTR_NAME_MAX;
596 else
597 max_name_len = BTRFS_NAME_LEN;
598
599 /* Name/data length check */
600 name_len = btrfs_dir_name_len(leaf, di);
601 data_len = btrfs_dir_data_len(leaf, di);
602 if (unlikely(name_len > max_name_len)) {
603 dir_item_err(leaf, slot,
604 "dir item name len too long, have %u max %u",
605 name_len, max_name_len);
606 return -EUCLEAN;
607 }
608 if (unlikely(name_len + data_len > BTRFS_MAX_XATTR_SIZE(fs_info))) {
609 dir_item_err(leaf, slot,
610 "dir item name and data len too long, have %u max %u",
611 name_len + data_len,
612 BTRFS_MAX_XATTR_SIZE(fs_info));
613 return -EUCLEAN;
614 }
615
616 if (unlikely(data_len && dir_type != BTRFS_FT_XATTR)) {
617 dir_item_err(leaf, slot,
618 "dir item with invalid data len, have %u expect 0",
619 data_len);
620 return -EUCLEAN;
621 }
622
623 total_size = sizeof(*di) + name_len + data_len;
624
625 /* header and name/data should not cross item boundary */
626 if (unlikely(cur + total_size > item_size)) {
627 dir_item_err(leaf, slot,
628 "dir item data crosses item boundary, have %u boundary %u",
629 cur + total_size, item_size);
630 return -EUCLEAN;
631 }
632
633 /*
634 * Special check for XATTR/DIR_ITEM, as key->offset is name
635 * hash, should match its name
636 */
637 if (key->type == BTRFS_DIR_ITEM_KEY ||
638 key->type == BTRFS_XATTR_ITEM_KEY) {
639 char namebuf[MAX(BTRFS_NAME_LEN, XATTR_NAME_MAX)];
640
641 read_extent_buffer(leaf, namebuf,
642 (unsigned long)(di + 1), name_len);
643 name_hash = btrfs_name_hash(namebuf, name_len);
644 if (unlikely(key->offset != name_hash)) {
645 dir_item_err(leaf, slot,
646 "name hash mismatch with key, have 0x%016x expect 0x%016llx",
647 name_hash, key->offset);
648 return -EUCLEAN;
649 }
650 }
651 cur += total_size;
652 di = (struct btrfs_dir_item *)((void *)di + total_size);
653 }
654 return 0;
655 }
656
657 __printf(3, 4)
658 __cold
block_group_err(const struct extent_buffer * eb,int slot,const char * fmt,...)659 static void block_group_err(const struct extent_buffer *eb, int slot,
660 const char *fmt, ...)
661 {
662 const struct btrfs_fs_info *fs_info = eb->fs_info;
663 struct btrfs_key key;
664 struct va_format vaf;
665 va_list args;
666
667 btrfs_item_key_to_cpu(eb, &key, slot);
668 va_start(args, fmt);
669
670 vaf.fmt = fmt;
671 vaf.va = &args;
672
673 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
674 btrfs_crit(fs_info,
675 "corrupt %s: root=%llu block=%llu slot=%d bg_start=%llu bg_len=%llu, %pV",
676 btrfs_header_level(eb) == 0 ? "leaf" : "node",
677 btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
678 key.objectid, key.offset, &vaf);
679 va_end(args);
680 }
681
check_block_group_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot)682 static int check_block_group_item(struct extent_buffer *leaf,
683 struct btrfs_key *key, int slot)
684 {
685 struct btrfs_fs_info *fs_info = leaf->fs_info;
686 struct btrfs_block_group_item bgi;
687 u32 item_size = btrfs_item_size(leaf, slot);
688 u64 chunk_objectid;
689 u64 flags;
690 u64 type;
691 size_t exp_size;
692
693 /*
694 * Here we don't really care about alignment since extent allocator can
695 * handle it. We care more about the size.
696 */
697 if (unlikely(key->offset == 0)) {
698 block_group_err(leaf, slot,
699 "invalid block group size 0");
700 return -EUCLEAN;
701 }
702
703 if (btrfs_fs_incompat(fs_info, REMAP_TREE))
704 exp_size = sizeof(struct btrfs_block_group_item_v2);
705 else
706 exp_size = sizeof(struct btrfs_block_group_item);
707
708 if (unlikely(item_size != exp_size)) {
709 block_group_err(leaf, slot,
710 "invalid item size, have %u expect %zu",
711 item_size, exp_size);
712 return -EUCLEAN;
713 }
714
715 read_extent_buffer(leaf, &bgi, btrfs_item_ptr_offset(leaf, slot),
716 sizeof(bgi));
717 chunk_objectid = btrfs_stack_block_group_chunk_objectid(&bgi);
718 if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) {
719 /*
720 * We don't init the nr_global_roots until we load the global
721 * roots, so this could be 0 at mount time. If it's 0 we'll
722 * just assume we're fine, and later we'll check against our
723 * actual value.
724 */
725 if (unlikely(fs_info->nr_global_roots &&
726 chunk_objectid >= fs_info->nr_global_roots)) {
727 block_group_err(leaf, slot,
728 "invalid block group global root id, have %llu, needs to be <= %llu",
729 chunk_objectid,
730 fs_info->nr_global_roots);
731 return -EUCLEAN;
732 }
733 } else if (unlikely(chunk_objectid != BTRFS_FIRST_CHUNK_TREE_OBJECTID)) {
734 block_group_err(leaf, slot,
735 "invalid block group chunk objectid, have %llu expect %llu",
736 btrfs_stack_block_group_chunk_objectid(&bgi),
737 BTRFS_FIRST_CHUNK_TREE_OBJECTID);
738 return -EUCLEAN;
739 }
740
741 if (unlikely(btrfs_stack_block_group_used(&bgi) > key->offset)) {
742 block_group_err(leaf, slot,
743 "invalid block group used, have %llu expect [0, %llu)",
744 btrfs_stack_block_group_used(&bgi), key->offset);
745 return -EUCLEAN;
746 }
747
748 flags = btrfs_stack_block_group_flags(&bgi);
749 if (unlikely(hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) > 1)) {
750 block_group_err(leaf, slot,
751 "invalid profile flags, have 0x%llx (%lu bits set) expect no more than 1 bit set",
752 flags & BTRFS_BLOCK_GROUP_PROFILE_MASK,
753 hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK));
754 return -EUCLEAN;
755 }
756
757 if (unlikely(flags & BTRFS_BLOCK_GROUP_METADATA_REMAP &&
758 !btrfs_fs_incompat(fs_info, REMAP_TREE))) {
759 block_group_err(leaf, slot,
760 "invalid flags, have 0x%llx (METADATA_REMAP flag set) but no remap-tree incompat flag",
761 flags);
762 return -EUCLEAN;
763 }
764
765 type = flags & BTRFS_BLOCK_GROUP_TYPE_MASK;
766 if (unlikely(type != BTRFS_BLOCK_GROUP_DATA &&
767 type != BTRFS_BLOCK_GROUP_METADATA &&
768 type != BTRFS_BLOCK_GROUP_SYSTEM &&
769 type != BTRFS_BLOCK_GROUP_METADATA_REMAP &&
770 type != (BTRFS_BLOCK_GROUP_METADATA |
771 BTRFS_BLOCK_GROUP_DATA))) {
772 block_group_err(leaf, slot,
773 "invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llx, 0x%llx or 0x%llx",
774 type, hweight64(type),
775 BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA,
776 BTRFS_BLOCK_GROUP_SYSTEM, BTRFS_BLOCK_GROUP_METADATA_REMAP,
777 BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA);
778 return -EUCLEAN;
779 }
780
781 if (unlikely(!btrfs_fs_incompat(fs_info, REMAP_TREE) &&
782 type == BTRFS_BLOCK_GROUP_METADATA_REMAP)) {
783 block_group_err(leaf, slot,
784 "invalid type, METADATA_REMAP set but REMAP_TREE incompat flag not set");
785 return -EUCLEAN;
786 }
787
788 if (unlikely(!btrfs_fs_incompat(fs_info, REMAP_TREE) &&
789 flags & BTRFS_BLOCK_GROUP_REMAPPED)) {
790 block_group_err(leaf, slot,
791 "invalid flags, REMAPPED set but REMAP_TREE incompat flag not set");
792 return -EUCLEAN;
793 }
794
795 if (item_size == sizeof(struct btrfs_block_group_item_v2)) {
796 struct btrfs_block_group_item_v2 *bgi2;
797 u64 remap_bytes;
798 u32 identity_remap_count;
799
800 bgi2 = btrfs_item_ptr(leaf, slot, struct btrfs_block_group_item_v2);
801 remap_bytes = btrfs_block_group_v2_remap_bytes(leaf, bgi2);
802
803 if (unlikely(remap_bytes > key->offset)) {
804 block_group_err(leaf, slot,
805 "invalid remap_bytes, have %llu expect [0, %llu]",
806 remap_bytes, key->offset);
807 return -EUCLEAN;
808 }
809
810 identity_remap_count = btrfs_block_group_v2_identity_remap_count(leaf, bgi2);
811 if (unlikely((u64)identity_remap_count >
812 key->offset >> fs_info->sectorsize_bits)) {
813 block_group_err(leaf, slot,
814 "invalid identity_remap_count, have %u expect [0, %llu]",
815 identity_remap_count,
816 key->offset >> fs_info->sectorsize_bits);
817 return -EUCLEAN;
818 }
819 }
820
821 return 0;
822 }
823
824 __printf(5, 6)
825 __cold
chunk_err(const struct btrfs_fs_info * fs_info,const struct extent_buffer * leaf,const struct btrfs_chunk * chunk,u64 logical,const char * fmt,...)826 static void chunk_err(const struct btrfs_fs_info *fs_info,
827 const struct extent_buffer *leaf,
828 const struct btrfs_chunk *chunk, u64 logical,
829 const char *fmt, ...)
830 {
831 bool is_sb = !leaf;
832 struct va_format vaf;
833 va_list args;
834 int i;
835 int slot = -1;
836
837 if (!is_sb) {
838 /*
839 * Get the slot number by iterating through all slots, this
840 * would provide better readability.
841 */
842 for (i = 0; i < btrfs_header_nritems(leaf); i++) {
843 if (btrfs_item_ptr_offset(leaf, i) ==
844 (unsigned long)chunk) {
845 slot = i;
846 break;
847 }
848 }
849 }
850 va_start(args, fmt);
851 vaf.fmt = fmt;
852 vaf.va = &args;
853
854 if (is_sb)
855 btrfs_crit(fs_info,
856 "corrupt superblock syschunk array: chunk_start=%llu, %pV",
857 logical, &vaf);
858 else
859 btrfs_crit(fs_info,
860 "corrupt leaf: root=%llu block=%llu slot=%d chunk_start=%llu, %pV",
861 BTRFS_CHUNK_TREE_OBJECTID, leaf->start, slot,
862 logical, &vaf);
863 va_end(args);
864 }
865
valid_stripe_count(u64 profile,u16 num_stripes,u16 sub_stripes)866 static bool valid_stripe_count(u64 profile, u16 num_stripes, u16 sub_stripes)
867 {
868 switch (profile) {
869 case BTRFS_BLOCK_GROUP_RAID0:
870 return true;
871 case BTRFS_BLOCK_GROUP_RAID10:
872 return sub_stripes == btrfs_raid_array[BTRFS_RAID_RAID10].sub_stripes;
873 case BTRFS_BLOCK_GROUP_RAID1:
874 return num_stripes == btrfs_raid_array[BTRFS_RAID_RAID1].devs_min;
875 case BTRFS_BLOCK_GROUP_RAID1C3:
876 return num_stripes == btrfs_raid_array[BTRFS_RAID_RAID1C3].devs_min;
877 case BTRFS_BLOCK_GROUP_RAID1C4:
878 return num_stripes == btrfs_raid_array[BTRFS_RAID_RAID1C4].devs_min;
879 case BTRFS_BLOCK_GROUP_RAID5:
880 return num_stripes >= btrfs_raid_array[BTRFS_RAID_RAID5].devs_min;
881 case BTRFS_BLOCK_GROUP_RAID6:
882 return num_stripes >= btrfs_raid_array[BTRFS_RAID_RAID6].devs_min;
883 case BTRFS_BLOCK_GROUP_DUP:
884 return num_stripes == btrfs_raid_array[BTRFS_RAID_DUP].dev_stripes;
885 case 0: /* SINGLE */
886 return num_stripes == btrfs_raid_array[BTRFS_RAID_SINGLE].dev_stripes;
887 default:
888 BUG();
889 }
890 }
891
892 /*
893 * The common chunk check which could also work on super block sys chunk array.
894 *
895 * If @leaf is NULL, then @chunk must be an on-stack chunk item.
896 * (For superblock sys_chunk array, and fs_info->sectorsize is unreliable)
897 *
898 * Return -EUCLEAN if anything is corrupted.
899 * Return 0 if everything is OK.
900 */
btrfs_check_chunk_valid(const struct btrfs_fs_info * fs_info,const struct extent_buffer * leaf,const struct btrfs_chunk * chunk,u64 logical,u32 sectorsize)901 int btrfs_check_chunk_valid(const struct btrfs_fs_info *fs_info,
902 const struct extent_buffer *leaf,
903 const struct btrfs_chunk *chunk, u64 logical,
904 u32 sectorsize)
905 {
906 u64 length;
907 u64 chunk_end;
908 u64 stripe_len;
909 u16 num_stripes;
910 u16 sub_stripes;
911 u64 type;
912 u64 features;
913 u32 chunk_sector_size;
914 bool mixed = false;
915 bool remapped;
916 int raid_index;
917 int nparity;
918 int ncopies;
919
920 if (leaf) {
921 length = btrfs_chunk_length(leaf, chunk);
922 stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
923 num_stripes = btrfs_chunk_num_stripes(leaf, chunk);
924 sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk);
925 type = btrfs_chunk_type(leaf, chunk);
926 chunk_sector_size = btrfs_chunk_sector_size(leaf, chunk);
927 } else {
928 length = btrfs_stack_chunk_length(chunk);
929 stripe_len = btrfs_stack_chunk_stripe_len(chunk);
930 num_stripes = btrfs_stack_chunk_num_stripes(chunk);
931 sub_stripes = btrfs_stack_chunk_sub_stripes(chunk);
932 type = btrfs_stack_chunk_type(chunk);
933 chunk_sector_size = btrfs_stack_chunk_sector_size(chunk);
934 }
935 raid_index = btrfs_bg_flags_to_raid_index(type);
936 ncopies = btrfs_raid_array[raid_index].ncopies;
937 nparity = btrfs_raid_array[raid_index].nparity;
938 remapped = (type & BTRFS_BLOCK_GROUP_REMAPPED);
939
940 if (unlikely(!remapped && !num_stripes)) {
941 chunk_err(fs_info, leaf, chunk, logical,
942 "invalid chunk num_stripes, have %u", num_stripes);
943 return -EUCLEAN;
944 }
945 if (unlikely(num_stripes != 0 && num_stripes < ncopies)) {
946 chunk_err(fs_info, leaf, chunk, logical,
947 "invalid chunk num_stripes < ncopies, have %u < %d",
948 num_stripes, ncopies);
949 return -EUCLEAN;
950 }
951 if (unlikely(nparity && num_stripes == nparity)) {
952 chunk_err(fs_info, leaf, chunk, logical,
953 "invalid chunk num_stripes == nparity, have %u == %d",
954 num_stripes, nparity);
955 return -EUCLEAN;
956 }
957 if (unlikely(!IS_ALIGNED(logical, sectorsize))) {
958 chunk_err(fs_info, leaf, chunk, logical,
959 "invalid chunk logical, have %llu should aligned to %u",
960 logical, sectorsize);
961 return -EUCLEAN;
962 }
963 if (unlikely(chunk_sector_size != sectorsize)) {
964 chunk_err(fs_info, leaf, chunk, logical,
965 "invalid chunk sectorsize, have %u expect %u",
966 chunk_sector_size, sectorsize);
967 return -EUCLEAN;
968 }
969 if (unlikely(!length || !IS_ALIGNED(length, sectorsize))) {
970 chunk_err(fs_info, leaf, chunk, logical,
971 "invalid chunk length, have %llu", length);
972 return -EUCLEAN;
973 }
974 if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
975 chunk_err(fs_info, leaf, chunk, logical,
976 "invalid chunk logical start and length, have logical start %llu length %llu",
977 logical, length);
978 return -EUCLEAN;
979 }
980 if (unlikely(!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN)) {
981 chunk_err(fs_info, leaf, chunk, logical,
982 "invalid chunk stripe length: %llu",
983 stripe_len);
984 return -EUCLEAN;
985 }
986 /*
987 * We artificially limit the chunk size, so that the number of stripes
988 * inside a chunk can be fit into a U32. The current limit (256G) is
989 * way too large for real world usage anyway, and it's also much larger
990 * than our existing limit (10G).
991 *
992 * Thus it should be a good way to catch obvious bitflips.
993 */
994 if (unlikely(length >= btrfs_stripe_nr_to_offset(U32_MAX))) {
995 chunk_err(fs_info, leaf, chunk, logical,
996 "chunk length too large: have %llu limit %llu",
997 length, btrfs_stripe_nr_to_offset(U32_MAX));
998 return -EUCLEAN;
999 }
1000 if (unlikely(type & ~BTRFS_BLOCK_GROUP_VALID)) {
1001 chunk_err(fs_info, leaf, chunk, logical,
1002 "unrecognized chunk type: 0x%llx",
1003 type & ~BTRFS_BLOCK_GROUP_VALID);
1004 return -EUCLEAN;
1005 }
1006
1007 if (unlikely(!has_single_bit_set(type & BTRFS_BLOCK_GROUP_PROFILE_MASK) &&
1008 (type & BTRFS_BLOCK_GROUP_PROFILE_MASK) != 0)) {
1009 chunk_err(fs_info, leaf, chunk, logical,
1010 "invalid chunk profile flag: 0x%llx, expect 0 or 1 bit set",
1011 type & BTRFS_BLOCK_GROUP_PROFILE_MASK);
1012 return -EUCLEAN;
1013 }
1014 if (unlikely((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0)) {
1015 chunk_err(fs_info, leaf, chunk, logical,
1016 "missing chunk type flag, have 0x%llx one bit must be set in 0x%llx",
1017 type, BTRFS_BLOCK_GROUP_TYPE_MASK);
1018 return -EUCLEAN;
1019 }
1020
1021 if (unlikely((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
1022 (type & (BTRFS_BLOCK_GROUP_METADATA |
1023 BTRFS_BLOCK_GROUP_DATA)))) {
1024 chunk_err(fs_info, leaf, chunk, logical,
1025 "system chunk with data or metadata type: 0x%llx",
1026 type);
1027 return -EUCLEAN;
1028 }
1029
1030 features = btrfs_super_incompat_flags(fs_info->super_copy);
1031 if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
1032 mixed = true;
1033
1034 if (!mixed) {
1035 if (unlikely((type & BTRFS_BLOCK_GROUP_METADATA) &&
1036 (type & BTRFS_BLOCK_GROUP_DATA))) {
1037 chunk_err(fs_info, leaf, chunk, logical,
1038 "mixed chunk type in non-mixed mode: 0x%llx", type);
1039 return -EUCLEAN;
1040 }
1041 }
1042
1043 if (unlikely((type & BTRFS_BLOCK_GROUP_METADATA_REMAP) &&
1044 !(features & BTRFS_FEATURE_INCOMPAT_REMAP_TREE))) {
1045 chunk_err(fs_info, leaf, chunk, logical,
1046 "METADATA_REMAP chunk type without REMAP_TREE incompat bit");
1047 return -EUCLEAN;
1048 }
1049
1050 if (unlikely(remapped &&
1051 !(features & BTRFS_FEATURE_INCOMPAT_REMAP_TREE))) {
1052 chunk_err(fs_info, leaf, chunk, logical,
1053 "REMAPPED chunk flag without REMAP_TREE incompat bit");
1054 return -EUCLEAN;
1055 }
1056
1057 if (!remapped &&
1058 !valid_stripe_count(type & BTRFS_BLOCK_GROUP_PROFILE_MASK,
1059 num_stripes, sub_stripes)) {
1060 chunk_err(fs_info, leaf, chunk, logical,
1061 "invalid num_stripes:sub_stripes %u:%u for profile %llu",
1062 num_stripes, sub_stripes,
1063 type & BTRFS_BLOCK_GROUP_PROFILE_MASK);
1064 return -EUCLEAN;
1065 }
1066
1067 return 0;
1068 }
1069
1070 /*
1071 * Enhanced version of chunk item checker.
1072 *
1073 * The common btrfs_check_chunk_valid() doesn't check item size since it needs
1074 * to work on super block sys_chunk_array which doesn't have full item ptr.
1075 */
check_leaf_chunk_item(struct extent_buffer * leaf,struct btrfs_chunk * chunk,struct btrfs_key * key,int slot)1076 static int check_leaf_chunk_item(struct extent_buffer *leaf,
1077 struct btrfs_chunk *chunk,
1078 struct btrfs_key *key, int slot)
1079 {
1080 struct btrfs_fs_info *fs_info = leaf->fs_info;
1081 int num_stripes;
1082
1083 if (unlikely(btrfs_item_size(leaf, slot) < offsetof(struct btrfs_chunk, stripe))) {
1084 chunk_err(fs_info, leaf, chunk, key->offset,
1085 "invalid chunk item size: have %u expect [%zu, %u)",
1086 btrfs_item_size(leaf, slot),
1087 offsetof(struct btrfs_chunk, stripe),
1088 BTRFS_LEAF_DATA_SIZE(fs_info));
1089 return -EUCLEAN;
1090 }
1091
1092 num_stripes = btrfs_chunk_num_stripes(leaf, chunk);
1093 /* Let btrfs_check_chunk_valid() handle this error type */
1094 if (num_stripes == 0)
1095 goto out;
1096
1097 if (unlikely(btrfs_chunk_item_size(num_stripes) !=
1098 btrfs_item_size(leaf, slot))) {
1099 chunk_err(fs_info, leaf, chunk, key->offset,
1100 "invalid chunk item size: have %u expect %lu",
1101 btrfs_item_size(leaf, slot),
1102 btrfs_chunk_item_size(num_stripes));
1103 return -EUCLEAN;
1104 }
1105 out:
1106 return btrfs_check_chunk_valid(fs_info, leaf, chunk, key->offset,
1107 fs_info->sectorsize);
1108 }
1109
1110 __printf(3, 4)
1111 __cold
dev_item_err(const struct extent_buffer * eb,int slot,const char * fmt,...)1112 static void dev_item_err(const struct extent_buffer *eb, int slot,
1113 const char *fmt, ...)
1114 {
1115 struct btrfs_key key;
1116 struct va_format vaf;
1117 va_list args;
1118
1119 btrfs_item_key_to_cpu(eb, &key, slot);
1120 va_start(args, fmt);
1121
1122 vaf.fmt = fmt;
1123 vaf.va = &args;
1124
1125 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
1126 btrfs_crit(eb->fs_info,
1127 "corrupt %s: root=%llu block=%llu slot=%d devid=%llu %pV",
1128 btrfs_header_level(eb) == 0 ? "leaf" : "node",
1129 btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
1130 key.objectid, &vaf);
1131 va_end(args);
1132 }
1133
check_dev_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot)1134 static int check_dev_item(struct extent_buffer *leaf,
1135 struct btrfs_key *key, int slot)
1136 {
1137 struct btrfs_dev_item *ditem;
1138 const u32 item_size = btrfs_item_size(leaf, slot);
1139
1140 if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
1141 dev_item_err(leaf, slot,
1142 "invalid objectid: has=%llu expect=%llu",
1143 key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
1144 return -EUCLEAN;
1145 }
1146
1147 if (unlikely(item_size != sizeof(*ditem))) {
1148 dev_item_err(leaf, slot, "invalid item size: has %u expect %zu",
1149 item_size, sizeof(*ditem));
1150 return -EUCLEAN;
1151 }
1152
1153 ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
1154 if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
1155 dev_item_err(leaf, slot,
1156 "devid mismatch: key has=%llu item has=%llu",
1157 key->offset, btrfs_device_id(leaf, ditem));
1158 return -EUCLEAN;
1159 }
1160
1161 /*
1162 * For device total_bytes, we don't have reliable way to check it, as
1163 * it can be 0 for device removal. Device size check can only be done
1164 * by dev extents check.
1165 */
1166 if (unlikely(btrfs_device_bytes_used(leaf, ditem) >
1167 btrfs_device_total_bytes(leaf, ditem))) {
1168 dev_item_err(leaf, slot,
1169 "invalid bytes used: have %llu expect [0, %llu]",
1170 btrfs_device_bytes_used(leaf, ditem),
1171 btrfs_device_total_bytes(leaf, ditem));
1172 return -EUCLEAN;
1173 }
1174 /*
1175 * Remaining members like io_align/type/gen/dev_group aren't really
1176 * utilized. Skip them to make later usage of them easier.
1177 */
1178 return 0;
1179 }
1180
check_inode_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot)1181 static int check_inode_item(struct extent_buffer *leaf,
1182 struct btrfs_key *key, int slot)
1183 {
1184 struct btrfs_fs_info *fs_info = leaf->fs_info;
1185 struct btrfs_inode_item *iitem;
1186 u64 super_gen = btrfs_super_generation(fs_info->super_copy);
1187 u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
1188 const u32 item_size = btrfs_item_size(leaf, slot);
1189 u32 mode;
1190 int ret;
1191 u32 flags;
1192 u32 ro_flags;
1193
1194 ret = check_inode_key(leaf, key, slot);
1195 if (unlikely(ret < 0))
1196 return ret;
1197
1198 if (unlikely(item_size != sizeof(*iitem))) {
1199 generic_err(leaf, slot, "invalid item size: has %u expect %zu",
1200 item_size, sizeof(*iitem));
1201 return -EUCLEAN;
1202 }
1203
1204 iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
1205
1206 /* Here we use super block generation + 1 to handle log tree */
1207 if (unlikely(btrfs_inode_generation(leaf, iitem) > super_gen + 1)) {
1208 inode_item_err(leaf, slot,
1209 "invalid inode generation: has %llu expect (0, %llu]",
1210 btrfs_inode_generation(leaf, iitem),
1211 super_gen + 1);
1212 return -EUCLEAN;
1213 }
1214 /* Note for ROOT_TREE_DIR_ITEM, mkfs could set its transid 0 */
1215 if (unlikely(btrfs_inode_transid(leaf, iitem) > super_gen + 1)) {
1216 inode_item_err(leaf, slot,
1217 "invalid inode transid: has %llu expect [0, %llu]",
1218 btrfs_inode_transid(leaf, iitem), super_gen + 1);
1219 return -EUCLEAN;
1220 }
1221
1222 /*
1223 * For size and nbytes it's better not to be too strict, as for dir
1224 * item its size/nbytes can easily get wrong, but doesn't affect
1225 * anything in the fs. So here we skip the check.
1226 */
1227 mode = btrfs_inode_mode(leaf, iitem);
1228 if (unlikely(mode & ~valid_mask)) {
1229 inode_item_err(leaf, slot,
1230 "unknown mode bit detected: 0x%x",
1231 mode & ~valid_mask);
1232 return -EUCLEAN;
1233 }
1234
1235 /*
1236 * S_IFMT is not bit mapped so we can't completely rely on
1237 * is_power_of_2/has_single_bit_set, but it can save us from checking
1238 * FIFO/CHR/DIR/REG. Only needs to check BLK, LNK and SOCKS
1239 */
1240 if (!has_single_bit_set(mode & S_IFMT)) {
1241 if (unlikely(!S_ISLNK(mode) && !S_ISBLK(mode) && !S_ISSOCK(mode))) {
1242 inode_item_err(leaf, slot,
1243 "invalid mode: has 0%o expect valid S_IF* bit(s)",
1244 mode & S_IFMT);
1245 return -EUCLEAN;
1246 }
1247 }
1248 if (unlikely(S_ISDIR(mode) && btrfs_inode_nlink(leaf, iitem) > 1)) {
1249 inode_item_err(leaf, slot,
1250 "invalid nlink: has %u expect no more than 1 for dir",
1251 btrfs_inode_nlink(leaf, iitem));
1252 return -EUCLEAN;
1253 }
1254 btrfs_inode_split_flags(btrfs_inode_flags(leaf, iitem), &flags, &ro_flags);
1255 if (unlikely(flags & ~BTRFS_INODE_FLAG_MASK)) {
1256 inode_item_err(leaf, slot,
1257 "unknown incompat flags detected: 0x%x", flags);
1258 return -EUCLEAN;
1259 }
1260 if (unlikely(!sb_rdonly(fs_info->sb) &&
1261 (ro_flags & ~BTRFS_INODE_RO_FLAG_MASK))) {
1262 inode_item_err(leaf, slot,
1263 "unknown ro-compat flags detected on writeable mount: 0x%x",
1264 ro_flags);
1265 return -EUCLEAN;
1266 }
1267 return 0;
1268 }
1269
check_root_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot)1270 static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
1271 int slot)
1272 {
1273 struct btrfs_fs_info *fs_info = leaf->fs_info;
1274 struct btrfs_root_item ri = { 0 };
1275 const u64 valid_root_flags = BTRFS_ROOT_SUBVOL_RDONLY |
1276 BTRFS_ROOT_SUBVOL_DEAD;
1277 int ret;
1278
1279 ret = check_root_key(leaf, key, slot);
1280 if (unlikely(ret < 0))
1281 return ret;
1282
1283 if (unlikely(btrfs_item_size(leaf, slot) != sizeof(ri) &&
1284 btrfs_item_size(leaf, slot) !=
1285 btrfs_legacy_root_item_size())) {
1286 generic_err(leaf, slot,
1287 "invalid root item size, have %u expect %zu or %u",
1288 btrfs_item_size(leaf, slot), sizeof(ri),
1289 btrfs_legacy_root_item_size());
1290 return -EUCLEAN;
1291 }
1292
1293 /*
1294 * For legacy root item, the members starting at generation_v2 will be
1295 * all filled with 0.
1296 * And since we allow generation_v2 as 0, it will still pass the check.
1297 */
1298 read_extent_buffer(leaf, &ri, btrfs_item_ptr_offset(leaf, slot),
1299 btrfs_item_size(leaf, slot));
1300
1301 /* Generation related */
1302 if (unlikely(btrfs_root_generation(&ri) >
1303 btrfs_super_generation(fs_info->super_copy) + 1)) {
1304 generic_err(leaf, slot,
1305 "invalid root generation, have %llu expect (0, %llu]",
1306 btrfs_root_generation(&ri),
1307 btrfs_super_generation(fs_info->super_copy) + 1);
1308 return -EUCLEAN;
1309 }
1310 if (unlikely(btrfs_root_generation_v2(&ri) >
1311 btrfs_super_generation(fs_info->super_copy) + 1)) {
1312 generic_err(leaf, slot,
1313 "invalid root v2 generation, have %llu expect (0, %llu]",
1314 btrfs_root_generation_v2(&ri),
1315 btrfs_super_generation(fs_info->super_copy) + 1);
1316 return -EUCLEAN;
1317 }
1318 if (unlikely(btrfs_root_last_snapshot(&ri) >
1319 btrfs_super_generation(fs_info->super_copy) + 1)) {
1320 generic_err(leaf, slot,
1321 "invalid root last_snapshot, have %llu expect (0, %llu]",
1322 btrfs_root_last_snapshot(&ri),
1323 btrfs_super_generation(fs_info->super_copy) + 1);
1324 return -EUCLEAN;
1325 }
1326
1327 /* Alignment and level check */
1328 if (unlikely(!IS_ALIGNED(btrfs_root_bytenr(&ri), fs_info->sectorsize))) {
1329 generic_err(leaf, slot,
1330 "invalid root bytenr, have %llu expect to be aligned to %u",
1331 btrfs_root_bytenr(&ri), fs_info->sectorsize);
1332 return -EUCLEAN;
1333 }
1334 if (unlikely(btrfs_root_level(&ri) >= BTRFS_MAX_LEVEL)) {
1335 generic_err(leaf, slot,
1336 "invalid root level, have %u expect [0, %u]",
1337 btrfs_root_level(&ri), BTRFS_MAX_LEVEL - 1);
1338 return -EUCLEAN;
1339 }
1340 if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
1341 generic_err(leaf, slot,
1342 "invalid root drop_level, have %u expect [0, %u]",
1343 btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
1344 return -EUCLEAN;
1345 }
1346 /*
1347 * If drop_progress.objectid is non-zero, a btrfs_drop_snapshot() was
1348 * interrupted and the resume point was recorded in drop_progress and
1349 * drop_level. In that case drop_level must be >= 1: level 0 is the
1350 * leaf level and drop_snapshot never saves a checkpoint there (it
1351 * only records checkpoints at internal node levels in DROP_REFERENCE
1352 * stage). A zero drop_level combined with a non-zero drop_progress
1353 * objectid indicates on-disk corruption and would cause a BUG_ON in
1354 * merge_reloc_root() and btrfs_drop_snapshot() at mount time.
1355 */
1356 if (unlikely(btrfs_disk_key_objectid(&ri.drop_progress) != 0 &&
1357 btrfs_root_drop_level(&ri) == 0)) {
1358 generic_err(leaf, slot,
1359 "invalid root drop_level 0 with non-zero drop_progress objectid %llu",
1360 btrfs_disk_key_objectid(&ri.drop_progress));
1361 return -EUCLEAN;
1362 }
1363
1364 /* Flags check */
1365 if (unlikely(btrfs_root_flags(&ri) & ~valid_root_flags)) {
1366 generic_err(leaf, slot,
1367 "invalid root flags, have 0x%llx expect mask 0x%llx",
1368 btrfs_root_flags(&ri), valid_root_flags);
1369 return -EUCLEAN;
1370 }
1371 return 0;
1372 }
1373
1374 __printf(3,4)
1375 __cold
extent_err(const struct extent_buffer * eb,int slot,const char * fmt,...)1376 static void extent_err(const struct extent_buffer *eb, int slot,
1377 const char *fmt, ...)
1378 {
1379 struct btrfs_key key;
1380 struct va_format vaf;
1381 va_list args;
1382 u64 bytenr;
1383 u64 len;
1384
1385 btrfs_item_key_to_cpu(eb, &key, slot);
1386 bytenr = key.objectid;
1387 if (key.type == BTRFS_METADATA_ITEM_KEY ||
1388 key.type == BTRFS_TREE_BLOCK_REF_KEY ||
1389 key.type == BTRFS_SHARED_BLOCK_REF_KEY)
1390 len = eb->fs_info->nodesize;
1391 else
1392 len = key.offset;
1393 va_start(args, fmt);
1394
1395 vaf.fmt = fmt;
1396 vaf.va = &args;
1397
1398 dump_page(folio_page(eb->folios[0], 0), "eb page dump");
1399 btrfs_crit(eb->fs_info,
1400 "corrupt %s: block=%llu slot=%d extent bytenr=%llu len=%llu %pV",
1401 btrfs_header_level(eb) == 0 ? "leaf" : "node",
1402 eb->start, slot, bytenr, len, &vaf);
1403 va_end(args);
1404 }
1405
is_valid_dref_root(u64 rootid)1406 static bool is_valid_dref_root(u64 rootid)
1407 {
1408 /*
1409 * The following tree root objectids are allowed to have a data backref:
1410 * - subvolume trees
1411 * - data reloc tree
1412 * - tree root
1413 * For v1 space cache
1414 */
1415 return btrfs_is_fstree(rootid) || rootid == BTRFS_DATA_RELOC_TREE_OBJECTID ||
1416 rootid == BTRFS_ROOT_TREE_OBJECTID;
1417 }
1418
check_extent_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot,struct btrfs_key * prev_key)1419 static int check_extent_item(struct extent_buffer *leaf,
1420 struct btrfs_key *key, int slot,
1421 struct btrfs_key *prev_key)
1422 {
1423 struct btrfs_fs_info *fs_info = leaf->fs_info;
1424 struct btrfs_extent_item *ei;
1425 bool is_tree_block = false;
1426 unsigned long ptr; /* Current pointer inside inline refs */
1427 unsigned long end; /* Extent item end */
1428 const u32 item_size = btrfs_item_size(leaf, slot);
1429 u8 last_type = 0;
1430 u64 last_seq = U64_MAX;
1431 u64 flags;
1432 u64 generation;
1433 u64 total_refs; /* Total refs in btrfs_extent_item */
1434 u64 inline_refs = 0; /* found total inline refs */
1435
1436 if (unlikely(key->type == BTRFS_METADATA_ITEM_KEY &&
1437 !btrfs_fs_incompat(fs_info, SKINNY_METADATA))) {
1438 generic_err(leaf, slot,
1439 "invalid key type, METADATA_ITEM type invalid when SKINNY_METADATA feature disabled");
1440 return -EUCLEAN;
1441 }
1442 /* key->objectid is the bytenr for both key types */
1443 if (unlikely(!IS_ALIGNED(key->objectid, fs_info->sectorsize))) {
1444 generic_err(leaf, slot,
1445 "invalid key objectid, have %llu expect to be aligned to %u",
1446 key->objectid, fs_info->sectorsize);
1447 return -EUCLEAN;
1448 }
1449
1450 /* key->offset is tree level for METADATA_ITEM_KEY */
1451 if (unlikely(key->type == BTRFS_METADATA_ITEM_KEY &&
1452 key->offset >= BTRFS_MAX_LEVEL)) {
1453 extent_err(leaf, slot,
1454 "invalid tree level, have %llu expect [0, %u]",
1455 key->offset, BTRFS_MAX_LEVEL - 1);
1456 return -EUCLEAN;
1457 }
1458
1459 /*
1460 * EXTENT/METADATA_ITEM consists of:
1461 * 1) One btrfs_extent_item
1462 * Records the total refs, type and generation of the extent.
1463 *
1464 * 2) One btrfs_tree_block_info (for EXTENT_ITEM and tree backref only)
1465 * Records the first key and level of the tree block.
1466 *
1467 * 2) Zero or more btrfs_extent_inline_ref(s)
1468 * Each inline ref has one btrfs_extent_inline_ref shows:
1469 * 2.1) The ref type, one of the 4
1470 * TREE_BLOCK_REF Tree block only
1471 * SHARED_BLOCK_REF Tree block only
1472 * EXTENT_DATA_REF Data only
1473 * SHARED_DATA_REF Data only
1474 * 2.2) Ref type specific data
1475 * Either using btrfs_extent_inline_ref::offset, or specific
1476 * data structure.
1477 *
1478 * All above inline items should follow the order:
1479 *
1480 * - All btrfs_extent_inline_ref::type should be in an ascending
1481 * order
1482 *
1483 * - Within the same type, the items should follow a descending
1484 * order by their sequence number. The sequence number is
1485 * determined by:
1486 * * btrfs_extent_inline_ref::offset for all types other than
1487 * EXTENT_DATA_REF
1488 * * hash_extent_data_ref() for EXTENT_DATA_REF
1489 */
1490 if (unlikely(item_size < sizeof(*ei))) {
1491 extent_err(leaf, slot,
1492 "invalid item size, have %u expect [%zu, %u)",
1493 item_size, sizeof(*ei),
1494 BTRFS_LEAF_DATA_SIZE(fs_info));
1495 return -EUCLEAN;
1496 }
1497 end = item_size + btrfs_item_ptr_offset(leaf, slot);
1498
1499 /* Checks against extent_item */
1500 ei = btrfs_item_ptr(leaf, slot, struct btrfs_extent_item);
1501 flags = btrfs_extent_flags(leaf, ei);
1502 total_refs = btrfs_extent_refs(leaf, ei);
1503 generation = btrfs_extent_generation(leaf, ei);
1504 if (unlikely(generation >
1505 btrfs_super_generation(fs_info->super_copy) + 1)) {
1506 extent_err(leaf, slot,
1507 "invalid generation, have %llu expect (0, %llu]",
1508 generation,
1509 btrfs_super_generation(fs_info->super_copy) + 1);
1510 return -EUCLEAN;
1511 }
1512 if (unlikely(!has_single_bit_set(flags & (BTRFS_EXTENT_FLAG_DATA |
1513 BTRFS_EXTENT_FLAG_TREE_BLOCK)))) {
1514 extent_err(leaf, slot,
1515 "invalid extent flag, have 0x%llx expect 1 bit set in 0x%llx",
1516 flags, BTRFS_EXTENT_FLAG_DATA |
1517 BTRFS_EXTENT_FLAG_TREE_BLOCK);
1518 return -EUCLEAN;
1519 }
1520 is_tree_block = !!(flags & BTRFS_EXTENT_FLAG_TREE_BLOCK);
1521 if (is_tree_block) {
1522 if (unlikely(key->type == BTRFS_EXTENT_ITEM_KEY &&
1523 key->offset != fs_info->nodesize)) {
1524 extent_err(leaf, slot,
1525 "invalid extent length, have %llu expect %u",
1526 key->offset, fs_info->nodesize);
1527 return -EUCLEAN;
1528 }
1529 } else {
1530 if (unlikely(key->type != BTRFS_EXTENT_ITEM_KEY)) {
1531 extent_err(leaf, slot,
1532 "invalid key type, have %u expect %u for data backref",
1533 key->type, BTRFS_EXTENT_ITEM_KEY);
1534 return -EUCLEAN;
1535 }
1536 if (unlikely(!IS_ALIGNED(key->offset, fs_info->sectorsize))) {
1537 extent_err(leaf, slot,
1538 "invalid extent length, have %llu expect aligned to %u",
1539 key->offset, fs_info->sectorsize);
1540 return -EUCLEAN;
1541 }
1542 if (unlikely(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF)) {
1543 extent_err(leaf, slot,
1544 "invalid extent flag, data has full backref set");
1545 return -EUCLEAN;
1546 }
1547 }
1548 ptr = (unsigned long)(struct btrfs_extent_item *)(ei + 1);
1549
1550 /* Check the special case of btrfs_tree_block_info */
1551 if (is_tree_block && key->type != BTRFS_METADATA_ITEM_KEY) {
1552 struct btrfs_tree_block_info *info;
1553
1554 info = (struct btrfs_tree_block_info *)ptr;
1555 if (unlikely(btrfs_tree_block_level(leaf, info) >= BTRFS_MAX_LEVEL)) {
1556 extent_err(leaf, slot,
1557 "invalid tree block info level, have %u expect [0, %u]",
1558 btrfs_tree_block_level(leaf, info),
1559 BTRFS_MAX_LEVEL - 1);
1560 return -EUCLEAN;
1561 }
1562 ptr = (unsigned long)(struct btrfs_tree_block_info *)(info + 1);
1563 }
1564
1565 /* Check inline refs */
1566 while (ptr < end) {
1567 struct btrfs_extent_inline_ref *iref;
1568 struct btrfs_extent_data_ref *dref;
1569 struct btrfs_shared_data_ref *sref;
1570 u64 seq;
1571 u64 dref_root;
1572 u64 dref_objectid;
1573 u64 dref_offset;
1574 u64 inline_offset;
1575 u8 inline_type;
1576
1577 if (unlikely(ptr + sizeof(*iref) > end)) {
1578 extent_err(leaf, slot,
1579 "inline ref item overflows extent item, ptr %lu iref size %zu end %lu",
1580 ptr, sizeof(*iref), end);
1581 return -EUCLEAN;
1582 }
1583 iref = (struct btrfs_extent_inline_ref *)ptr;
1584 inline_type = btrfs_extent_inline_ref_type(leaf, iref);
1585 inline_offset = btrfs_extent_inline_ref_offset(leaf, iref);
1586 seq = inline_offset;
1587 if (unlikely(ptr + btrfs_extent_inline_ref_size(inline_type) > end)) {
1588 extent_err(leaf, slot,
1589 "inline ref item overflows extent item, ptr %lu iref size %u end %lu",
1590 ptr, btrfs_extent_inline_ref_size(inline_type), end);
1591 return -EUCLEAN;
1592 }
1593
1594 switch (inline_type) {
1595 /* inline_offset is subvolid of the owner, no need to check */
1596 case BTRFS_TREE_BLOCK_REF_KEY:
1597 inline_refs++;
1598 break;
1599 /* Contains parent bytenr */
1600 case BTRFS_SHARED_BLOCK_REF_KEY:
1601 if (unlikely(!IS_ALIGNED(inline_offset,
1602 fs_info->sectorsize))) {
1603 extent_err(leaf, slot,
1604 "invalid tree parent bytenr, have %llu expect aligned to %u",
1605 inline_offset, fs_info->sectorsize);
1606 return -EUCLEAN;
1607 }
1608 inline_refs++;
1609 break;
1610 /*
1611 * Contains owner subvolid, owner key objectid, adjusted offset.
1612 * The only obvious corruption can happen in that offset.
1613 */
1614 case BTRFS_EXTENT_DATA_REF_KEY:
1615 dref = (struct btrfs_extent_data_ref *)(&iref->offset);
1616 dref_root = btrfs_extent_data_ref_root(leaf, dref);
1617 dref_objectid = btrfs_extent_data_ref_objectid(leaf, dref);
1618 dref_offset = btrfs_extent_data_ref_offset(leaf, dref);
1619 seq = hash_extent_data_ref(
1620 btrfs_extent_data_ref_root(leaf, dref),
1621 btrfs_extent_data_ref_objectid(leaf, dref),
1622 btrfs_extent_data_ref_offset(leaf, dref));
1623 if (unlikely(!is_valid_dref_root(dref_root))) {
1624 extent_err(leaf, slot,
1625 "invalid data ref root value %llu",
1626 dref_root);
1627 return -EUCLEAN;
1628 }
1629 if (unlikely(dref_objectid < BTRFS_FIRST_FREE_OBJECTID ||
1630 dref_objectid > BTRFS_LAST_FREE_OBJECTID)) {
1631 extent_err(leaf, slot,
1632 "invalid data ref objectid value %llu",
1633 dref_objectid);
1634 return -EUCLEAN;
1635 }
1636 if (unlikely(!IS_ALIGNED(dref_offset,
1637 fs_info->sectorsize))) {
1638 extent_err(leaf, slot,
1639 "invalid data ref offset, have %llu expect aligned to %u",
1640 dref_offset, fs_info->sectorsize);
1641 return -EUCLEAN;
1642 }
1643 if (unlikely(btrfs_extent_data_ref_count(leaf, dref) == 0)) {
1644 extent_err(leaf, slot,
1645 "invalid data ref count, should have non-zero value");
1646 return -EUCLEAN;
1647 }
1648 inline_refs += btrfs_extent_data_ref_count(leaf, dref);
1649 break;
1650 /* Contains parent bytenr and ref count */
1651 case BTRFS_SHARED_DATA_REF_KEY:
1652 sref = (struct btrfs_shared_data_ref *)(iref + 1);
1653 if (unlikely(!IS_ALIGNED(inline_offset,
1654 fs_info->sectorsize))) {
1655 extent_err(leaf, slot,
1656 "invalid data parent bytenr, have %llu expect aligned to %u",
1657 inline_offset, fs_info->sectorsize);
1658 return -EUCLEAN;
1659 }
1660 if (unlikely(btrfs_shared_data_ref_count(leaf, sref) == 0)) {
1661 extent_err(leaf, slot,
1662 "invalid shared data ref count, should have non-zero value");
1663 return -EUCLEAN;
1664 }
1665 inline_refs += btrfs_shared_data_ref_count(leaf, sref);
1666 break;
1667 case BTRFS_EXTENT_OWNER_REF_KEY:
1668 WARN_ON(!btrfs_fs_incompat(fs_info, SIMPLE_QUOTA));
1669 break;
1670 default:
1671 extent_err(leaf, slot, "unknown inline ref type: %u",
1672 inline_type);
1673 return -EUCLEAN;
1674 }
1675 if (unlikely(inline_type < last_type)) {
1676 extent_err(leaf, slot,
1677 "inline ref out-of-order: has type %u, prev type %u",
1678 inline_type, last_type);
1679 return -EUCLEAN;
1680 }
1681 /* Type changed, allow the sequence starts from U64_MAX again. */
1682 if (inline_type > last_type)
1683 last_seq = U64_MAX;
1684 if (unlikely(seq > last_seq)) {
1685 extent_err(leaf, slot,
1686 "inline ref out-of-order: has type %u offset %llu seq 0x%llx, prev type %u seq 0x%llx",
1687 inline_type, inline_offset, seq,
1688 last_type, last_seq);
1689 return -EUCLEAN;
1690 }
1691 last_type = inline_type;
1692 last_seq = seq;
1693 ptr += btrfs_extent_inline_ref_size(inline_type);
1694 }
1695 /* No padding is allowed */
1696 if (unlikely(ptr != end)) {
1697 extent_err(leaf, slot,
1698 "invalid extent item size, padding bytes found");
1699 return -EUCLEAN;
1700 }
1701
1702 /* Finally, check the inline refs against total refs */
1703 if (unlikely(inline_refs > total_refs)) {
1704 extent_err(leaf, slot,
1705 "invalid extent refs, have %llu expect >= inline %llu",
1706 total_refs, inline_refs);
1707 return -EUCLEAN;
1708 }
1709
1710 if ((prev_key->type == BTRFS_EXTENT_ITEM_KEY) ||
1711 (prev_key->type == BTRFS_METADATA_ITEM_KEY)) {
1712 u64 prev_end = prev_key->objectid;
1713
1714 if (prev_key->type == BTRFS_METADATA_ITEM_KEY)
1715 prev_end += fs_info->nodesize;
1716 else
1717 prev_end += prev_key->offset;
1718
1719 if (unlikely(prev_end > key->objectid)) {
1720 extent_err(leaf, slot,
1721 "previous extent " BTRFS_KEY_FMT " overlaps current extent " BTRFS_KEY_FMT,
1722 BTRFS_KEY_FMT_VALUE(prev_key),
1723 BTRFS_KEY_FMT_VALUE(key));
1724 return -EUCLEAN;
1725 }
1726 }
1727
1728 return 0;
1729 }
1730
check_simple_keyed_refs(struct extent_buffer * leaf,struct btrfs_key * key,int slot)1731 static int check_simple_keyed_refs(struct extent_buffer *leaf,
1732 struct btrfs_key *key, int slot)
1733 {
1734 u32 expect_item_size = 0;
1735
1736 if (key->type == BTRFS_SHARED_DATA_REF_KEY) {
1737 struct btrfs_shared_data_ref *sref;
1738
1739 sref = btrfs_item_ptr(leaf, slot, struct btrfs_shared_data_ref);
1740 if (unlikely(btrfs_shared_data_ref_count(leaf, sref) == 0)) {
1741 extent_err(leaf, slot,
1742 "invalid shared data backref count, should have non-zero value");
1743 return -EUCLEAN;
1744 }
1745
1746 expect_item_size = sizeof(struct btrfs_shared_data_ref);
1747 }
1748
1749 if (unlikely(btrfs_item_size(leaf, slot) != expect_item_size)) {
1750 generic_err(leaf, slot,
1751 "invalid item size, have %u expect %u for key type %u",
1752 btrfs_item_size(leaf, slot),
1753 expect_item_size, key->type);
1754 return -EUCLEAN;
1755 }
1756 if (unlikely(!IS_ALIGNED(key->objectid, leaf->fs_info->sectorsize))) {
1757 generic_err(leaf, slot,
1758 "invalid key objectid for shared block ref, have %llu expect aligned to %u",
1759 key->objectid, leaf->fs_info->sectorsize);
1760 return -EUCLEAN;
1761 }
1762 if (unlikely(key->type != BTRFS_TREE_BLOCK_REF_KEY &&
1763 !IS_ALIGNED(key->offset, leaf->fs_info->sectorsize))) {
1764 extent_err(leaf, slot,
1765 "invalid tree parent bytenr, have %llu expect aligned to %u",
1766 key->offset, leaf->fs_info->sectorsize);
1767 return -EUCLEAN;
1768 }
1769 return 0;
1770 }
1771
check_extent_data_ref(struct extent_buffer * leaf,struct btrfs_key * key,int slot)1772 static int check_extent_data_ref(struct extent_buffer *leaf,
1773 struct btrfs_key *key, int slot)
1774 {
1775 struct btrfs_extent_data_ref *dref;
1776 unsigned long ptr = btrfs_item_ptr_offset(leaf, slot);
1777 const unsigned long end = ptr + btrfs_item_size(leaf, slot);
1778
1779 if (unlikely(btrfs_item_size(leaf, slot) % sizeof(*dref) != 0)) {
1780 generic_err(leaf, slot,
1781 "invalid item size, have %u expect aligned to %zu for key type %u",
1782 btrfs_item_size(leaf, slot),
1783 sizeof(*dref), key->type);
1784 return -EUCLEAN;
1785 }
1786 if (unlikely(!IS_ALIGNED(key->objectid, leaf->fs_info->sectorsize))) {
1787 generic_err(leaf, slot,
1788 "invalid key objectid for shared block ref, have %llu expect aligned to %u",
1789 key->objectid, leaf->fs_info->sectorsize);
1790 return -EUCLEAN;
1791 }
1792 for (; ptr < end; ptr += sizeof(*dref)) {
1793 u64 root;
1794 u64 objectid;
1795 u64 offset;
1796
1797 /*
1798 * We cannot check the extent_data_ref hash due to possible
1799 * overflow from the leaf due to hash collisions.
1800 */
1801 dref = (struct btrfs_extent_data_ref *)ptr;
1802 root = btrfs_extent_data_ref_root(leaf, dref);
1803 objectid = btrfs_extent_data_ref_objectid(leaf, dref);
1804 offset = btrfs_extent_data_ref_offset(leaf, dref);
1805 if (unlikely(!is_valid_dref_root(root))) {
1806 extent_err(leaf, slot,
1807 "invalid extent data backref root value %llu",
1808 root);
1809 return -EUCLEAN;
1810 }
1811 if (unlikely(objectid < BTRFS_FIRST_FREE_OBJECTID ||
1812 objectid > BTRFS_LAST_FREE_OBJECTID)) {
1813 extent_err(leaf, slot,
1814 "invalid extent data backref objectid value %llu",
1815 objectid);
1816 return -EUCLEAN;
1817 }
1818 if (unlikely(!IS_ALIGNED(offset, leaf->fs_info->sectorsize))) {
1819 extent_err(leaf, slot,
1820 "invalid extent data backref offset, have %llu expect aligned to %u",
1821 offset, leaf->fs_info->sectorsize);
1822 return -EUCLEAN;
1823 }
1824 if (unlikely(btrfs_extent_data_ref_count(leaf, dref) == 0)) {
1825 extent_err(leaf, slot,
1826 "invalid extent data backref count, should have non-zero value");
1827 return -EUCLEAN;
1828 }
1829 }
1830 return 0;
1831 }
1832
1833 #define inode_ref_err(eb, slot, fmt, args...) \
1834 inode_item_err(eb, slot, fmt, ##args)
check_inode_ref(struct extent_buffer * leaf,struct btrfs_key * key,struct btrfs_key * prev_key,int slot)1835 static int check_inode_ref(struct extent_buffer *leaf,
1836 struct btrfs_key *key, struct btrfs_key *prev_key,
1837 int slot)
1838 {
1839 struct btrfs_inode_ref *iref;
1840 unsigned long ptr;
1841 unsigned long end;
1842
1843 if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
1844 return -EUCLEAN;
1845 /* namelen can't be 0, so item_size == sizeof() is also invalid */
1846 if (unlikely(btrfs_item_size(leaf, slot) <= sizeof(*iref))) {
1847 inode_ref_err(leaf, slot,
1848 "invalid item size, have %u expect (%zu, %u)",
1849 btrfs_item_size(leaf, slot),
1850 sizeof(*iref), BTRFS_LEAF_DATA_SIZE(leaf->fs_info));
1851 return -EUCLEAN;
1852 }
1853
1854 ptr = btrfs_item_ptr_offset(leaf, slot);
1855 end = ptr + btrfs_item_size(leaf, slot);
1856 while (ptr < end) {
1857 u16 namelen;
1858
1859 if (unlikely(ptr + sizeof(*iref) > end)) {
1860 inode_ref_err(leaf, slot,
1861 "inode ref overflow, ptr %lu end %lu inode_ref_size %zu",
1862 ptr, end, sizeof(*iref));
1863 return -EUCLEAN;
1864 }
1865
1866 iref = (struct btrfs_inode_ref *)ptr;
1867 namelen = btrfs_inode_ref_name_len(leaf, iref);
1868 if (unlikely(ptr + sizeof(*iref) + namelen > end)) {
1869 inode_ref_err(leaf, slot,
1870 "inode ref overflow, ptr %lu end %lu namelen %u",
1871 ptr, end, namelen);
1872 return -EUCLEAN;
1873 }
1874
1875 /*
1876 * NOTE: In theory we should record all found index numbers
1877 * to find any duplicated indexes, but that will be too time
1878 * consuming for inodes with too many hard links.
1879 */
1880 ptr += sizeof(*iref) + namelen;
1881 }
1882 return 0;
1883 }
1884
check_inode_extref(struct extent_buffer * leaf,struct btrfs_key * key,struct btrfs_key * prev_key,int slot)1885 static int check_inode_extref(struct extent_buffer *leaf,
1886 struct btrfs_key *key, struct btrfs_key *prev_key,
1887 int slot)
1888 {
1889 unsigned long ptr = btrfs_item_ptr_offset(leaf, slot);
1890 unsigned long end = ptr + btrfs_item_size(leaf, slot);
1891
1892 if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
1893 return -EUCLEAN;
1894
1895 while (ptr < end) {
1896 struct btrfs_inode_extref *extref = (struct btrfs_inode_extref *)ptr;
1897 u16 namelen;
1898
1899 if (unlikely(ptr + sizeof(*extref) > end)) {
1900 inode_ref_err(leaf, slot,
1901 "inode extref overflow, ptr %lu end %lu inode_extref size %zu",
1902 ptr, end, sizeof(*extref));
1903 return -EUCLEAN;
1904 }
1905
1906 namelen = btrfs_inode_extref_name_len(leaf, extref);
1907 if (unlikely(ptr + sizeof(*extref) + namelen > end)) {
1908 inode_ref_err(leaf, slot,
1909 "inode extref overflow, ptr %lu end %lu namelen %u",
1910 ptr, end, namelen);
1911 return -EUCLEAN;
1912 }
1913 ptr += sizeof(*extref) + namelen;
1914 }
1915 return 0;
1916 }
1917
check_raid_stripe_extent(const struct extent_buffer * leaf,const struct btrfs_key * key,int slot)1918 static int check_raid_stripe_extent(const struct extent_buffer *leaf,
1919 const struct btrfs_key *key, int slot)
1920 {
1921 if (unlikely(!IS_ALIGNED(key->objectid, leaf->fs_info->sectorsize))) {
1922 generic_err(leaf, slot,
1923 "invalid key objectid for raid stripe extent, have %llu expect aligned to %u",
1924 key->objectid, leaf->fs_info->sectorsize);
1925 return -EUCLEAN;
1926 }
1927
1928 if (unlikely(!btrfs_fs_incompat(leaf->fs_info, RAID_STRIPE_TREE))) {
1929 generic_err(leaf, slot,
1930 "RAID_STRIPE_EXTENT present but RAID_STRIPE_TREE incompat bit unset");
1931 return -EUCLEAN;
1932 }
1933
1934 return 0;
1935 }
1936
check_remap_key(const struct extent_buffer * leaf,const struct btrfs_key * key,int slot)1937 static int check_remap_key(const struct extent_buffer *leaf,
1938 const struct btrfs_key *key, int slot)
1939 {
1940 const u32 item_size = btrfs_item_size(leaf, slot);
1941 const u32 sectorsize = leaf->fs_info->sectorsize;
1942 u64 end;
1943
1944 if (unlikely(!btrfs_fs_incompat(leaf->fs_info, REMAP_TREE))) {
1945 generic_err(leaf, slot,
1946 "remap key type %u present but REMAP_TREE incompat bit unset",
1947 key->type);
1948 return -EUCLEAN;
1949 }
1950
1951 switch (key->type) {
1952 case BTRFS_IDENTITY_REMAP_KEY:
1953 if (unlikely(item_size != 0)) {
1954 generic_err(leaf, slot,
1955 "invalid item size for IDENTITY_REMAP, have %u expect 0",
1956 item_size);
1957 return -EUCLEAN;
1958 }
1959 break;
1960 case BTRFS_REMAP_KEY:
1961 case BTRFS_REMAP_BACKREF_KEY:
1962 if (unlikely(item_size != sizeof(struct btrfs_remap_item))) {
1963 generic_err(leaf, slot,
1964 "invalid item size for remap key type %u, have %u expect %zu",
1965 key->type, item_size,
1966 sizeof(struct btrfs_remap_item));
1967 return -EUCLEAN;
1968 }
1969 break;
1970 }
1971
1972 if (unlikely(key->offset == 0)) {
1973 generic_err(leaf, slot,
1974 "invalid remap key length, have 0 expect nonzero");
1975 return -EUCLEAN;
1976 }
1977
1978 if (unlikely(!IS_ALIGNED(key->objectid, sectorsize))) {
1979 generic_err(leaf, slot,
1980 "invalid remap key objectid, have %llu expect aligned to %u",
1981 key->objectid, sectorsize);
1982 return -EUCLEAN;
1983 }
1984
1985 if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
1986 generic_err(leaf, slot,
1987 "invalid remap key offset (length), have %llu expect aligned to %u",
1988 key->offset, sectorsize);
1989 return -EUCLEAN;
1990 }
1991
1992 if (unlikely(check_add_overflow(key->objectid, key->offset, &end))) {
1993 generic_err(leaf, slot,
1994 "remap key overflow, objectid %llu + offset %llu wraps",
1995 key->objectid, key->offset);
1996 return -EUCLEAN;
1997 }
1998
1999 return 0;
2000 }
2001
check_dev_extent_item(const struct extent_buffer * leaf,const struct btrfs_key * key,int slot,struct btrfs_key * prev_key)2002 static int check_dev_extent_item(const struct extent_buffer *leaf,
2003 const struct btrfs_key *key,
2004 int slot,
2005 struct btrfs_key *prev_key)
2006 {
2007 struct btrfs_dev_extent *de;
2008 const u32 sectorsize = leaf->fs_info->sectorsize;
2009
2010 de = btrfs_item_ptr(leaf, slot, struct btrfs_dev_extent);
2011 /* Basic fixed member checks. */
2012 if (unlikely(btrfs_dev_extent_chunk_tree(leaf, de) !=
2013 BTRFS_CHUNK_TREE_OBJECTID)) {
2014 generic_err(leaf, slot,
2015 "invalid dev extent chunk tree id, has %llu expect %llu",
2016 btrfs_dev_extent_chunk_tree(leaf, de),
2017 BTRFS_CHUNK_TREE_OBJECTID);
2018 return -EUCLEAN;
2019 }
2020 if (unlikely(btrfs_dev_extent_chunk_objectid(leaf, de) !=
2021 BTRFS_FIRST_CHUNK_TREE_OBJECTID)) {
2022 generic_err(leaf, slot,
2023 "invalid dev extent chunk objectid, has %llu expect %llu",
2024 btrfs_dev_extent_chunk_objectid(leaf, de),
2025 BTRFS_FIRST_CHUNK_TREE_OBJECTID);
2026 return -EUCLEAN;
2027 }
2028 /* Alignment check. */
2029 if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
2030 generic_err(leaf, slot,
2031 "invalid dev extent key.offset, has %llu not aligned to %u",
2032 key->offset, sectorsize);
2033 return -EUCLEAN;
2034 }
2035 if (unlikely(!IS_ALIGNED(btrfs_dev_extent_chunk_offset(leaf, de),
2036 sectorsize))) {
2037 generic_err(leaf, slot,
2038 "invalid dev extent chunk offset, has %llu not aligned to %u",
2039 btrfs_dev_extent_chunk_objectid(leaf, de),
2040 sectorsize);
2041 return -EUCLEAN;
2042 }
2043 if (unlikely(!IS_ALIGNED(btrfs_dev_extent_length(leaf, de),
2044 sectorsize))) {
2045 generic_err(leaf, slot,
2046 "invalid dev extent length, has %llu not aligned to %u",
2047 btrfs_dev_extent_length(leaf, de), sectorsize);
2048 return -EUCLEAN;
2049 }
2050 /* Overlap check with previous dev extent. */
2051 if (slot && prev_key->objectid == key->objectid &&
2052 prev_key->type == key->type) {
2053 struct btrfs_dev_extent *prev_de;
2054 u64 prev_len;
2055
2056 prev_de = btrfs_item_ptr(leaf, slot - 1, struct btrfs_dev_extent);
2057 prev_len = btrfs_dev_extent_length(leaf, prev_de);
2058 if (unlikely(prev_key->offset + prev_len > key->offset)) {
2059 generic_err(leaf, slot,
2060 "dev extent overlap, prev offset %llu len %llu current offset %llu",
2061 prev_key->offset, prev_len, key->offset);
2062 return -EUCLEAN;
2063 }
2064 }
2065 return 0;
2066 }
2067
check_free_space_info(struct extent_buffer * leaf,struct btrfs_key * key,int slot)2068 static int check_free_space_info(struct extent_buffer *leaf, struct btrfs_key *key,
2069 int slot)
2070 {
2071 struct btrfs_fs_info *fs_info = leaf->fs_info;
2072 struct btrfs_free_space_info *fsi;
2073 const u32 blocksize = fs_info->sectorsize;
2074 u32 flags;
2075
2076 if (unlikely(!IS_ALIGNED(key->objectid, blocksize))) {
2077 generic_err(leaf, slot,
2078 "free space info key objectid is not aligned to %u, has " BTRFS_KEY_FMT,
2079 blocksize, BTRFS_KEY_FMT_VALUE(key));
2080 return -EUCLEAN;
2081 }
2082 if (unlikely(!IS_ALIGNED(key->offset, blocksize))) {
2083 generic_err(leaf, slot,
2084 "free space info key offset is not aligned to %u, has " BTRFS_KEY_FMT,
2085 blocksize, BTRFS_KEY_FMT_VALUE(key));
2086 return -EUCLEAN;
2087 }
2088 if (unlikely(btrfs_item_size(leaf, slot) !=
2089 sizeof(struct btrfs_free_space_info))) {
2090 generic_err(leaf, slot,
2091 "invalid item size for free space info, has %u expect %zu",
2092 btrfs_item_size(leaf, slot),
2093 sizeof(struct btrfs_free_space_info));
2094 return -EUCLEAN;
2095 }
2096 fsi = btrfs_item_ptr(leaf, slot, struct btrfs_free_space_info);
2097 flags = btrfs_free_space_flags(leaf, fsi);
2098 if (unlikely(flags & ~BTRFS_FREE_SPACE_FLAGS_MASK)) {
2099 generic_err(leaf, slot,
2100 "unknown flags for free space info, has 0x%x valid mask 0x%lx",
2101 flags, BTRFS_FREE_SPACE_FLAGS_MASK);
2102 return -EUCLEAN;
2103 }
2104 if (unlikely(btrfs_free_space_extent_count(leaf, fsi) >
2105 key->offset >> fs_info->sectorsize_bits)) {
2106 generic_err(leaf, slot,
2107 "suspicious extent count, has %u max valid %llu",
2108 btrfs_free_space_extent_count(leaf, fsi),
2109 key->offset >> fs_info->sectorsize_bits);
2110 return -EUCLEAN;
2111 }
2112 return 0;
2113 }
2114
check_free_space_extent(struct extent_buffer * leaf,struct btrfs_key * key,int slot)2115 static int check_free_space_extent(struct extent_buffer *leaf, struct btrfs_key *key, int slot)
2116 {
2117 struct btrfs_fs_info *fs_info = leaf->fs_info;
2118 const u32 blocksize = fs_info->sectorsize;
2119
2120 if (unlikely(!IS_ALIGNED(key->objectid, blocksize))) {
2121 generic_err(leaf, slot,
2122 "free space extent key objectid is not aligned to %u, has " BTRFS_KEY_FMT,
2123 blocksize, BTRFS_KEY_FMT_VALUE(key));
2124 return -EUCLEAN;
2125 }
2126 if (unlikely(!IS_ALIGNED(key->offset, blocksize))) {
2127 generic_err(leaf, slot,
2128 "free space extent key offset is not aligned to %u, has " BTRFS_KEY_FMT,
2129 blocksize, BTRFS_KEY_FMT_VALUE(key));
2130 return -EUCLEAN;
2131 }
2132 if (unlikely(btrfs_item_size(leaf, slot) != 0)) {
2133 generic_err(leaf, slot,
2134 "invalid item size for free space info, has %u expect 0",
2135 btrfs_item_size(leaf, slot));
2136 return -EUCLEAN;
2137 }
2138 return 0;
2139 }
2140
check_free_space_bitmap(struct extent_buffer * leaf,struct btrfs_key * key,int slot)2141 static int check_free_space_bitmap(struct extent_buffer *leaf,
2142 struct btrfs_key *key, int slot)
2143 {
2144 struct btrfs_fs_info *fs_info = leaf->fs_info;
2145 const u32 blocksize = fs_info->sectorsize;
2146 u32 expected_item_size;
2147
2148 if (unlikely(!IS_ALIGNED(key->objectid, blocksize))) {
2149 generic_err(leaf, slot,
2150 "free space bitmap key objectid is not aligned to %u, has " BTRFS_KEY_FMT,
2151 blocksize, BTRFS_KEY_FMT_VALUE(key));
2152 return -EUCLEAN;
2153 }
2154 if (unlikely(!IS_ALIGNED(key->offset, blocksize))) {
2155 generic_err(leaf, slot,
2156 "free space bitmap key offset is not aligned to %u, has " BTRFS_KEY_FMT,
2157 blocksize, BTRFS_KEY_FMT_VALUE(key));
2158 return -EUCLEAN;
2159 }
2160 if (unlikely(key->offset == 0)) {
2161 generic_err(leaf, slot, "free space bitmap length is 0");
2162 return -EUCLEAN;
2163 }
2164 /*
2165 * The item must hold exactly the right number of bitmap bytes for the
2166 * range described by key->offset. A mismatch means the item was
2167 * truncated or the key is corrupt; either way the bitmap data is not
2168 * safe to access.
2169 */
2170 expected_item_size = DIV_ROUND_UP(key->offset >> fs_info->sectorsize_bits,
2171 BITS_PER_BYTE);
2172 if (unlikely(btrfs_item_size(leaf, slot) != expected_item_size)) {
2173 generic_err(leaf, slot,
2174 "invalid item size for free space bitmap, has %u expect %u",
2175 btrfs_item_size(leaf, slot), expected_item_size);
2176 return -EUCLEAN;
2177 }
2178 return 0;
2179 }
2180
2181 /*
2182 * Common point to switch the item-specific validation.
2183 */
check_leaf_item(struct extent_buffer * leaf,struct btrfs_key * key,int slot,struct btrfs_key * prev_key)2184 static enum btrfs_tree_block_status check_leaf_item(struct extent_buffer *leaf,
2185 struct btrfs_key *key,
2186 int slot,
2187 struct btrfs_key *prev_key)
2188 {
2189 int ret = 0;
2190 struct btrfs_chunk *chunk;
2191
2192 switch (key->type) {
2193 case BTRFS_EXTENT_DATA_KEY:
2194 ret = check_extent_data_item(leaf, key, slot, prev_key);
2195 break;
2196 case BTRFS_EXTENT_CSUM_KEY:
2197 ret = check_csum_item(leaf, key, slot, prev_key);
2198 break;
2199 case BTRFS_DIR_ITEM_KEY:
2200 case BTRFS_DIR_INDEX_KEY:
2201 case BTRFS_XATTR_ITEM_KEY:
2202 ret = check_dir_item(leaf, key, prev_key, slot);
2203 break;
2204 case BTRFS_INODE_REF_KEY:
2205 ret = check_inode_ref(leaf, key, prev_key, slot);
2206 break;
2207 case BTRFS_INODE_EXTREF_KEY:
2208 ret = check_inode_extref(leaf, key, prev_key, slot);
2209 break;
2210 case BTRFS_BLOCK_GROUP_ITEM_KEY:
2211 ret = check_block_group_item(leaf, key, slot);
2212 break;
2213 case BTRFS_CHUNK_ITEM_KEY:
2214 chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk);
2215 ret = check_leaf_chunk_item(leaf, chunk, key, slot);
2216 break;
2217 case BTRFS_DEV_ITEM_KEY:
2218 ret = check_dev_item(leaf, key, slot);
2219 break;
2220 case BTRFS_DEV_EXTENT_KEY:
2221 ret = check_dev_extent_item(leaf, key, slot, prev_key);
2222 break;
2223 case BTRFS_INODE_ITEM_KEY:
2224 ret = check_inode_item(leaf, key, slot);
2225 break;
2226 case BTRFS_ROOT_ITEM_KEY:
2227 ret = check_root_item(leaf, key, slot);
2228 break;
2229 case BTRFS_EXTENT_ITEM_KEY:
2230 case BTRFS_METADATA_ITEM_KEY:
2231 ret = check_extent_item(leaf, key, slot, prev_key);
2232 break;
2233 case BTRFS_TREE_BLOCK_REF_KEY:
2234 case BTRFS_SHARED_DATA_REF_KEY:
2235 case BTRFS_SHARED_BLOCK_REF_KEY:
2236 ret = check_simple_keyed_refs(leaf, key, slot);
2237 break;
2238 case BTRFS_EXTENT_DATA_REF_KEY:
2239 ret = check_extent_data_ref(leaf, key, slot);
2240 break;
2241 case BTRFS_RAID_STRIPE_KEY:
2242 ret = check_raid_stripe_extent(leaf, key, slot);
2243 break;
2244 case BTRFS_FREE_SPACE_INFO_KEY:
2245 ret = check_free_space_info(leaf, key, slot);
2246 break;
2247 case BTRFS_FREE_SPACE_EXTENT_KEY:
2248 ret = check_free_space_extent(leaf, key, slot);
2249 break;
2250 case BTRFS_FREE_SPACE_BITMAP_KEY:
2251 ret = check_free_space_bitmap(leaf, key, slot);
2252 break;
2253 case BTRFS_IDENTITY_REMAP_KEY:
2254 case BTRFS_REMAP_KEY:
2255 case BTRFS_REMAP_BACKREF_KEY:
2256 ret = check_remap_key(leaf, key, slot);
2257 break;
2258 }
2259
2260 if (unlikely(ret))
2261 return BTRFS_TREE_BLOCK_INVALID_ITEM;
2262 return BTRFS_TREE_BLOCK_CLEAN;
2263 }
2264
__btrfs_check_leaf(struct extent_buffer * leaf)2265 enum btrfs_tree_block_status __btrfs_check_leaf(struct extent_buffer *leaf)
2266 {
2267 struct btrfs_fs_info *fs_info = leaf->fs_info;
2268 /* No valid key type is 0, so all key should be larger than this key */
2269 struct btrfs_key prev_key = {0, 0, 0};
2270 struct btrfs_key key;
2271 u32 nritems = btrfs_header_nritems(leaf);
2272 int slot;
2273
2274 if (unlikely(btrfs_header_level(leaf) != 0)) {
2275 generic_err(leaf, 0,
2276 "invalid level for leaf, have %d expect 0",
2277 btrfs_header_level(leaf));
2278 return BTRFS_TREE_BLOCK_INVALID_LEVEL;
2279 }
2280
2281 if (unlikely(!btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_WRITTEN))) {
2282 generic_err(leaf, 0, "invalid flag for leaf, WRITTEN not set");
2283 return BTRFS_TREE_BLOCK_WRITTEN_NOT_SET;
2284 }
2285
2286 /*
2287 * Extent buffers from a relocation tree have a owner field that
2288 * corresponds to the subvolume tree they are based on. So just from an
2289 * extent buffer alone we can not find out what is the id of the
2290 * corresponding subvolume tree, so we can not figure out if the extent
2291 * buffer corresponds to the root of the relocation tree or not. So
2292 * skip this check for relocation trees.
2293 */
2294 if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
2295 u64 owner = btrfs_header_owner(leaf);
2296
2297 /* These trees must never be empty */
2298 if (unlikely(owner == BTRFS_ROOT_TREE_OBJECTID ||
2299 owner == BTRFS_CHUNK_TREE_OBJECTID ||
2300 owner == BTRFS_DEV_TREE_OBJECTID ||
2301 owner == BTRFS_FS_TREE_OBJECTID ||
2302 owner == BTRFS_DATA_RELOC_TREE_OBJECTID)) {
2303 generic_err(leaf, 0,
2304 "invalid root, root %llu must never be empty",
2305 owner);
2306 return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
2307 }
2308
2309 /* Unknown tree */
2310 if (unlikely(owner == 0)) {
2311 generic_err(leaf, 0,
2312 "invalid owner, root 0 is not defined");
2313 return BTRFS_TREE_BLOCK_INVALID_OWNER;
2314 }
2315
2316 /* EXTENT_TREE_V2 can have empty extent trees. */
2317 if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2))
2318 return BTRFS_TREE_BLOCK_CLEAN;
2319
2320 if (unlikely(owner == BTRFS_EXTENT_TREE_OBJECTID)) {
2321 generic_err(leaf, 0,
2322 "invalid root, root %llu must never be empty",
2323 owner);
2324 return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
2325 }
2326
2327 return BTRFS_TREE_BLOCK_CLEAN;
2328 }
2329
2330 if (unlikely(nritems == 0))
2331 return BTRFS_TREE_BLOCK_CLEAN;
2332
2333 /*
2334 * Check the following things to make sure this is a good leaf, and
2335 * leaf users won't need to bother with similar sanity checks:
2336 *
2337 * 1) key ordering
2338 * 2) item offset and size
2339 * No overlap, no hole, all inside the leaf.
2340 * 3) item content
2341 * If possible, do comprehensive sanity check.
2342 * NOTE: All checks must only rely on the item data itself.
2343 */
2344 for (slot = 0; slot < nritems; slot++) {
2345 u32 item_end_expected;
2346 u64 item_data_end;
2347 enum btrfs_tree_block_status ret;
2348
2349 btrfs_item_key_to_cpu(leaf, &key, slot);
2350
2351 /* Make sure the keys are in the right order */
2352 if (unlikely(btrfs_comp_cpu_keys(&prev_key, &key) >= 0)) {
2353 generic_err(leaf, slot,
2354 "bad key order, prev " BTRFS_KEY_FMT " current " BTRFS_KEY_FMT,
2355 BTRFS_KEY_FMT_VALUE(&prev_key),
2356 BTRFS_KEY_FMT_VALUE(&key));
2357 return BTRFS_TREE_BLOCK_BAD_KEY_ORDER;
2358 }
2359
2360 item_data_end = (u64)btrfs_item_offset(leaf, slot) +
2361 btrfs_item_size(leaf, slot);
2362 /*
2363 * Make sure the offset and ends are right, remember that the
2364 * item data starts at the end of the leaf and grows towards the
2365 * front.
2366 */
2367 if (slot == 0)
2368 item_end_expected = BTRFS_LEAF_DATA_SIZE(fs_info);
2369 else
2370 item_end_expected = btrfs_item_offset(leaf,
2371 slot - 1);
2372 if (unlikely(item_data_end != item_end_expected)) {
2373 generic_err(leaf, slot,
2374 "unexpected item end, have %llu expect %u",
2375 item_data_end, item_end_expected);
2376 return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
2377 }
2378
2379 /*
2380 * Check to make sure that we don't point outside of the leaf,
2381 * just in case all the items are consistent to each other, but
2382 * all point outside of the leaf.
2383 */
2384 if (unlikely(item_data_end > BTRFS_LEAF_DATA_SIZE(fs_info))) {
2385 generic_err(leaf, slot,
2386 "slot end outside of leaf, have %llu expect range [0, %u]",
2387 item_data_end, BTRFS_LEAF_DATA_SIZE(fs_info));
2388 return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
2389 }
2390
2391 /* Also check if the item pointer overlaps with btrfs item. */
2392 if (unlikely(btrfs_item_ptr_offset(leaf, slot) <
2393 btrfs_item_nr_offset(leaf, slot) + sizeof(struct btrfs_item))) {
2394 generic_err(leaf, slot,
2395 "slot overlaps with its data, item end %lu data start %lu",
2396 btrfs_item_nr_offset(leaf, slot) +
2397 sizeof(struct btrfs_item),
2398 btrfs_item_ptr_offset(leaf, slot));
2399 return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
2400 }
2401
2402 /* Check if the item size and content meet other criteria. */
2403 ret = check_leaf_item(leaf, &key, slot, &prev_key);
2404 if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
2405 return ret;
2406
2407 prev_key.objectid = key.objectid;
2408 prev_key.type = key.type;
2409 prev_key.offset = key.offset;
2410 }
2411
2412 return BTRFS_TREE_BLOCK_CLEAN;
2413 }
2414
btrfs_check_leaf(struct extent_buffer * leaf)2415 int btrfs_check_leaf(struct extent_buffer *leaf)
2416 {
2417 enum btrfs_tree_block_status ret;
2418
2419 ret = __btrfs_check_leaf(leaf);
2420 if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
2421 return -EUCLEAN;
2422 return 0;
2423 }
2424 ALLOW_ERROR_INJECTION(btrfs_check_leaf, ERRNO);
2425
__btrfs_check_node(struct extent_buffer * node)2426 enum btrfs_tree_block_status __btrfs_check_node(struct extent_buffer *node)
2427 {
2428 struct btrfs_fs_info *fs_info = node->fs_info;
2429 unsigned long nr = btrfs_header_nritems(node);
2430 struct btrfs_key key, next_key;
2431 int slot;
2432 int level = btrfs_header_level(node);
2433 u64 bytenr;
2434
2435 if (unlikely(!btrfs_header_flag(node, BTRFS_HEADER_FLAG_WRITTEN))) {
2436 generic_err(node, 0, "invalid flag for node, WRITTEN not set");
2437 return BTRFS_TREE_BLOCK_WRITTEN_NOT_SET;
2438 }
2439
2440 if (unlikely(level <= 0 || level >= BTRFS_MAX_LEVEL)) {
2441 generic_err(node, 0,
2442 "invalid level for node, have %d expect [1, %d]",
2443 level, BTRFS_MAX_LEVEL - 1);
2444 return BTRFS_TREE_BLOCK_INVALID_LEVEL;
2445 }
2446 if (unlikely(nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(fs_info))) {
2447 btrfs_crit(fs_info,
2448 "corrupt node: root=%llu block=%llu, nritems too %s, have %lu expect range [1,%u]",
2449 btrfs_header_owner(node), node->start,
2450 nr == 0 ? "small" : "large", nr,
2451 BTRFS_NODEPTRS_PER_BLOCK(fs_info));
2452 return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
2453 }
2454
2455 for (slot = 0; slot < nr - 1; slot++) {
2456 bytenr = btrfs_node_blockptr(node, slot);
2457 btrfs_node_key_to_cpu(node, &key, slot);
2458 btrfs_node_key_to_cpu(node, &next_key, slot + 1);
2459
2460 if (unlikely(!bytenr)) {
2461 generic_err(node, slot,
2462 "invalid NULL node pointer");
2463 return BTRFS_TREE_BLOCK_INVALID_BLOCKPTR;
2464 }
2465 if (unlikely(!IS_ALIGNED(bytenr, fs_info->sectorsize))) {
2466 generic_err(node, slot,
2467 "unaligned pointer, have %llu should be aligned to %u",
2468 bytenr, fs_info->sectorsize);
2469 return BTRFS_TREE_BLOCK_INVALID_BLOCKPTR;
2470 }
2471
2472 if (unlikely(btrfs_comp_cpu_keys(&key, &next_key) >= 0)) {
2473 generic_err(node, slot,
2474 "bad key order, current " BTRFS_KEY_FMT " next " BTRFS_KEY_FMT,
2475 BTRFS_KEY_FMT_VALUE(&key),
2476 BTRFS_KEY_FMT_VALUE(&next_key));
2477 return BTRFS_TREE_BLOCK_BAD_KEY_ORDER;
2478 }
2479 }
2480 return BTRFS_TREE_BLOCK_CLEAN;
2481 }
2482
btrfs_check_node(struct extent_buffer * node)2483 int btrfs_check_node(struct extent_buffer *node)
2484 {
2485 enum btrfs_tree_block_status ret;
2486
2487 ret = __btrfs_check_node(node);
2488 if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
2489 return -EUCLEAN;
2490 return 0;
2491 }
2492 ALLOW_ERROR_INJECTION(btrfs_check_node, ERRNO);
2493
btrfs_check_eb_owner(const struct extent_buffer * eb,u64 root_owner)2494 int btrfs_check_eb_owner(const struct extent_buffer *eb, u64 root_owner)
2495 {
2496 const bool is_subvol = btrfs_is_fstree(root_owner);
2497 const u64 eb_owner = btrfs_header_owner(eb);
2498
2499 /*
2500 * Skip dummy fs, as selftests don't create unique ebs for each dummy
2501 * root.
2502 */
2503 if (btrfs_is_testing(eb->fs_info))
2504 return 0;
2505 /*
2506 * There are several call sites (backref walking, qgroup, and data
2507 * reloc) passing 0 as @root_owner, as they are not holding the
2508 * tree root. In that case, we can not do a reliable ownership check,
2509 * so just exit.
2510 */
2511 if (root_owner == 0)
2512 return 0;
2513 /*
2514 * These trees use key.offset as their owner, our callers don't have
2515 * the extra capacity to pass key.offset here. So we just skip them.
2516 */
2517 if (root_owner == BTRFS_TREE_LOG_OBJECTID ||
2518 root_owner == BTRFS_TREE_RELOC_OBJECTID)
2519 return 0;
2520
2521 if (!is_subvol) {
2522 /* For non-subvolume trees, the eb owner should match root owner */
2523 if (unlikely(root_owner != eb_owner)) {
2524 btrfs_crit(eb->fs_info,
2525 "corrupted %s, root=%llu block=%llu owner mismatch, have %llu expect %llu",
2526 btrfs_header_level(eb) == 0 ? "leaf" : "node",
2527 root_owner, btrfs_header_bytenr(eb), eb_owner,
2528 root_owner);
2529 return -EUCLEAN;
2530 }
2531 return 0;
2532 }
2533
2534 /*
2535 * For subvolume trees, owners can mismatch, but they should all belong
2536 * to subvolume trees.
2537 */
2538 if (unlikely(is_subvol != btrfs_is_fstree(eb_owner))) {
2539 btrfs_crit(eb->fs_info,
2540 "corrupted %s, root=%llu block=%llu owner mismatch, have %llu expect [%llu, %llu]",
2541 btrfs_header_level(eb) == 0 ? "leaf" : "node",
2542 root_owner, btrfs_header_bytenr(eb), eb_owner,
2543 BTRFS_FIRST_FREE_OBJECTID, BTRFS_LAST_FREE_OBJECTID);
2544 return -EUCLEAN;
2545 }
2546 return 0;
2547 }
2548
btrfs_verify_level_key(struct extent_buffer * eb,const struct btrfs_tree_parent_check * check)2549 int btrfs_verify_level_key(struct extent_buffer *eb,
2550 const struct btrfs_tree_parent_check *check)
2551 {
2552 struct btrfs_fs_info *fs_info = eb->fs_info;
2553 int found_level;
2554 struct btrfs_key found_key;
2555 int ret;
2556
2557 found_level = btrfs_header_level(eb);
2558 if (unlikely(found_level != check->level)) {
2559 DEBUG_WARN();
2560 btrfs_err(fs_info,
2561 "tree level mismatch detected, bytenr=%llu level expected=%u has=%u",
2562 eb->start, check->level, found_level);
2563 return -EUCLEAN;
2564 }
2565
2566 if (!check->has_first_key)
2567 return 0;
2568
2569 /*
2570 * For live tree block (new tree blocks in current transaction),
2571 * we need proper lock context to avoid race, which is impossible here.
2572 * So we only checks tree blocks which is read from disk, whose
2573 * generation <= fs_info->last_trans_committed.
2574 */
2575 if (btrfs_header_generation(eb) > btrfs_get_last_trans_committed(fs_info))
2576 return 0;
2577
2578 /* We have @first_key, so this @eb must have at least one item */
2579 if (unlikely(btrfs_header_nritems(eb) == 0)) {
2580 btrfs_err(fs_info,
2581 "invalid tree nritems, bytenr=%llu nritems=0 expect >0",
2582 eb->start);
2583 DEBUG_WARN();
2584 return -EUCLEAN;
2585 }
2586
2587 if (found_level)
2588 btrfs_node_key_to_cpu(eb, &found_key, 0);
2589 else
2590 btrfs_item_key_to_cpu(eb, &found_key, 0);
2591
2592 ret = btrfs_comp_cpu_keys(&check->first_key, &found_key);
2593 if (unlikely(ret)) {
2594 DEBUG_WARN();
2595 btrfs_err(fs_info,
2596 "tree first key mismatch detected, bytenr=%llu parent_transid=%llu key expected=(%llu,%u,%llu) has=(%llu,%u,%llu)",
2597 eb->start, check->transid, check->first_key.objectid,
2598 check->first_key.type, check->first_key.offset,
2599 found_key.objectid, found_key.type,
2600 found_key.offset);
2601 }
2602 return ret;
2603 }
2604