Line data Source code
1 : // SPDX-License-Identifier: GPL-2.0
2 : /*
3 : * Copyright (C) Qu Wenruo 2017. All rights reserved.
4 : */
5 :
6 : /*
7 : * The module is used to catch unexpected/corrupted tree block data.
8 : * Such behavior can be caused either by a fuzzed image or bugs.
9 : *
10 : * The objective is to do leaf/node validation checks when tree block is read
11 : * from disk, and check *every* possible member, so other code won't
12 : * need to checking them again.
13 : *
14 : * Due to the potential and unwanted damage, every checker needs to be
15 : * carefully reviewed otherwise so it does not prevent mount of valid images.
16 : */
17 :
18 : #include <linux/types.h>
19 : #include <linux/stddef.h>
20 : #include <linux/error-injection.h>
21 : #include "messages.h"
22 : #include "ctree.h"
23 : #include "tree-checker.h"
24 : #include "disk-io.h"
25 : #include "compression.h"
26 : #include "volumes.h"
27 : #include "misc.h"
28 : #include "fs.h"
29 : #include "accessors.h"
30 : #include "file-item.h"
31 : #include "inode-item.h"
32 :
33 : /*
34 : * Error message should follow the following format:
35 : * corrupt <type>: <identifier>, <reason>[, <bad_value>]
36 : *
37 : * @type: leaf or node
38 : * @identifier: the necessary info to locate the leaf/node.
39 : * It's recommended to decode key.objecitd/offset if it's
40 : * meaningful.
41 : * @reason: describe the error
42 : * @bad_value: optional, it's recommended to output bad value and its
43 : * expected value (range).
44 : *
45 : * Since comma is used to separate the components, only space is allowed
46 : * inside each component.
47 : */
48 :
49 : /*
50 : * Append generic "corrupt leaf/node root=%llu block=%llu slot=%d: " to @fmt.
51 : * Allows callers to customize the output.
52 : */
53 : __printf(3, 4)
54 : __cold
55 0 : static void generic_err(const struct extent_buffer *eb, int slot,
56 : const char *fmt, ...)
57 : {
58 0 : const struct btrfs_fs_info *fs_info = eb->fs_info;
59 0 : struct va_format vaf;
60 0 : va_list args;
61 :
62 0 : va_start(args, fmt);
63 :
64 0 : vaf.fmt = fmt;
65 0 : vaf.va = &args;
66 :
67 0 : btrfs_crit(fs_info,
68 : "corrupt %s: root=%llu block=%llu slot=%d, %pV",
69 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
70 : btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot, &vaf);
71 0 : va_end(args);
72 0 : }
73 :
74 : /*
75 : * Customized reporter for extent data item, since its key objectid and
76 : * offset has its own meaning.
77 : */
78 : __printf(3, 4)
79 : __cold
80 0 : static void file_extent_err(const struct extent_buffer *eb, int slot,
81 : const char *fmt, ...)
82 : {
83 0 : const struct btrfs_fs_info *fs_info = eb->fs_info;
84 0 : struct btrfs_key key;
85 0 : struct va_format vaf;
86 0 : va_list args;
87 :
88 0 : btrfs_item_key_to_cpu(eb, &key, slot);
89 0 : va_start(args, fmt);
90 :
91 0 : vaf.fmt = fmt;
92 0 : vaf.va = &args;
93 :
94 0 : btrfs_crit(fs_info,
95 : "corrupt %s: root=%llu block=%llu slot=%d ino=%llu file_offset=%llu, %pV",
96 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
97 : btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
98 : key.objectid, key.offset, &vaf);
99 0 : va_end(args);
100 0 : }
101 :
102 : /*
103 : * Return 0 if the btrfs_file_extent_##name is aligned to @alignment
104 : * Else return 1
105 : */
106 : #define CHECK_FE_ALIGNED(leaf, slot, fi, name, alignment) \
107 : ({ \
108 : if (unlikely(!IS_ALIGNED(btrfs_file_extent_##name((leaf), (fi)), \
109 : (alignment)))) \
110 : file_extent_err((leaf), (slot), \
111 : "invalid %s for file extent, have %llu, should be aligned to %u", \
112 : (#name), btrfs_file_extent_##name((leaf), (fi)), \
113 : (alignment)); \
114 : (!IS_ALIGNED(btrfs_file_extent_##name((leaf), (fi)), (alignment))); \
115 : })
116 :
117 133038774 : static u64 file_extent_end(struct extent_buffer *leaf,
118 : struct btrfs_key *key,
119 : struct btrfs_file_extent_item *extent)
120 : {
121 133038774 : u64 end;
122 133038774 : u64 len;
123 :
124 133038774 : if (btrfs_file_extent_type(leaf, extent) == BTRFS_FILE_EXTENT_INLINE) {
125 136 : len = btrfs_file_extent_ram_bytes(leaf, extent);
126 136 : end = ALIGN(key->offset + len, leaf->fs_info->sectorsize);
127 : } else {
128 133038479 : len = btrfs_file_extent_num_bytes(leaf, extent);
129 133038476 : end = key->offset + len;
130 : }
131 133038612 : return end;
132 : }
133 :
134 : /*
135 : * Customized report for dir_item, the only new important information is
136 : * key->objectid, which represents inode number
137 : */
138 : __printf(3, 4)
139 : __cold
140 0 : static void dir_item_err(const struct extent_buffer *eb, int slot,
141 : const char *fmt, ...)
142 : {
143 0 : const struct btrfs_fs_info *fs_info = eb->fs_info;
144 0 : struct btrfs_key key;
145 0 : struct va_format vaf;
146 0 : va_list args;
147 :
148 0 : btrfs_item_key_to_cpu(eb, &key, slot);
149 0 : va_start(args, fmt);
150 :
151 0 : vaf.fmt = fmt;
152 0 : vaf.va = &args;
153 :
154 0 : btrfs_crit(fs_info,
155 : "corrupt %s: root=%llu block=%llu slot=%d ino=%llu, %pV",
156 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
157 : btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
158 : key.objectid, &vaf);
159 0 : va_end(args);
160 0 : }
161 :
162 : /*
163 : * This functions checks prev_key->objectid, to ensure current key and prev_key
164 : * share the same objectid as inode number.
165 : *
166 : * This is to detect missing INODE_ITEM in subvolume trees.
167 : *
168 : * Return true if everything is OK or we don't need to check.
169 : * Return false if anything is wrong.
170 : */
171 326355832 : static bool check_prev_ino(struct extent_buffer *leaf,
172 : struct btrfs_key *key, int slot,
173 : struct btrfs_key *prev_key)
174 : {
175 : /* No prev key, skip check */
176 326355832 : if (slot == 0)
177 : return true;
178 :
179 : /* Only these key->types needs to be checked */
180 323119171 : ASSERT(key->type == BTRFS_XATTR_ITEM_KEY ||
181 : key->type == BTRFS_INODE_REF_KEY ||
182 : key->type == BTRFS_DIR_INDEX_KEY ||
183 : key->type == BTRFS_DIR_ITEM_KEY ||
184 : key->type == BTRFS_EXTENT_DATA_KEY);
185 :
186 : /*
187 : * Only subvolume trees along with their reloc trees need this check.
188 : * Things like log tree doesn't follow this ino requirement.
189 : */
190 323119171 : if (!is_fstree(btrfs_header_owner(leaf)))
191 : return true;
192 :
193 313930779 : if (key->objectid == prev_key->objectid)
194 : return true;
195 :
196 : /* Error found */
197 0 : dir_item_err(leaf, slot,
198 : "invalid previous key objectid, have %llu expect %llu",
199 : prev_key->objectid, key->objectid);
200 0 : return false;
201 : }
202 155678942 : static int check_extent_data_item(struct extent_buffer *leaf,
203 : struct btrfs_key *key, int slot,
204 : struct btrfs_key *prev_key)
205 : {
206 155678942 : struct btrfs_fs_info *fs_info = leaf->fs_info;
207 155678942 : struct btrfs_file_extent_item *fi;
208 155678942 : u32 sectorsize = fs_info->sectorsize;
209 155678942 : u32 item_size = btrfs_item_size(leaf, slot);
210 155677515 : u64 extent_end;
211 :
212 155677515 : if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
213 0 : file_extent_err(leaf, slot,
214 : "unaligned file_offset for file extent, have %llu should be aligned to %u",
215 : key->offset, sectorsize);
216 0 : return -EUCLEAN;
217 : }
218 :
219 : /*
220 : * Previous key must have the same key->objectid (ino).
221 : * It can be XATTR_ITEM, INODE_ITEM or just another EXTENT_DATA.
222 : * But if objectids mismatch, it means we have a missing
223 : * INODE_ITEM.
224 : */
225 155677515 : if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
226 : return -EUCLEAN;
227 :
228 155678523 : fi = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);
229 :
230 : /*
231 : * Make sure the item contains at least inline header, so the file
232 : * extent type is not some garbage.
233 : */
234 155677791 : if (unlikely(item_size < BTRFS_FILE_EXTENT_INLINE_DATA_START)) {
235 0 : file_extent_err(leaf, slot,
236 : "invalid item size, have %u expect [%zu, %u)",
237 : item_size, BTRFS_FILE_EXTENT_INLINE_DATA_START,
238 : SZ_4K);
239 0 : return -EUCLEAN;
240 : }
241 155677791 : if (unlikely(btrfs_file_extent_type(leaf, fi) >=
242 : BTRFS_NR_FILE_EXTENT_TYPES)) {
243 0 : file_extent_err(leaf, slot,
244 : "invalid type for file extent, have %u expect range [0, %u]",
245 : btrfs_file_extent_type(leaf, fi),
246 : BTRFS_NR_FILE_EXTENT_TYPES - 1);
247 0 : return -EUCLEAN;
248 : }
249 :
250 : /*
251 : * Support for new compression/encryption must introduce incompat flag,
252 : * and must be caught in open_ctree().
253 : */
254 155676258 : if (unlikely(btrfs_file_extent_compression(leaf, fi) >=
255 : BTRFS_NR_COMPRESS_TYPES)) {
256 0 : file_extent_err(leaf, slot,
257 : "invalid compression for file extent, have %u expect range [0, %u]",
258 : btrfs_file_extent_compression(leaf, fi),
259 : BTRFS_NR_COMPRESS_TYPES - 1);
260 0 : return -EUCLEAN;
261 : }
262 155675887 : if (unlikely(btrfs_file_extent_encryption(leaf, fi))) {
263 0 : file_extent_err(leaf, slot,
264 : "invalid encryption for file extent, have %u expect 0",
265 : btrfs_file_extent_encryption(leaf, fi));
266 0 : return -EUCLEAN;
267 : }
268 155675464 : if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) {
269 : /* Inline extent must have 0 as key offset */
270 4966068 : if (unlikely(key->offset)) {
271 0 : file_extent_err(leaf, slot,
272 : "invalid file_offset for inline file extent, have %llu expect 0",
273 : key->offset);
274 0 : return -EUCLEAN;
275 : }
276 :
277 : /* Compressed inline extent has no on-disk size, skip it */
278 4966068 : if (btrfs_file_extent_compression(leaf, fi) !=
279 : BTRFS_COMPRESS_NONE)
280 : return 0;
281 :
282 : /* Uncompressed inline extent size must match item size */
283 4965960 : if (unlikely(item_size != BTRFS_FILE_EXTENT_INLINE_DATA_START +
284 : btrfs_file_extent_ram_bytes(leaf, fi))) {
285 0 : file_extent_err(leaf, slot,
286 : "invalid ram_bytes for uncompressed inline extent, have %u expect %llu",
287 : item_size, BTRFS_FILE_EXTENT_INLINE_DATA_START +
288 : btrfs_file_extent_ram_bytes(leaf, fi));
289 0 : return -EUCLEAN;
290 : }
291 : return 0;
292 : }
293 :
294 : /* Regular or preallocated extent has fixed item size */
295 150710419 : if (unlikely(item_size != sizeof(*fi))) {
296 0 : file_extent_err(leaf, slot,
297 : "invalid item size for reg/prealloc file extent, have %u expect %zu",
298 : item_size, sizeof(*fi));
299 0 : return -EUCLEAN;
300 : }
301 150710419 : if (unlikely(CHECK_FE_ALIGNED(leaf, slot, fi, ram_bytes, sectorsize) ||
302 : CHECK_FE_ALIGNED(leaf, slot, fi, disk_bytenr, sectorsize) ||
303 : CHECK_FE_ALIGNED(leaf, slot, fi, disk_num_bytes, sectorsize) ||
304 : CHECK_FE_ALIGNED(leaf, slot, fi, offset, sectorsize) ||
305 : CHECK_FE_ALIGNED(leaf, slot, fi, num_bytes, sectorsize)))
306 0 : return -EUCLEAN;
307 :
308 : /* Catch extent end overflow */
309 150708656 : if (unlikely(check_add_overflow(btrfs_file_extent_num_bytes(leaf, fi),
310 : key->offset, &extent_end))) {
311 0 : file_extent_err(leaf, slot,
312 : "extent end overflow, have file offset %llu extent num bytes %llu",
313 : key->offset,
314 : btrfs_file_extent_num_bytes(leaf, fi));
315 0 : return -EUCLEAN;
316 : }
317 :
318 : /*
319 : * Check that no two consecutive file extent items, in the same leaf,
320 : * present ranges that overlap each other.
321 : */
322 150709876 : if (slot > 0 &&
323 149145395 : prev_key->objectid == key->objectid &&
324 149145506 : prev_key->type == BTRFS_EXTENT_DATA_KEY) {
325 133038369 : struct btrfs_file_extent_item *prev_fi;
326 133038369 : u64 prev_end;
327 :
328 133038369 : prev_fi = btrfs_item_ptr(leaf, slot - 1,
329 : struct btrfs_file_extent_item);
330 133038308 : prev_end = file_extent_end(leaf, prev_key, prev_fi);
331 133038923 : if (unlikely(prev_end > key->offset)) {
332 0 : file_extent_err(leaf, slot - 1,
333 : "file extent end range (%llu) goes beyond start offset (%llu) of the next file extent",
334 : prev_end, key->offset);
335 0 : return -EUCLEAN;
336 : }
337 : }
338 :
339 : return 0;
340 : }
341 :
342 133555456 : static int check_csum_item(struct extent_buffer *leaf, struct btrfs_key *key,
343 : int slot, struct btrfs_key *prev_key)
344 : {
345 133555456 : struct btrfs_fs_info *fs_info = leaf->fs_info;
346 133555456 : u32 sectorsize = fs_info->sectorsize;
347 133555456 : const u32 csumsize = fs_info->csum_size;
348 :
349 133555456 : if (unlikely(key->objectid != BTRFS_EXTENT_CSUM_OBJECTID)) {
350 0 : generic_err(leaf, slot,
351 : "invalid key objectid for csum item, have %llu expect %llu",
352 : key->objectid, BTRFS_EXTENT_CSUM_OBJECTID);
353 0 : return -EUCLEAN;
354 : }
355 133555456 : if (unlikely(!IS_ALIGNED(key->offset, sectorsize))) {
356 0 : generic_err(leaf, slot,
357 : "unaligned key offset for csum item, have %llu should be aligned to %u",
358 : key->offset, sectorsize);
359 0 : return -EUCLEAN;
360 : }
361 133555456 : if (unlikely(!IS_ALIGNED(btrfs_item_size(leaf, slot), csumsize))) {
362 0 : generic_err(leaf, slot,
363 : "unaligned item size for csum item, have %u should be aligned to %u",
364 : btrfs_item_size(leaf, slot), csumsize);
365 0 : return -EUCLEAN;
366 : }
367 133555409 : if (slot > 0 && prev_key->type == BTRFS_EXTENT_CSUM_KEY) {
368 132731267 : u64 prev_csum_end;
369 132731267 : u32 prev_item_size;
370 :
371 132731267 : prev_item_size = btrfs_item_size(leaf, slot - 1);
372 132731239 : prev_csum_end = (prev_item_size / csumsize) * sectorsize;
373 132731239 : prev_csum_end += prev_key->offset;
374 132731239 : if (unlikely(prev_csum_end > key->offset)) {
375 0 : generic_err(leaf, slot - 1,
376 : "csum end range (%llu) goes beyond the start range (%llu) of the next csum item",
377 : prev_csum_end, key->offset);
378 0 : return -EUCLEAN;
379 : }
380 : }
381 : return 0;
382 : }
383 :
384 : /* Inode item error output has the same format as dir_item_err() */
385 : #define inode_item_err(eb, slot, fmt, ...) \
386 : dir_item_err(eb, slot, fmt, __VA_ARGS__)
387 :
388 168412760 : static int check_inode_key(struct extent_buffer *leaf, struct btrfs_key *key,
389 : int slot)
390 : {
391 168412760 : struct btrfs_key item_key;
392 168412760 : bool is_inode_item;
393 :
394 168412760 : btrfs_item_key_to_cpu(leaf, &item_key, slot);
395 168412953 : is_inode_item = (item_key.type == BTRFS_INODE_ITEM_KEY);
396 :
397 : /* For XATTR_ITEM, location key should be all 0 */
398 168412953 : if (item_key.type == BTRFS_XATTR_ITEM_KEY) {
399 11680668 : if (unlikely(key->objectid != 0 || key->type != 0 ||
400 : key->offset != 0))
401 : return -EUCLEAN;
402 11680668 : return 0;
403 : }
404 :
405 156732285 : if (unlikely((key->objectid < BTRFS_FIRST_FREE_OBJECTID ||
406 : key->objectid > BTRFS_LAST_FREE_OBJECTID) &&
407 : key->objectid != BTRFS_ROOT_TREE_DIR_OBJECTID &&
408 : key->objectid != BTRFS_FREE_INO_OBJECTID)) {
409 0 : if (is_inode_item) {
410 0 : generic_err(leaf, slot,
411 : "invalid key objectid: has %llu expect %llu or [%llu, %llu] or %llu",
412 : key->objectid, BTRFS_ROOT_TREE_DIR_OBJECTID,
413 : BTRFS_FIRST_FREE_OBJECTID,
414 : BTRFS_LAST_FREE_OBJECTID,
415 : BTRFS_FREE_INO_OBJECTID);
416 : } else {
417 0 : dir_item_err(leaf, slot,
418 : "invalid location key objectid: has %llu expect %llu or [%llu, %llu] or %llu",
419 : key->objectid, BTRFS_ROOT_TREE_DIR_OBJECTID,
420 : BTRFS_FIRST_FREE_OBJECTID,
421 : BTRFS_LAST_FREE_OBJECTID,
422 : BTRFS_FREE_INO_OBJECTID);
423 : }
424 0 : return -EUCLEAN;
425 : }
426 156732285 : if (unlikely(key->offset != 0)) {
427 0 : if (is_inode_item)
428 0 : inode_item_err(leaf, slot,
429 : "invalid key offset: has %llu expect 0",
430 : key->offset);
431 : else
432 0 : dir_item_err(leaf, slot,
433 : "invalid location key offset:has %llu expect 0",
434 : key->offset);
435 0 : return -EUCLEAN;
436 : }
437 : return 0;
438 : }
439 :
440 2129395 : static int check_root_key(struct extent_buffer *leaf, struct btrfs_key *key,
441 : int slot)
442 : {
443 2129395 : struct btrfs_key item_key;
444 2129395 : bool is_root_item;
445 :
446 2129395 : btrfs_item_key_to_cpu(leaf, &item_key, slot);
447 2129395 : is_root_item = (item_key.type == BTRFS_ROOT_ITEM_KEY);
448 :
449 : /* No such tree id */
450 2129395 : if (unlikely(key->objectid == 0)) {
451 0 : if (is_root_item)
452 0 : generic_err(leaf, slot, "invalid root id 0");
453 : else
454 0 : dir_item_err(leaf, slot,
455 : "invalid location key root id 0");
456 0 : return -EUCLEAN;
457 : }
458 :
459 : /* DIR_ITEM/INDEX/INODE_REF is not allowed to point to non-fs trees */
460 4258790 : if (unlikely(!is_fstree(key->objectid) && !is_root_item)) {
461 0 : dir_item_err(leaf, slot,
462 : "invalid location key objectid, have %llu expect [%llu, %llu]",
463 : key->objectid, BTRFS_FIRST_FREE_OBJECTID,
464 : BTRFS_LAST_FREE_OBJECTID);
465 0 : return -EUCLEAN;
466 : }
467 :
468 : /*
469 : * ROOT_ITEM with non-zero offset means this is a snapshot, created at
470 : * @offset transid.
471 : * Furthermore, for location key in DIR_ITEM, its offset is always -1.
472 : *
473 : * So here we only check offset for reloc tree whose key->offset must
474 : * be a valid tree.
475 : */
476 2129395 : if (unlikely(key->objectid == BTRFS_TREE_RELOC_OBJECTID &&
477 : key->offset == 0)) {
478 0 : generic_err(leaf, slot, "invalid root id 0 for reloc tree");
479 0 : return -EUCLEAN;
480 : }
481 : return 0;
482 : }
483 :
484 127820181 : static int check_dir_item(struct extent_buffer *leaf,
485 : struct btrfs_key *key, struct btrfs_key *prev_key,
486 : int slot)
487 : {
488 127820181 : struct btrfs_fs_info *fs_info = leaf->fs_info;
489 127820181 : struct btrfs_dir_item *di;
490 127820181 : u32 item_size = btrfs_item_size(leaf, slot);
491 127820028 : u32 cur = 0;
492 :
493 127820028 : if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
494 : return -EUCLEAN;
495 :
496 127820069 : di = btrfs_item_ptr(leaf, slot, struct btrfs_dir_item);
497 255688372 : while (cur < item_size) {
498 127868247 : struct btrfs_key location_key;
499 127868247 : u32 name_len;
500 127868247 : u32 data_len;
501 127868247 : u32 max_name_len;
502 127868247 : u32 total_size;
503 127868247 : u32 name_hash;
504 127868247 : u8 dir_type;
505 127868247 : int ret;
506 :
507 : /* header itself should not cross item boundary */
508 127868247 : if (unlikely(cur + sizeof(*di) > item_size)) {
509 0 : dir_item_err(leaf, slot,
510 : "dir item header crosses item boundary, have %zu boundary %u",
511 : cur + sizeof(*di), item_size);
512 0 : return -EUCLEAN;
513 : }
514 :
515 : /* Location key check */
516 127868247 : btrfs_dir_item_key_to_cpu(leaf, di, &location_key);
517 127868281 : if (location_key.type == BTRFS_ROOT_ITEM_KEY) {
518 365233 : ret = check_root_key(leaf, &location_key, slot);
519 365233 : if (unlikely(ret < 0))
520 0 : return ret;
521 127503048 : } else if (location_key.type == BTRFS_INODE_ITEM_KEY ||
522 : location_key.type == 0) {
523 127503048 : ret = check_inode_key(leaf, &location_key, slot);
524 127503182 : if (unlikely(ret < 0))
525 0 : return ret;
526 : } else {
527 0 : dir_item_err(leaf, slot,
528 : "invalid location key type, have %u, expect %u or %u",
529 : location_key.type, BTRFS_ROOT_ITEM_KEY,
530 : BTRFS_INODE_ITEM_KEY);
531 0 : return -EUCLEAN;
532 : }
533 :
534 : /* dir type check */
535 127868415 : dir_type = btrfs_dir_ftype(leaf, di);
536 127868363 : if (unlikely(dir_type >= BTRFS_FT_MAX)) {
537 0 : dir_item_err(leaf, slot,
538 : "invalid dir item type, have %u expect [0, %u)",
539 : dir_type, BTRFS_FT_MAX);
540 0 : return -EUCLEAN;
541 : }
542 :
543 127868363 : if (unlikely(key->type == BTRFS_XATTR_ITEM_KEY &&
544 : dir_type != BTRFS_FT_XATTR)) {
545 0 : dir_item_err(leaf, slot,
546 : "invalid dir item type for XATTR key, have %u expect %u",
547 : dir_type, BTRFS_FT_XATTR);
548 0 : return -EUCLEAN;
549 : }
550 127868363 : if (unlikely(dir_type == BTRFS_FT_XATTR &&
551 : key->type != BTRFS_XATTR_ITEM_KEY)) {
552 0 : dir_item_err(leaf, slot,
553 : "xattr dir type found for non-XATTR key");
554 0 : return -EUCLEAN;
555 : }
556 127868363 : if (dir_type == BTRFS_FT_XATTR)
557 : max_name_len = XATTR_NAME_MAX;
558 : else
559 : max_name_len = BTRFS_NAME_LEN;
560 :
561 : /* Name/data length check */
562 127868363 : name_len = btrfs_dir_name_len(leaf, di);
563 127868266 : data_len = btrfs_dir_data_len(leaf, di);
564 127868238 : if (unlikely(name_len > max_name_len)) {
565 0 : dir_item_err(leaf, slot,
566 : "dir item name len too long, have %u max %u",
567 : name_len, max_name_len);
568 0 : return -EUCLEAN;
569 : }
570 127868238 : if (unlikely(name_len + data_len > BTRFS_MAX_XATTR_SIZE(fs_info))) {
571 0 : dir_item_err(leaf, slot,
572 : "dir item name and data len too long, have %u max %u",
573 : name_len + data_len,
574 : BTRFS_MAX_XATTR_SIZE(fs_info));
575 0 : return -EUCLEAN;
576 : }
577 :
578 127868238 : if (unlikely(data_len && dir_type != BTRFS_FT_XATTR)) {
579 0 : dir_item_err(leaf, slot,
580 : "dir item with invalid data len, have %u expect 0",
581 : data_len);
582 0 : return -EUCLEAN;
583 : }
584 :
585 127868238 : total_size = sizeof(*di) + name_len + data_len;
586 :
587 : /* header and name/data should not cross item boundary */
588 127868238 : if (unlikely(cur + total_size > item_size)) {
589 0 : dir_item_err(leaf, slot,
590 : "dir item data crosses item boundary, have %u boundary %u",
591 : cur + total_size, item_size);
592 0 : return -EUCLEAN;
593 : }
594 :
595 : /*
596 : * Special check for XATTR/DIR_ITEM, as key->offset is name
597 : * hash, should match its name
598 : */
599 127868238 : if (key->type == BTRFS_DIR_ITEM_KEY ||
600 : key->type == BTRFS_XATTR_ITEM_KEY) {
601 78918500 : char namebuf[max(BTRFS_NAME_LEN, XATTR_NAME_MAX)];
602 :
603 78918500 : read_extent_buffer(leaf, namebuf,
604 78918500 : (unsigned long)(di + 1), name_len);
605 78918492 : name_hash = btrfs_name_hash(namebuf, name_len);
606 78918596 : if (unlikely(key->offset != name_hash)) {
607 0 : dir_item_err(leaf, slot,
608 : "name hash mismatch with key, have 0x%016x expect 0x%016llx",
609 : name_hash, key->offset);
610 0 : return -EUCLEAN;
611 : }
612 : }
613 127868334 : cur += total_size;
614 127868334 : di = (struct btrfs_dir_item *)((void *)di + total_size);
615 : }
616 : return 0;
617 : }
618 :
619 : __printf(3, 4)
620 : __cold
621 0 : static void block_group_err(const struct extent_buffer *eb, int slot,
622 : const char *fmt, ...)
623 : {
624 0 : const struct btrfs_fs_info *fs_info = eb->fs_info;
625 0 : struct btrfs_key key;
626 0 : struct va_format vaf;
627 0 : va_list args;
628 :
629 0 : btrfs_item_key_to_cpu(eb, &key, slot);
630 0 : va_start(args, fmt);
631 :
632 0 : vaf.fmt = fmt;
633 0 : vaf.va = &args;
634 :
635 0 : btrfs_crit(fs_info,
636 : "corrupt %s: root=%llu block=%llu slot=%d bg_start=%llu bg_len=%llu, %pV",
637 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
638 : btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
639 : key.objectid, key.offset, &vaf);
640 0 : va_end(args);
641 0 : }
642 :
643 679667 : static int check_block_group_item(struct extent_buffer *leaf,
644 : struct btrfs_key *key, int slot)
645 : {
646 679667 : struct btrfs_fs_info *fs_info = leaf->fs_info;
647 679667 : struct btrfs_block_group_item bgi;
648 679667 : u32 item_size = btrfs_item_size(leaf, slot);
649 679667 : u64 chunk_objectid;
650 679667 : u64 flags;
651 679667 : u64 type;
652 :
653 : /*
654 : * Here we don't really care about alignment since extent allocator can
655 : * handle it. We care more about the size.
656 : */
657 679667 : if (unlikely(key->offset == 0)) {
658 0 : block_group_err(leaf, slot,
659 : "invalid block group size 0");
660 0 : return -EUCLEAN;
661 : }
662 :
663 679667 : if (unlikely(item_size != sizeof(bgi))) {
664 0 : block_group_err(leaf, slot,
665 : "invalid item size, have %u expect %zu",
666 : item_size, sizeof(bgi));
667 0 : return -EUCLEAN;
668 : }
669 :
670 679667 : read_extent_buffer(leaf, &bgi, btrfs_item_ptr_offset(leaf, slot),
671 : sizeof(bgi));
672 679667 : chunk_objectid = btrfs_stack_block_group_chunk_objectid(&bgi);
673 679667 : if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2)) {
674 : /*
675 : * We don't init the nr_global_roots until we load the global
676 : * roots, so this could be 0 at mount time. If it's 0 we'll
677 : * just assume we're fine, and later we'll check against our
678 : * actual value.
679 : */
680 0 : if (unlikely(fs_info->nr_global_roots &&
681 : chunk_objectid >= fs_info->nr_global_roots)) {
682 0 : block_group_err(leaf, slot,
683 : "invalid block group global root id, have %llu, needs to be <= %llu",
684 : chunk_objectid,
685 : fs_info->nr_global_roots);
686 0 : return -EUCLEAN;
687 : }
688 679667 : } else if (unlikely(chunk_objectid != BTRFS_FIRST_CHUNK_TREE_OBJECTID)) {
689 0 : block_group_err(leaf, slot,
690 : "invalid block group chunk objectid, have %llu expect %llu",
691 : btrfs_stack_block_group_chunk_objectid(&bgi),
692 : BTRFS_FIRST_CHUNK_TREE_OBJECTID);
693 0 : return -EUCLEAN;
694 : }
695 :
696 679667 : if (unlikely(btrfs_stack_block_group_used(&bgi) > key->offset)) {
697 0 : block_group_err(leaf, slot,
698 : "invalid block group used, have %llu expect [0, %llu)",
699 : btrfs_stack_block_group_used(&bgi), key->offset);
700 0 : return -EUCLEAN;
701 : }
702 :
703 679667 : flags = btrfs_stack_block_group_flags(&bgi);
704 679667 : if (unlikely(hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK) > 1)) {
705 0 : block_group_err(leaf, slot,
706 : "invalid profile flags, have 0x%llx (%lu bits set) expect no more than 1 bit set",
707 : flags & BTRFS_BLOCK_GROUP_PROFILE_MASK,
708 0 : hweight64(flags & BTRFS_BLOCK_GROUP_PROFILE_MASK));
709 0 : return -EUCLEAN;
710 : }
711 :
712 679667 : type = flags & BTRFS_BLOCK_GROUP_TYPE_MASK;
713 679667 : if (unlikely(type != BTRFS_BLOCK_GROUP_DATA &&
714 : type != BTRFS_BLOCK_GROUP_METADATA &&
715 : type != BTRFS_BLOCK_GROUP_SYSTEM &&
716 : type != (BTRFS_BLOCK_GROUP_METADATA |
717 : BTRFS_BLOCK_GROUP_DATA))) {
718 0 : block_group_err(leaf, slot,
719 : "invalid type, have 0x%llx (%lu bits set) expect either 0x%llx, 0x%llx, 0x%llx or 0x%llx",
720 0 : type, hweight64(type),
721 : BTRFS_BLOCK_GROUP_DATA, BTRFS_BLOCK_GROUP_METADATA,
722 : BTRFS_BLOCK_GROUP_SYSTEM,
723 : BTRFS_BLOCK_GROUP_METADATA | BTRFS_BLOCK_GROUP_DATA);
724 0 : return -EUCLEAN;
725 : }
726 : return 0;
727 : }
728 :
729 : __printf(4, 5)
730 : __cold
731 0 : static void chunk_err(const struct extent_buffer *leaf,
732 : const struct btrfs_chunk *chunk, u64 logical,
733 : const char *fmt, ...)
734 : {
735 0 : const struct btrfs_fs_info *fs_info = leaf->fs_info;
736 0 : bool is_sb;
737 0 : struct va_format vaf;
738 0 : va_list args;
739 0 : int i;
740 0 : int slot = -1;
741 :
742 : /* Only superblock eb is able to have such small offset */
743 0 : is_sb = (leaf->start == BTRFS_SUPER_INFO_OFFSET);
744 :
745 0 : if (!is_sb) {
746 : /*
747 : * Get the slot number by iterating through all slots, this
748 : * would provide better readability.
749 : */
750 0 : for (i = 0; i < btrfs_header_nritems(leaf); i++) {
751 0 : if (btrfs_item_ptr_offset(leaf, i) ==
752 0 : (unsigned long)chunk) {
753 : slot = i;
754 : break;
755 : }
756 : }
757 : }
758 0 : va_start(args, fmt);
759 0 : vaf.fmt = fmt;
760 0 : vaf.va = &args;
761 :
762 0 : if (is_sb)
763 0 : btrfs_crit(fs_info,
764 : "corrupt superblock syschunk array: chunk_start=%llu, %pV",
765 : logical, &vaf);
766 : else
767 0 : btrfs_crit(fs_info,
768 : "corrupt leaf: root=%llu block=%llu slot=%d chunk_start=%llu, %pV",
769 : BTRFS_CHUNK_TREE_OBJECTID, leaf->start, slot,
770 : logical, &vaf);
771 0 : va_end(args);
772 0 : }
773 :
774 : /*
775 : * The common chunk check which could also work on super block sys chunk array.
776 : *
777 : * Return -EUCLEAN if anything is corrupted.
778 : * Return 0 if everything is OK.
779 : */
780 33685 : int btrfs_check_chunk_valid(struct extent_buffer *leaf,
781 : struct btrfs_chunk *chunk, u64 logical)
782 : {
783 33685 : struct btrfs_fs_info *fs_info = leaf->fs_info;
784 33685 : u64 length;
785 33685 : u64 chunk_end;
786 33685 : u64 stripe_len;
787 33685 : u16 num_stripes;
788 33685 : u16 sub_stripes;
789 33685 : u64 type;
790 33685 : u64 features;
791 33685 : bool mixed = false;
792 33685 : int raid_index;
793 33685 : int nparity;
794 33685 : int ncopies;
795 :
796 33685 : length = btrfs_chunk_length(leaf, chunk);
797 33685 : stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
798 33685 : num_stripes = btrfs_chunk_num_stripes(leaf, chunk);
799 33685 : sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk);
800 33685 : type = btrfs_chunk_type(leaf, chunk);
801 33685 : raid_index = btrfs_bg_flags_to_raid_index(type);
802 33685 : ncopies = btrfs_raid_array[raid_index].ncopies;
803 33685 : nparity = btrfs_raid_array[raid_index].nparity;
804 :
805 33685 : if (unlikely(!num_stripes)) {
806 0 : chunk_err(leaf, chunk, logical,
807 : "invalid chunk num_stripes, have %u", num_stripes);
808 0 : return -EUCLEAN;
809 : }
810 33685 : if (unlikely(num_stripes < ncopies)) {
811 0 : chunk_err(leaf, chunk, logical,
812 : "invalid chunk num_stripes < ncopies, have %u < %d",
813 : num_stripes, ncopies);
814 0 : return -EUCLEAN;
815 : }
816 33685 : if (unlikely(nparity && num_stripes == nparity)) {
817 0 : chunk_err(leaf, chunk, logical,
818 : "invalid chunk num_stripes == nparity, have %u == %d",
819 : num_stripes, nparity);
820 0 : return -EUCLEAN;
821 : }
822 33685 : if (unlikely(!IS_ALIGNED(logical, fs_info->sectorsize))) {
823 0 : chunk_err(leaf, chunk, logical,
824 : "invalid chunk logical, have %llu should aligned to %u",
825 : logical, fs_info->sectorsize);
826 0 : return -EUCLEAN;
827 : }
828 33685 : if (unlikely(btrfs_chunk_sector_size(leaf, chunk) != fs_info->sectorsize)) {
829 0 : chunk_err(leaf, chunk, logical,
830 : "invalid chunk sectorsize, have %u expect %u",
831 : btrfs_chunk_sector_size(leaf, chunk),
832 : fs_info->sectorsize);
833 0 : return -EUCLEAN;
834 : }
835 33685 : if (unlikely(!length || !IS_ALIGNED(length, fs_info->sectorsize))) {
836 0 : chunk_err(leaf, chunk, logical,
837 : "invalid chunk length, have %llu", length);
838 0 : return -EUCLEAN;
839 : }
840 33685 : if (unlikely(check_add_overflow(logical, length, &chunk_end))) {
841 0 : chunk_err(leaf, chunk, logical,
842 : "invalid chunk logical start and length, have logical start %llu length %llu",
843 : logical, length);
844 0 : return -EUCLEAN;
845 : }
846 67370 : if (unlikely(!is_power_of_2(stripe_len) || stripe_len != BTRFS_STRIPE_LEN)) {
847 0 : chunk_err(leaf, chunk, logical,
848 : "invalid chunk stripe length: %llu",
849 : stripe_len);
850 0 : return -EUCLEAN;
851 : }
852 : /*
853 : * We artificially limit the chunk size, so that the number of stripes
854 : * inside a chunk can be fit into a U32. The current limit (256G) is
855 : * way too large for real world usage anyway, and it's also much larger
856 : * than our existing limit (10G).
857 : *
858 : * Thus it should be a good way to catch obvious bitflips.
859 : */
860 33685 : if (unlikely(length >= btrfs_stripe_nr_to_offset(U32_MAX))) {
861 0 : chunk_err(leaf, chunk, logical,
862 : "chunk length too large: have %llu limit %llu",
863 : length, btrfs_stripe_nr_to_offset(U32_MAX));
864 0 : return -EUCLEAN;
865 : }
866 33685 : if (unlikely(type & ~(BTRFS_BLOCK_GROUP_TYPE_MASK |
867 : BTRFS_BLOCK_GROUP_PROFILE_MASK))) {
868 0 : chunk_err(leaf, chunk, logical,
869 : "unrecognized chunk type: 0x%llx",
870 : ~(BTRFS_BLOCK_GROUP_TYPE_MASK |
871 : BTRFS_BLOCK_GROUP_PROFILE_MASK) &
872 : btrfs_chunk_type(leaf, chunk));
873 0 : return -EUCLEAN;
874 : }
875 :
876 67370 : if (unlikely(!has_single_bit_set(type & BTRFS_BLOCK_GROUP_PROFILE_MASK) &&
877 : (type & BTRFS_BLOCK_GROUP_PROFILE_MASK) != 0)) {
878 0 : chunk_err(leaf, chunk, logical,
879 : "invalid chunk profile flag: 0x%llx, expect 0 or 1 bit set",
880 : type & BTRFS_BLOCK_GROUP_PROFILE_MASK);
881 0 : return -EUCLEAN;
882 : }
883 33685 : if (unlikely((type & BTRFS_BLOCK_GROUP_TYPE_MASK) == 0)) {
884 0 : chunk_err(leaf, chunk, logical,
885 : "missing chunk type flag, have 0x%llx one bit must be set in 0x%llx",
886 : type, BTRFS_BLOCK_GROUP_TYPE_MASK);
887 0 : return -EUCLEAN;
888 : }
889 :
890 33685 : if (unlikely((type & BTRFS_BLOCK_GROUP_SYSTEM) &&
891 : (type & (BTRFS_BLOCK_GROUP_METADATA |
892 : BTRFS_BLOCK_GROUP_DATA)))) {
893 0 : chunk_err(leaf, chunk, logical,
894 : "system chunk with data or metadata type: 0x%llx",
895 : type);
896 0 : return -EUCLEAN;
897 : }
898 :
899 33685 : features = btrfs_super_incompat_flags(fs_info->super_copy);
900 33685 : if (features & BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS)
901 : mixed = true;
902 :
903 33245 : if (!mixed) {
904 33245 : if (unlikely((type & BTRFS_BLOCK_GROUP_METADATA) &&
905 : (type & BTRFS_BLOCK_GROUP_DATA))) {
906 0 : chunk_err(leaf, chunk, logical,
907 : "mixed chunk type in non-mixed mode: 0x%llx", type);
908 0 : return -EUCLEAN;
909 : }
910 : }
911 :
912 33685 : if (unlikely((type & BTRFS_BLOCK_GROUP_RAID10 &&
913 : sub_stripes != btrfs_raid_array[BTRFS_RAID_RAID10].sub_stripes) ||
914 : (type & BTRFS_BLOCK_GROUP_RAID1 &&
915 : num_stripes != btrfs_raid_array[BTRFS_RAID_RAID1].devs_min) ||
916 : (type & BTRFS_BLOCK_GROUP_RAID1C3 &&
917 : num_stripes != btrfs_raid_array[BTRFS_RAID_RAID1C3].devs_min) ||
918 : (type & BTRFS_BLOCK_GROUP_RAID1C4 &&
919 : num_stripes != btrfs_raid_array[BTRFS_RAID_RAID1C4].devs_min) ||
920 : (type & BTRFS_BLOCK_GROUP_RAID5 &&
921 : num_stripes < btrfs_raid_array[BTRFS_RAID_RAID5].devs_min) ||
922 : (type & BTRFS_BLOCK_GROUP_RAID6 &&
923 : num_stripes < btrfs_raid_array[BTRFS_RAID_RAID6].devs_min) ||
924 : (type & BTRFS_BLOCK_GROUP_DUP &&
925 : num_stripes != btrfs_raid_array[BTRFS_RAID_DUP].dev_stripes) ||
926 : ((type & BTRFS_BLOCK_GROUP_PROFILE_MASK) == 0 &&
927 : num_stripes != btrfs_raid_array[BTRFS_RAID_SINGLE].dev_stripes))) {
928 0 : chunk_err(leaf, chunk, logical,
929 : "invalid num_stripes:sub_stripes %u:%u for profile %llu",
930 : num_stripes, sub_stripes,
931 : type & BTRFS_BLOCK_GROUP_PROFILE_MASK);
932 0 : return -EUCLEAN;
933 : }
934 :
935 : return 0;
936 : }
937 :
938 : /*
939 : * Enhanced version of chunk item checker.
940 : *
941 : * The common btrfs_check_chunk_valid() doesn't check item size since it needs
942 : * to work on super block sys_chunk_array which doesn't have full item ptr.
943 : */
944 30469 : static int check_leaf_chunk_item(struct extent_buffer *leaf,
945 : struct btrfs_chunk *chunk,
946 : struct btrfs_key *key, int slot)
947 : {
948 30469 : int num_stripes;
949 :
950 30469 : if (unlikely(btrfs_item_size(leaf, slot) < sizeof(struct btrfs_chunk))) {
951 0 : chunk_err(leaf, chunk, key->offset,
952 : "invalid chunk item size: have %u expect [%zu, %u)",
953 : btrfs_item_size(leaf, slot),
954 : sizeof(struct btrfs_chunk),
955 0 : BTRFS_LEAF_DATA_SIZE(leaf->fs_info));
956 0 : return -EUCLEAN;
957 : }
958 :
959 30469 : num_stripes = btrfs_chunk_num_stripes(leaf, chunk);
960 : /* Let btrfs_check_chunk_valid() handle this error type */
961 30469 : if (num_stripes == 0)
962 0 : goto out;
963 :
964 30469 : if (unlikely(btrfs_chunk_item_size(num_stripes) !=
965 : btrfs_item_size(leaf, slot))) {
966 0 : chunk_err(leaf, chunk, key->offset,
967 : "invalid chunk item size: have %u expect %lu",
968 : btrfs_item_size(leaf, slot),
969 : btrfs_chunk_item_size(num_stripes));
970 0 : return -EUCLEAN;
971 : }
972 30469 : out:
973 30469 : return btrfs_check_chunk_valid(leaf, chunk, key->offset);
974 : }
975 :
976 : __printf(3, 4)
977 : __cold
978 0 : static void dev_item_err(const struct extent_buffer *eb, int slot,
979 : const char *fmt, ...)
980 : {
981 0 : struct btrfs_key key;
982 0 : struct va_format vaf;
983 0 : va_list args;
984 :
985 0 : btrfs_item_key_to_cpu(eb, &key, slot);
986 0 : va_start(args, fmt);
987 :
988 0 : vaf.fmt = fmt;
989 0 : vaf.va = &args;
990 :
991 0 : btrfs_crit(eb->fs_info,
992 : "corrupt %s: root=%llu block=%llu slot=%d devid=%llu %pV",
993 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
994 : btrfs_header_owner(eb), btrfs_header_bytenr(eb), slot,
995 : key.objectid, &vaf);
996 0 : va_end(args);
997 0 : }
998 :
999 4624 : static int check_dev_item(struct extent_buffer *leaf,
1000 : struct btrfs_key *key, int slot)
1001 : {
1002 4624 : struct btrfs_dev_item *ditem;
1003 4624 : const u32 item_size = btrfs_item_size(leaf, slot);
1004 :
1005 4624 : if (unlikely(key->objectid != BTRFS_DEV_ITEMS_OBJECTID)) {
1006 0 : dev_item_err(leaf, slot,
1007 : "invalid objectid: has=%llu expect=%llu",
1008 : key->objectid, BTRFS_DEV_ITEMS_OBJECTID);
1009 0 : return -EUCLEAN;
1010 : }
1011 :
1012 4624 : if (unlikely(item_size != sizeof(*ditem))) {
1013 0 : dev_item_err(leaf, slot, "invalid item size: has %u expect %zu",
1014 : item_size, sizeof(*ditem));
1015 0 : return -EUCLEAN;
1016 : }
1017 :
1018 4624 : ditem = btrfs_item_ptr(leaf, slot, struct btrfs_dev_item);
1019 4624 : if (unlikely(btrfs_device_id(leaf, ditem) != key->offset)) {
1020 0 : dev_item_err(leaf, slot,
1021 : "devid mismatch: key has=%llu item has=%llu",
1022 : key->offset, btrfs_device_id(leaf, ditem));
1023 0 : return -EUCLEAN;
1024 : }
1025 :
1026 : /*
1027 : * For device total_bytes, we don't have reliable way to check it, as
1028 : * it can be 0 for device removal. Device size check can only be done
1029 : * by dev extents check.
1030 : */
1031 9248 : if (unlikely(btrfs_device_bytes_used(leaf, ditem) >
1032 : btrfs_device_total_bytes(leaf, ditem))) {
1033 0 : dev_item_err(leaf, slot,
1034 : "invalid bytes used: have %llu expect [0, %llu]",
1035 : btrfs_device_bytes_used(leaf, ditem),
1036 : btrfs_device_total_bytes(leaf, ditem));
1037 0 : return -EUCLEAN;
1038 : }
1039 : /*
1040 : * Remaining members like io_align/type/gen/dev_group aren't really
1041 : * utilized. Skip them to make later usage of them easier.
1042 : */
1043 : return 0;
1044 : }
1045 :
1046 40910153 : static int check_inode_item(struct extent_buffer *leaf,
1047 : struct btrfs_key *key, int slot)
1048 : {
1049 40910153 : struct btrfs_fs_info *fs_info = leaf->fs_info;
1050 40910153 : struct btrfs_inode_item *iitem;
1051 40910153 : u64 super_gen = btrfs_super_generation(fs_info->super_copy);
1052 40910153 : u32 valid_mask = (S_IFMT | S_ISUID | S_ISGID | S_ISVTX | 0777);
1053 40910153 : const u32 item_size = btrfs_item_size(leaf, slot);
1054 40910081 : u32 mode;
1055 40910081 : int ret;
1056 40910081 : u32 flags;
1057 40910081 : u32 ro_flags;
1058 :
1059 40910081 : ret = check_inode_key(leaf, key, slot);
1060 40910165 : if (unlikely(ret < 0))
1061 : return ret;
1062 :
1063 40910165 : if (unlikely(item_size != sizeof(*iitem))) {
1064 0 : generic_err(leaf, slot, "invalid item size: has %u expect %zu",
1065 : item_size, sizeof(*iitem));
1066 0 : return -EUCLEAN;
1067 : }
1068 :
1069 40910165 : iitem = btrfs_item_ptr(leaf, slot, struct btrfs_inode_item);
1070 :
1071 : /* Here we use super block generation + 1 to handle log tree */
1072 40910157 : if (unlikely(btrfs_inode_generation(leaf, iitem) > super_gen + 1)) {
1073 0 : inode_item_err(leaf, slot,
1074 : "invalid inode generation: has %llu expect (0, %llu]",
1075 : btrfs_inode_generation(leaf, iitem),
1076 : super_gen + 1);
1077 0 : return -EUCLEAN;
1078 : }
1079 : /* Note for ROOT_TREE_DIR_ITEM, mkfs could set its transid 0 */
1080 40910153 : if (unlikely(btrfs_inode_transid(leaf, iitem) > super_gen + 1)) {
1081 0 : inode_item_err(leaf, slot,
1082 : "invalid inode transid: has %llu expect [0, %llu]",
1083 : btrfs_inode_transid(leaf, iitem), super_gen + 1);
1084 0 : return -EUCLEAN;
1085 : }
1086 :
1087 : /*
1088 : * For size and nbytes it's better not to be too strict, as for dir
1089 : * item its size/nbytes can easily get wrong, but doesn't affect
1090 : * anything in the fs. So here we skip the check.
1091 : */
1092 40910135 : mode = btrfs_inode_mode(leaf, iitem);
1093 40910119 : if (unlikely(mode & ~valid_mask)) {
1094 0 : inode_item_err(leaf, slot,
1095 : "unknown mode bit detected: 0x%x",
1096 : mode & ~valid_mask);
1097 0 : return -EUCLEAN;
1098 : }
1099 :
1100 : /*
1101 : * S_IFMT is not bit mapped so we can't completely rely on
1102 : * is_power_of_2/has_single_bit_set, but it can save us from checking
1103 : * FIFO/CHR/DIR/REG. Only needs to check BLK, LNK and SOCKS
1104 : */
1105 81820238 : if (!has_single_bit_set(mode & S_IFMT)) {
1106 3931938 : if (unlikely(!S_ISLNK(mode) && !S_ISBLK(mode) && !S_ISSOCK(mode))) {
1107 0 : inode_item_err(leaf, slot,
1108 : "invalid mode: has 0%o expect valid S_IF* bit(s)",
1109 : mode & S_IFMT);
1110 0 : return -EUCLEAN;
1111 : }
1112 : }
1113 46239576 : if (unlikely(S_ISDIR(mode) && btrfs_inode_nlink(leaf, iitem) > 1)) {
1114 0 : inode_item_err(leaf, slot,
1115 : "invalid nlink: has %u expect no more than 1 for dir",
1116 : btrfs_inode_nlink(leaf, iitem));
1117 0 : return -EUCLEAN;
1118 : }
1119 40910120 : btrfs_inode_split_flags(btrfs_inode_flags(leaf, iitem), &flags, &ro_flags);
1120 40910138 : if (unlikely(flags & ~BTRFS_INODE_FLAG_MASK)) {
1121 0 : inode_item_err(leaf, slot,
1122 : "unknown incompat flags detected: 0x%x", flags);
1123 0 : return -EUCLEAN;
1124 : }
1125 40910138 : if (unlikely(!sb_rdonly(fs_info->sb) &&
1126 : (ro_flags & ~BTRFS_INODE_RO_FLAG_MASK))) {
1127 0 : inode_item_err(leaf, slot,
1128 : "unknown ro-compat flags detected on writeable mount: 0x%x",
1129 : ro_flags);
1130 0 : return -EUCLEAN;
1131 : }
1132 : return 0;
1133 : }
1134 :
1135 1764162 : static int check_root_item(struct extent_buffer *leaf, struct btrfs_key *key,
1136 : int slot)
1137 : {
1138 1764162 : struct btrfs_fs_info *fs_info = leaf->fs_info;
1139 1764162 : struct btrfs_root_item ri = { 0 };
1140 1764162 : const u64 valid_root_flags = BTRFS_ROOT_SUBVOL_RDONLY |
1141 : BTRFS_ROOT_SUBVOL_DEAD;
1142 1764162 : int ret;
1143 :
1144 1764162 : ret = check_root_key(leaf, key, slot);
1145 1764162 : if (unlikely(ret < 0))
1146 : return ret;
1147 :
1148 1764162 : if (unlikely(btrfs_item_size(leaf, slot) != sizeof(ri) &&
1149 : btrfs_item_size(leaf, slot) !=
1150 : btrfs_legacy_root_item_size())) {
1151 0 : generic_err(leaf, slot,
1152 : "invalid root item size, have %u expect %zu or %u",
1153 : btrfs_item_size(leaf, slot), sizeof(ri),
1154 : btrfs_legacy_root_item_size());
1155 0 : return -EUCLEAN;
1156 : }
1157 :
1158 : /*
1159 : * For legacy root item, the members starting at generation_v2 will be
1160 : * all filled with 0.
1161 : * And since we allow geneartion_v2 as 0, it will still pass the check.
1162 : */
1163 1764162 : read_extent_buffer(leaf, &ri, btrfs_item_ptr_offset(leaf, slot),
1164 : btrfs_item_size(leaf, slot));
1165 :
1166 : /* Generation related */
1167 1764162 : if (unlikely(btrfs_root_generation(&ri) >
1168 : btrfs_super_generation(fs_info->super_copy) + 1)) {
1169 0 : generic_err(leaf, slot,
1170 : "invalid root generation, have %llu expect (0, %llu]",
1171 : btrfs_root_generation(&ri),
1172 : btrfs_super_generation(fs_info->super_copy) + 1);
1173 0 : return -EUCLEAN;
1174 : }
1175 1764162 : if (unlikely(btrfs_root_generation_v2(&ri) >
1176 : btrfs_super_generation(fs_info->super_copy) + 1)) {
1177 0 : generic_err(leaf, slot,
1178 : "invalid root v2 generation, have %llu expect (0, %llu]",
1179 : btrfs_root_generation_v2(&ri),
1180 : btrfs_super_generation(fs_info->super_copy) + 1);
1181 0 : return -EUCLEAN;
1182 : }
1183 1764162 : if (unlikely(btrfs_root_last_snapshot(&ri) >
1184 : btrfs_super_generation(fs_info->super_copy) + 1)) {
1185 0 : generic_err(leaf, slot,
1186 : "invalid root last_snapshot, have %llu expect (0, %llu]",
1187 : btrfs_root_last_snapshot(&ri),
1188 : btrfs_super_generation(fs_info->super_copy) + 1);
1189 0 : return -EUCLEAN;
1190 : }
1191 :
1192 : /* Alignment and level check */
1193 1764162 : if (unlikely(!IS_ALIGNED(btrfs_root_bytenr(&ri), fs_info->sectorsize))) {
1194 0 : generic_err(leaf, slot,
1195 : "invalid root bytenr, have %llu expect to be aligned to %u",
1196 : btrfs_root_bytenr(&ri), fs_info->sectorsize);
1197 0 : return -EUCLEAN;
1198 : }
1199 1764162 : if (unlikely(btrfs_root_level(&ri) >= BTRFS_MAX_LEVEL)) {
1200 0 : generic_err(leaf, slot,
1201 : "invalid root level, have %u expect [0, %u]",
1202 : btrfs_root_level(&ri), BTRFS_MAX_LEVEL - 1);
1203 0 : return -EUCLEAN;
1204 : }
1205 1764162 : if (unlikely(btrfs_root_drop_level(&ri) >= BTRFS_MAX_LEVEL)) {
1206 0 : generic_err(leaf, slot,
1207 : "invalid root level, have %u expect [0, %u]",
1208 : btrfs_root_drop_level(&ri), BTRFS_MAX_LEVEL - 1);
1209 0 : return -EUCLEAN;
1210 : }
1211 :
1212 : /* Flags check */
1213 1764162 : if (unlikely(btrfs_root_flags(&ri) & ~valid_root_flags)) {
1214 0 : generic_err(leaf, slot,
1215 : "invalid root flags, have 0x%llx expect mask 0x%llx",
1216 : btrfs_root_flags(&ri), valid_root_flags);
1217 0 : return -EUCLEAN;
1218 : }
1219 : return 0;
1220 : }
1221 :
1222 : __printf(3,4)
1223 : __cold
1224 0 : static void extent_err(const struct extent_buffer *eb, int slot,
1225 : const char *fmt, ...)
1226 : {
1227 0 : struct btrfs_key key;
1228 0 : struct va_format vaf;
1229 0 : va_list args;
1230 0 : u64 bytenr;
1231 0 : u64 len;
1232 :
1233 0 : btrfs_item_key_to_cpu(eb, &key, slot);
1234 0 : bytenr = key.objectid;
1235 0 : if (key.type == BTRFS_METADATA_ITEM_KEY ||
1236 0 : key.type == BTRFS_TREE_BLOCK_REF_KEY ||
1237 : key.type == BTRFS_SHARED_BLOCK_REF_KEY)
1238 0 : len = eb->fs_info->nodesize;
1239 : else
1240 0 : len = key.offset;
1241 0 : va_start(args, fmt);
1242 :
1243 0 : vaf.fmt = fmt;
1244 0 : vaf.va = &args;
1245 :
1246 0 : btrfs_crit(eb->fs_info,
1247 : "corrupt %s: block=%llu slot=%d extent bytenr=%llu len=%llu %pV",
1248 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
1249 : eb->start, slot, bytenr, len, &vaf);
1250 0 : va_end(args);
1251 0 : }
1252 :
1253 197075177 : static int check_extent_item(struct extent_buffer *leaf,
1254 : struct btrfs_key *key, int slot,
1255 : struct btrfs_key *prev_key)
1256 : {
1257 197075177 : struct btrfs_fs_info *fs_info = leaf->fs_info;
1258 197075177 : struct btrfs_extent_item *ei;
1259 197075177 : bool is_tree_block = false;
1260 197075177 : unsigned long ptr; /* Current pointer inside inline refs */
1261 197075177 : unsigned long end; /* Extent item end */
1262 197075177 : const u32 item_size = btrfs_item_size(leaf, slot);
1263 197074902 : u64 flags;
1264 197074902 : u64 generation;
1265 197074902 : u64 total_refs; /* Total refs in btrfs_extent_item */
1266 197074902 : u64 inline_refs = 0; /* found total inline refs */
1267 :
1268 197074902 : if (unlikely(key->type == BTRFS_METADATA_ITEM_KEY &&
1269 : !btrfs_fs_incompat(fs_info, SKINNY_METADATA))) {
1270 0 : generic_err(leaf, slot,
1271 : "invalid key type, METADATA_ITEM type invalid when SKINNY_METADATA feature disabled");
1272 0 : return -EUCLEAN;
1273 : }
1274 : /* key->objectid is the bytenr for both key types */
1275 197074902 : if (unlikely(!IS_ALIGNED(key->objectid, fs_info->sectorsize))) {
1276 0 : generic_err(leaf, slot,
1277 : "invalid key objectid, have %llu expect to be aligned to %u",
1278 : key->objectid, fs_info->sectorsize);
1279 0 : return -EUCLEAN;
1280 : }
1281 :
1282 : /* key->offset is tree level for METADATA_ITEM_KEY */
1283 197074902 : if (unlikely(key->type == BTRFS_METADATA_ITEM_KEY &&
1284 : key->offset >= BTRFS_MAX_LEVEL)) {
1285 0 : extent_err(leaf, slot,
1286 : "invalid tree level, have %llu expect [0, %u]",
1287 : key->offset, BTRFS_MAX_LEVEL - 1);
1288 0 : return -EUCLEAN;
1289 : }
1290 :
1291 : /*
1292 : * EXTENT/METADATA_ITEM consists of:
1293 : * 1) One btrfs_extent_item
1294 : * Records the total refs, type and generation of the extent.
1295 : *
1296 : * 2) One btrfs_tree_block_info (for EXTENT_ITEM and tree backref only)
1297 : * Records the first key and level of the tree block.
1298 : *
1299 : * 2) Zero or more btrfs_extent_inline_ref(s)
1300 : * Each inline ref has one btrfs_extent_inline_ref shows:
1301 : * 2.1) The ref type, one of the 4
1302 : * TREE_BLOCK_REF Tree block only
1303 : * SHARED_BLOCK_REF Tree block only
1304 : * EXTENT_DATA_REF Data only
1305 : * SHARED_DATA_REF Data only
1306 : * 2.2) Ref type specific data
1307 : * Either using btrfs_extent_inline_ref::offset, or specific
1308 : * data structure.
1309 : */
1310 197074902 : if (unlikely(item_size < sizeof(*ei))) {
1311 0 : extent_err(leaf, slot,
1312 : "invalid item size, have %u expect [%zu, %u)",
1313 : item_size, sizeof(*ei),
1314 : BTRFS_LEAF_DATA_SIZE(fs_info));
1315 0 : return -EUCLEAN;
1316 : }
1317 197074902 : end = item_size + btrfs_item_ptr_offset(leaf, slot);
1318 :
1319 : /* Checks against extent_item */
1320 197074530 : ei = btrfs_item_ptr(leaf, slot, struct btrfs_extent_item);
1321 197074402 : flags = btrfs_extent_flags(leaf, ei);
1322 197074481 : total_refs = btrfs_extent_refs(leaf, ei);
1323 197074329 : generation = btrfs_extent_generation(leaf, ei);
1324 197075389 : if (unlikely(generation >
1325 : btrfs_super_generation(fs_info->super_copy) + 1)) {
1326 0 : extent_err(leaf, slot,
1327 : "invalid generation, have %llu expect (0, %llu]",
1328 : generation,
1329 : btrfs_super_generation(fs_info->super_copy) + 1);
1330 0 : return -EUCLEAN;
1331 : }
1332 394150778 : if (unlikely(!has_single_bit_set(flags & (BTRFS_EXTENT_FLAG_DATA |
1333 : BTRFS_EXTENT_FLAG_TREE_BLOCK)))) {
1334 0 : extent_err(leaf, slot,
1335 : "invalid extent flag, have 0x%llx expect 1 bit set in 0x%llx",
1336 : flags, BTRFS_EXTENT_FLAG_DATA |
1337 : BTRFS_EXTENT_FLAG_TREE_BLOCK);
1338 0 : return -EUCLEAN;
1339 : }
1340 197075389 : is_tree_block = !!(flags & BTRFS_EXTENT_FLAG_TREE_BLOCK);
1341 197075389 : if (is_tree_block) {
1342 115435660 : if (unlikely(key->type == BTRFS_EXTENT_ITEM_KEY &&
1343 : key->offset != fs_info->nodesize)) {
1344 0 : extent_err(leaf, slot,
1345 : "invalid extent length, have %llu expect %u",
1346 : key->offset, fs_info->nodesize);
1347 0 : return -EUCLEAN;
1348 : }
1349 : } else {
1350 81639729 : if (unlikely(key->type != BTRFS_EXTENT_ITEM_KEY)) {
1351 0 : extent_err(leaf, slot,
1352 : "invalid key type, have %u expect %u for data backref",
1353 : key->type, BTRFS_EXTENT_ITEM_KEY);
1354 0 : return -EUCLEAN;
1355 : }
1356 81639729 : if (unlikely(!IS_ALIGNED(key->offset, fs_info->sectorsize))) {
1357 0 : extent_err(leaf, slot,
1358 : "invalid extent length, have %llu expect aligned to %u",
1359 : key->offset, fs_info->sectorsize);
1360 0 : return -EUCLEAN;
1361 : }
1362 81639729 : if (unlikely(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF)) {
1363 0 : extent_err(leaf, slot,
1364 : "invalid extent flag, data has full backref set");
1365 0 : return -EUCLEAN;
1366 : }
1367 : }
1368 197075389 : ptr = (unsigned long)(struct btrfs_extent_item *)(ei + 1);
1369 :
1370 : /* Check the special case of btrfs_tree_block_info */
1371 197075389 : if (is_tree_block && key->type != BTRFS_METADATA_ITEM_KEY) {
1372 0 : struct btrfs_tree_block_info *info;
1373 :
1374 0 : info = (struct btrfs_tree_block_info *)ptr;
1375 0 : if (unlikely(btrfs_tree_block_level(leaf, info) >= BTRFS_MAX_LEVEL)) {
1376 0 : extent_err(leaf, slot,
1377 : "invalid tree block info level, have %u expect [0, %u]",
1378 : btrfs_tree_block_level(leaf, info),
1379 : BTRFS_MAX_LEVEL - 1);
1380 0 : return -EUCLEAN;
1381 : }
1382 0 : ptr = (unsigned long)(struct btrfs_tree_block_info *)(info + 1);
1383 : }
1384 :
1385 : /* Check inline refs */
1386 539066398 : while (ptr < end) {
1387 341992071 : struct btrfs_extent_inline_ref *iref;
1388 341992071 : struct btrfs_extent_data_ref *dref;
1389 341992071 : struct btrfs_shared_data_ref *sref;
1390 341992071 : u64 dref_offset;
1391 341992071 : u64 inline_offset;
1392 341992071 : u8 inline_type;
1393 :
1394 341992071 : if (unlikely(ptr + sizeof(*iref) > end)) {
1395 0 : extent_err(leaf, slot,
1396 : "inline ref item overflows extent item, ptr %lu iref size %zu end %lu",
1397 : ptr, sizeof(*iref), end);
1398 0 : return -EUCLEAN;
1399 : }
1400 341992071 : iref = (struct btrfs_extent_inline_ref *)ptr;
1401 341992071 : inline_type = btrfs_extent_inline_ref_type(leaf, iref);
1402 341988107 : inline_offset = btrfs_extent_inline_ref_offset(leaf, iref);
1403 555766532 : if (unlikely(ptr + btrfs_extent_inline_ref_size(inline_type) > end)) {
1404 0 : extent_err(leaf, slot,
1405 : "inline ref item overflows extent item, ptr %lu iref size %u end %lu",
1406 : ptr, inline_type, end);
1407 0 : return -EUCLEAN;
1408 : }
1409 :
1410 341990595 : switch (inline_type) {
1411 : /* inline_offset is subvolid of the owner, no need to check */
1412 104390940 : case BTRFS_TREE_BLOCK_REF_KEY:
1413 104390940 : inline_refs++;
1414 104390940 : break;
1415 : /* Contains parent bytenr */
1416 23823737 : case BTRFS_SHARED_BLOCK_REF_KEY:
1417 23823737 : if (unlikely(!IS_ALIGNED(inline_offset,
1418 : fs_info->sectorsize))) {
1419 0 : extent_err(leaf, slot,
1420 : "invalid tree parent bytenr, have %llu expect aligned to %u",
1421 : inline_offset, fs_info->sectorsize);
1422 0 : return -EUCLEAN;
1423 : }
1424 23823737 : inline_refs++;
1425 23823737 : break;
1426 : /*
1427 : * Contains owner subvolid, owner key objectid, adjusted offset.
1428 : * The only obvious corruption can happen in that offset.
1429 : */
1430 81961320 : case BTRFS_EXTENT_DATA_REF_KEY:
1431 81961320 : dref = (struct btrfs_extent_data_ref *)(&iref->offset);
1432 81961320 : dref_offset = btrfs_extent_data_ref_offset(leaf, dref);
1433 81961199 : if (unlikely(!IS_ALIGNED(dref_offset,
1434 : fs_info->sectorsize))) {
1435 0 : extent_err(leaf, slot,
1436 : "invalid data ref offset, have %llu expect aligned to %u",
1437 : dref_offset, fs_info->sectorsize);
1438 0 : return -EUCLEAN;
1439 : }
1440 81961199 : inline_refs += btrfs_extent_data_ref_count(leaf, dref);
1441 81961281 : break;
1442 : /* Contains parent bytenr and ref count */
1443 131814598 : case BTRFS_SHARED_DATA_REF_KEY:
1444 131814598 : sref = (struct btrfs_shared_data_ref *)(iref + 1);
1445 131814598 : if (unlikely(!IS_ALIGNED(inline_offset,
1446 : fs_info->sectorsize))) {
1447 0 : extent_err(leaf, slot,
1448 : "invalid data parent bytenr, have %llu expect aligned to %u",
1449 : inline_offset, fs_info->sectorsize);
1450 0 : return -EUCLEAN;
1451 : }
1452 131814598 : inline_refs += btrfs_shared_data_ref_count(leaf, sref);
1453 131815051 : break;
1454 0 : default:
1455 0 : extent_err(leaf, slot, "unknown inline ref type: %u",
1456 : inline_type);
1457 0 : return -EUCLEAN;
1458 : }
1459 555767341 : ptr += btrfs_extent_inline_ref_size(inline_type);
1460 : }
1461 : /* No padding is allowed */
1462 197074327 : if (unlikely(ptr != end)) {
1463 0 : extent_err(leaf, slot,
1464 : "invalid extent item size, padding bytes found");
1465 0 : return -EUCLEAN;
1466 : }
1467 :
1468 : /* Finally, check the inline refs against total refs */
1469 197074327 : if (unlikely(inline_refs > total_refs)) {
1470 0 : extent_err(leaf, slot,
1471 : "invalid extent refs, have %llu expect >= inline %llu",
1472 : total_refs, inline_refs);
1473 0 : return -EUCLEAN;
1474 : }
1475 :
1476 197074327 : if ((prev_key->type == BTRFS_EXTENT_ITEM_KEY) ||
1477 : (prev_key->type == BTRFS_METADATA_ITEM_KEY)) {
1478 193861906 : u64 prev_end = prev_key->objectid;
1479 :
1480 193861906 : if (prev_key->type == BTRFS_METADATA_ITEM_KEY)
1481 114689116 : prev_end += fs_info->nodesize;
1482 : else
1483 79172790 : prev_end += prev_key->offset;
1484 :
1485 193861906 : if (unlikely(prev_end > key->objectid)) {
1486 0 : extent_err(leaf, slot,
1487 : "previous extent [%llu %u %llu] overlaps current extent [%llu %u %llu]",
1488 : prev_key->objectid, prev_key->type,
1489 0 : prev_key->offset, key->objectid, key->type,
1490 : key->offset);
1491 0 : return -EUCLEAN;
1492 : }
1493 : }
1494 :
1495 : return 0;
1496 : }
1497 :
1498 48051783 : static int check_simple_keyed_refs(struct extent_buffer *leaf,
1499 : struct btrfs_key *key, int slot)
1500 : {
1501 48051783 : u32 expect_item_size = 0;
1502 :
1503 48051783 : if (key->type == BTRFS_SHARED_DATA_REF_KEY)
1504 48051788 : expect_item_size = sizeof(struct btrfs_shared_data_ref);
1505 :
1506 48051783 : if (unlikely(btrfs_item_size(leaf, slot) != expect_item_size)) {
1507 0 : generic_err(leaf, slot,
1508 : "invalid item size, have %u expect %u for key type %u",
1509 : btrfs_item_size(leaf, slot),
1510 0 : expect_item_size, key->type);
1511 0 : return -EUCLEAN;
1512 : }
1513 48051677 : if (unlikely(!IS_ALIGNED(key->objectid, leaf->fs_info->sectorsize))) {
1514 0 : generic_err(leaf, slot,
1515 : "invalid key objectid for shared block ref, have %llu expect aligned to %u",
1516 : key->objectid, leaf->fs_info->sectorsize);
1517 0 : return -EUCLEAN;
1518 : }
1519 48051677 : if (unlikely(key->type != BTRFS_TREE_BLOCK_REF_KEY &&
1520 : !IS_ALIGNED(key->offset, leaf->fs_info->sectorsize))) {
1521 0 : extent_err(leaf, slot,
1522 : "invalid tree parent bytenr, have %llu expect aligned to %u",
1523 : key->offset, leaf->fs_info->sectorsize);
1524 0 : return -EUCLEAN;
1525 : }
1526 : return 0;
1527 : }
1528 :
1529 116679076 : static int check_extent_data_ref(struct extent_buffer *leaf,
1530 : struct btrfs_key *key, int slot)
1531 : {
1532 116679076 : struct btrfs_extent_data_ref *dref;
1533 116679076 : unsigned long ptr = btrfs_item_ptr_offset(leaf, slot);
1534 116678901 : const unsigned long end = ptr + btrfs_item_size(leaf, slot);
1535 :
1536 116678826 : if (unlikely(btrfs_item_size(leaf, slot) % sizeof(*dref) != 0)) {
1537 0 : generic_err(leaf, slot,
1538 : "invalid item size, have %u expect aligned to %zu for key type %u",
1539 : btrfs_item_size(leaf, slot),
1540 0 : sizeof(*dref), key->type);
1541 0 : return -EUCLEAN;
1542 : }
1543 116678821 : if (unlikely(!IS_ALIGNED(key->objectid, leaf->fs_info->sectorsize))) {
1544 0 : generic_err(leaf, slot,
1545 : "invalid key objectid for shared block ref, have %llu expect aligned to %u",
1546 : key->objectid, leaf->fs_info->sectorsize);
1547 0 : return -EUCLEAN;
1548 : }
1549 233357745 : for (; ptr < end; ptr += sizeof(*dref)) {
1550 116678811 : u64 offset;
1551 :
1552 : /*
1553 : * We cannot check the extent_data_ref hash due to possible
1554 : * overflow from the leaf due to hash collisions.
1555 : */
1556 116678811 : dref = (struct btrfs_extent_data_ref *)ptr;
1557 116678811 : offset = btrfs_extent_data_ref_offset(leaf, dref);
1558 116678924 : if (unlikely(!IS_ALIGNED(offset, leaf->fs_info->sectorsize))) {
1559 0 : extent_err(leaf, slot,
1560 : "invalid extent data backref offset, have %llu expect aligned to %u",
1561 : offset, leaf->fs_info->sectorsize);
1562 0 : return -EUCLEAN;
1563 : }
1564 : }
1565 : return 0;
1566 : }
1567 :
1568 : #define inode_ref_err(eb, slot, fmt, args...) \
1569 : inode_item_err(eb, slot, fmt, ##args)
1570 42859757 : static int check_inode_ref(struct extent_buffer *leaf,
1571 : struct btrfs_key *key, struct btrfs_key *prev_key,
1572 : int slot)
1573 : {
1574 42859757 : struct btrfs_inode_ref *iref;
1575 42859757 : unsigned long ptr;
1576 42859757 : unsigned long end;
1577 :
1578 42859757 : if (unlikely(!check_prev_ino(leaf, key, slot, prev_key)))
1579 : return -EUCLEAN;
1580 : /* namelen can't be 0, so item_size == sizeof() is also invalid */
1581 42859756 : if (unlikely(btrfs_item_size(leaf, slot) <= sizeof(*iref))) {
1582 0 : inode_ref_err(leaf, slot,
1583 : "invalid item size, have %u expect (%zu, %u)",
1584 : btrfs_item_size(leaf, slot),
1585 : sizeof(*iref), BTRFS_LEAF_DATA_SIZE(leaf->fs_info));
1586 0 : return -EUCLEAN;
1587 : }
1588 :
1589 42859677 : ptr = btrfs_item_ptr_offset(leaf, slot);
1590 42859682 : end = ptr + btrfs_item_size(leaf, slot);
1591 85761822 : while (ptr < end) {
1592 42902143 : u16 namelen;
1593 :
1594 42902143 : if (unlikely(ptr + sizeof(iref) > end)) {
1595 0 : inode_ref_err(leaf, slot,
1596 : "inode ref overflow, ptr %lu end %lu inode_ref_size %zu",
1597 : ptr, end, sizeof(iref));
1598 0 : return -EUCLEAN;
1599 : }
1600 :
1601 42902143 : iref = (struct btrfs_inode_ref *)ptr;
1602 42902143 : namelen = btrfs_inode_ref_name_len(leaf, iref);
1603 42902136 : if (unlikely(ptr + sizeof(*iref) + namelen > end)) {
1604 0 : inode_ref_err(leaf, slot,
1605 : "inode ref overflow, ptr %lu end %lu namelen %u",
1606 : ptr, end, namelen);
1607 0 : return -EUCLEAN;
1608 : }
1609 :
1610 : /*
1611 : * NOTE: In theory we should record all found index numbers
1612 : * to find any duplicated indexes, but that will be too time
1613 : * consuming for inodes with too many hard links.
1614 : */
1615 : ptr += sizeof(*iref) + namelen;
1616 : }
1617 : return 0;
1618 : }
1619 :
1620 : /*
1621 : * Common point to switch the item-specific validation.
1622 : */
1623 883440644 : static enum btrfs_tree_block_status check_leaf_item(struct extent_buffer *leaf,
1624 : struct btrfs_key *key,
1625 : int slot,
1626 : struct btrfs_key *prev_key)
1627 : {
1628 883440644 : int ret = 0;
1629 883440644 : struct btrfs_chunk *chunk;
1630 :
1631 883440644 : switch (key->type) {
1632 155679308 : case BTRFS_EXTENT_DATA_KEY:
1633 155679308 : ret = check_extent_data_item(leaf, key, slot, prev_key);
1634 155679308 : break;
1635 133555440 : case BTRFS_EXTENT_CSUM_KEY:
1636 133555440 : ret = check_csum_item(leaf, key, slot, prev_key);
1637 133555440 : break;
1638 127820160 : case BTRFS_DIR_ITEM_KEY:
1639 : case BTRFS_DIR_INDEX_KEY:
1640 : case BTRFS_XATTR_ITEM_KEY:
1641 127820160 : ret = check_dir_item(leaf, key, prev_key, slot);
1642 127820160 : break;
1643 42859761 : case BTRFS_INODE_REF_KEY:
1644 42859761 : ret = check_inode_ref(leaf, key, prev_key, slot);
1645 42859761 : break;
1646 679667 : case BTRFS_BLOCK_GROUP_ITEM_KEY:
1647 679667 : ret = check_block_group_item(leaf, key, slot);
1648 679667 : break;
1649 : case BTRFS_CHUNK_ITEM_KEY:
1650 30469 : chunk = btrfs_item_ptr(leaf, slot, struct btrfs_chunk);
1651 30469 : ret = check_leaf_chunk_item(leaf, chunk, key, slot);
1652 30469 : break;
1653 4624 : case BTRFS_DEV_ITEM_KEY:
1654 4624 : ret = check_dev_item(leaf, key, slot);
1655 4624 : break;
1656 40910166 : case BTRFS_INODE_ITEM_KEY:
1657 40910166 : ret = check_inode_item(leaf, key, slot);
1658 40910166 : break;
1659 1764162 : case BTRFS_ROOT_ITEM_KEY:
1660 1764162 : ret = check_root_item(leaf, key, slot);
1661 1764162 : break;
1662 197075170 : case BTRFS_EXTENT_ITEM_KEY:
1663 : case BTRFS_METADATA_ITEM_KEY:
1664 197075170 : ret = check_extent_item(leaf, key, slot, prev_key);
1665 197075170 : break;
1666 48051787 : case BTRFS_TREE_BLOCK_REF_KEY:
1667 : case BTRFS_SHARED_DATA_REF_KEY:
1668 : case BTRFS_SHARED_BLOCK_REF_KEY:
1669 48051787 : ret = check_simple_keyed_refs(leaf, key, slot);
1670 48051787 : break;
1671 116679069 : case BTRFS_EXTENT_DATA_REF_KEY:
1672 116679069 : ret = check_extent_data_ref(leaf, key, slot);
1673 116679069 : break;
1674 : }
1675 :
1676 865106568 : if (ret)
1677 0 : return BTRFS_TREE_BLOCK_INVALID_ITEM;
1678 : return BTRFS_TREE_BLOCK_CLEAN;
1679 : }
1680 :
1681 7903107 : enum btrfs_tree_block_status __btrfs_check_leaf(struct extent_buffer *leaf)
1682 : {
1683 7903107 : struct btrfs_fs_info *fs_info = leaf->fs_info;
1684 : /* No valid key type is 0, so all key should be larger than this key */
1685 7903107 : struct btrfs_key prev_key = {0, 0, 0};
1686 7903107 : struct btrfs_key key;
1687 7903107 : u32 nritems = btrfs_header_nritems(leaf);
1688 7903107 : int slot;
1689 :
1690 7903107 : if (unlikely(btrfs_header_level(leaf) != 0)) {
1691 0 : generic_err(leaf, 0,
1692 : "invalid level for leaf, have %d expect 0",
1693 : btrfs_header_level(leaf));
1694 0 : return BTRFS_TREE_BLOCK_INVALID_LEVEL;
1695 : }
1696 :
1697 : /*
1698 : * Extent buffers from a relocation tree have a owner field that
1699 : * corresponds to the subvolume tree they are based on. So just from an
1700 : * extent buffer alone we can not find out what is the id of the
1701 : * corresponding subvolume tree, so we can not figure out if the extent
1702 : * buffer corresponds to the root of the relocation tree or not. So
1703 : * skip this check for relocation trees.
1704 : */
1705 7903107 : if (nritems == 0 && !btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_RELOC)) {
1706 1753 : u64 owner = btrfs_header_owner(leaf);
1707 :
1708 : /* These trees must never be empty */
1709 1753 : if (unlikely(owner == BTRFS_ROOT_TREE_OBJECTID ||
1710 : owner == BTRFS_CHUNK_TREE_OBJECTID ||
1711 : owner == BTRFS_DEV_TREE_OBJECTID ||
1712 : owner == BTRFS_FS_TREE_OBJECTID ||
1713 : owner == BTRFS_DATA_RELOC_TREE_OBJECTID)) {
1714 0 : generic_err(leaf, 0,
1715 : "invalid root, root %llu must never be empty",
1716 : owner);
1717 0 : return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
1718 : }
1719 :
1720 : /* Unknown tree */
1721 1753 : if (unlikely(owner == 0)) {
1722 0 : generic_err(leaf, 0,
1723 : "invalid owner, root 0 is not defined");
1724 0 : return BTRFS_TREE_BLOCK_INVALID_OWNER;
1725 : }
1726 :
1727 : /* EXTENT_TREE_V2 can have empty extent trees. */
1728 1753 : if (btrfs_fs_incompat(fs_info, EXTENT_TREE_V2))
1729 : return BTRFS_TREE_BLOCK_CLEAN;
1730 :
1731 1753 : if (unlikely(owner == BTRFS_EXTENT_TREE_OBJECTID)) {
1732 0 : generic_err(leaf, 0,
1733 : "invalid root, root %llu must never be empty",
1734 : owner);
1735 0 : return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
1736 : }
1737 :
1738 : return BTRFS_TREE_BLOCK_CLEAN;
1739 : }
1740 :
1741 7901354 : if (unlikely(nritems == 0))
1742 : return BTRFS_TREE_BLOCK_CLEAN;
1743 :
1744 : /*
1745 : * Check the following things to make sure this is a good leaf, and
1746 : * leaf users won't need to bother with similar sanity checks:
1747 : *
1748 : * 1) key ordering
1749 : * 2) item offset and size
1750 : * No overlap, no hole, all inside the leaf.
1751 : * 3) item content
1752 : * If possible, do comprehensive sanity check.
1753 : * NOTE: All checks must only rely on the item data itself.
1754 : */
1755 891324297 : for (slot = 0; slot < nritems; slot++) {
1756 883422856 : u32 item_end_expected;
1757 883422856 : u64 item_data_end;
1758 :
1759 883422856 : btrfs_item_key_to_cpu(leaf, &key, slot);
1760 :
1761 : /* Make sure the keys are in the right order */
1762 883436274 : if (unlikely(btrfs_comp_cpu_keys(&prev_key, &key) >= 0)) {
1763 0 : generic_err(leaf, slot,
1764 : "bad key order, prev (%llu %u %llu) current (%llu %u %llu)",
1765 0 : prev_key.objectid, prev_key.type,
1766 0 : prev_key.offset, key.objectid, key.type,
1767 : key.offset);
1768 0 : return BTRFS_TREE_BLOCK_BAD_KEY_ORDER;
1769 : }
1770 :
1771 883436274 : item_data_end = (u64)btrfs_item_offset(leaf, slot) +
1772 883424747 : btrfs_item_size(leaf, slot);
1773 : /*
1774 : * Make sure the offset and ends are right, remember that the
1775 : * item data starts at the end of the leaf and grows towards the
1776 : * front.
1777 : */
1778 883424747 : if (slot == 0)
1779 7901387 : item_end_expected = BTRFS_LEAF_DATA_SIZE(fs_info);
1780 : else
1781 875523360 : item_end_expected = btrfs_item_offset(leaf,
1782 : slot - 1);
1783 883427113 : if (unlikely(item_data_end != item_end_expected)) {
1784 0 : generic_err(leaf, slot,
1785 : "unexpected item end, have %llu expect %u",
1786 : item_data_end, item_end_expected);
1787 0 : return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
1788 : }
1789 :
1790 : /*
1791 : * Check to make sure that we don't point outside of the leaf,
1792 : * just in case all the items are consistent to each other, but
1793 : * all point outside of the leaf.
1794 : */
1795 883427113 : if (unlikely(item_data_end > BTRFS_LEAF_DATA_SIZE(fs_info))) {
1796 0 : generic_err(leaf, slot,
1797 : "slot end outside of leaf, have %llu expect range [0, %u]",
1798 : item_data_end, BTRFS_LEAF_DATA_SIZE(fs_info));
1799 0 : return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
1800 : }
1801 :
1802 : /* Also check if the item pointer overlaps with btrfs item. */
1803 883427113 : if (unlikely(btrfs_item_ptr_offset(leaf, slot) <
1804 : btrfs_item_nr_offset(leaf, slot) + sizeof(struct btrfs_item))) {
1805 0 : generic_err(leaf, slot,
1806 : "slot overlaps with its data, item end %lu data start %lu",
1807 : btrfs_item_nr_offset(leaf, slot) +
1808 : sizeof(struct btrfs_item),
1809 0 : btrfs_item_ptr_offset(leaf, slot));
1810 0 : return BTRFS_TREE_BLOCK_INVALID_OFFSETS;
1811 : }
1812 :
1813 : /*
1814 : * We only want to do this if WRITTEN is set, otherwise the leaf
1815 : * may be in some intermediate state and won't appear valid.
1816 : */
1817 883425562 : if (btrfs_header_flag(leaf, BTRFS_HEADER_FLAG_WRITTEN)) {
1818 883425480 : enum btrfs_tree_block_status ret;
1819 :
1820 : /*
1821 : * Check if the item size and content meet other
1822 : * criteria
1823 : */
1824 883425480 : ret = check_leaf_item(leaf, &key, slot, &prev_key);
1825 883422861 : if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
1826 0 : return ret;
1827 : }
1828 :
1829 883422943 : prev_key.objectid = key.objectid;
1830 883422943 : prev_key.type = key.type;
1831 883422943 : prev_key.offset = key.offset;
1832 : }
1833 :
1834 : return BTRFS_TREE_BLOCK_CLEAN;
1835 : }
1836 :
1837 7903127 : int btrfs_check_leaf(struct extent_buffer *leaf)
1838 : {
1839 7903127 : enum btrfs_tree_block_status ret;
1840 :
1841 7903127 : ret = __btrfs_check_leaf(leaf);
1842 7903193 : if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
1843 0 : return -EUCLEAN;
1844 : return 0;
1845 : }
1846 : ALLOW_ERROR_INJECTION(btrfs_check_leaf, ERRNO);
1847 :
1848 872234 : enum btrfs_tree_block_status __btrfs_check_node(struct extent_buffer *node)
1849 : {
1850 872234 : struct btrfs_fs_info *fs_info = node->fs_info;
1851 872234 : unsigned long nr = btrfs_header_nritems(node);
1852 872234 : struct btrfs_key key, next_key;
1853 872234 : int slot;
1854 872234 : int level = btrfs_header_level(node);
1855 872234 : u64 bytenr;
1856 :
1857 872234 : if (unlikely(level <= 0 || level >= BTRFS_MAX_LEVEL)) {
1858 0 : generic_err(node, 0,
1859 : "invalid level for node, have %d expect [1, %d]",
1860 : level, BTRFS_MAX_LEVEL - 1);
1861 0 : return BTRFS_TREE_BLOCK_INVALID_LEVEL;
1862 : }
1863 872234 : if (unlikely(nr == 0 || nr > BTRFS_NODEPTRS_PER_BLOCK(fs_info))) {
1864 0 : btrfs_crit(fs_info,
1865 : "corrupt node: root=%llu block=%llu, nritems too %s, have %lu expect range [1,%u]",
1866 : btrfs_header_owner(node), node->start,
1867 : nr == 0 ? "small" : "large", nr,
1868 : BTRFS_NODEPTRS_PER_BLOCK(fs_info));
1869 0 : return BTRFS_TREE_BLOCK_INVALID_NRITEMS;
1870 : }
1871 :
1872 102312113 : for (slot = 0; slot < nr - 1; slot++) {
1873 101439879 : bytenr = btrfs_node_blockptr(node, slot);
1874 101440105 : btrfs_node_key_to_cpu(node, &key, slot);
1875 101439851 : btrfs_node_key_to_cpu(node, &next_key, slot + 1);
1876 :
1877 101439879 : if (unlikely(!bytenr)) {
1878 0 : generic_err(node, slot,
1879 : "invalid NULL node pointer");
1880 0 : return BTRFS_TREE_BLOCK_INVALID_BLOCKPTR;
1881 : }
1882 101439879 : if (unlikely(!IS_ALIGNED(bytenr, fs_info->sectorsize))) {
1883 0 : generic_err(node, slot,
1884 : "unaligned pointer, have %llu should be aligned to %u",
1885 : bytenr, fs_info->sectorsize);
1886 0 : return BTRFS_TREE_BLOCK_INVALID_BLOCKPTR;
1887 : }
1888 :
1889 101439879 : if (unlikely(btrfs_comp_cpu_keys(&key, &next_key) >= 0)) {
1890 0 : generic_err(node, slot,
1891 : "bad key order, current (%llu %u %llu) next (%llu %u %llu)",
1892 0 : key.objectid, key.type, key.offset,
1893 0 : next_key.objectid, next_key.type,
1894 : next_key.offset);
1895 0 : return BTRFS_TREE_BLOCK_BAD_KEY_ORDER;
1896 : }
1897 : }
1898 : return BTRFS_TREE_BLOCK_CLEAN;
1899 : }
1900 :
1901 872234 : int btrfs_check_node(struct extent_buffer *node)
1902 : {
1903 872234 : enum btrfs_tree_block_status ret;
1904 :
1905 872234 : ret = __btrfs_check_node(node);
1906 872234 : if (unlikely(ret != BTRFS_TREE_BLOCK_CLEAN))
1907 0 : return -EUCLEAN;
1908 : return 0;
1909 : }
1910 : ALLOW_ERROR_INJECTION(btrfs_check_node, ERRNO);
1911 :
1912 23875052 : int btrfs_check_eb_owner(const struct extent_buffer *eb, u64 root_owner)
1913 : {
1914 23875052 : const bool is_subvol = is_fstree(root_owner);
1915 23875052 : const u64 eb_owner = btrfs_header_owner(eb);
1916 :
1917 : /*
1918 : * Skip dummy fs, as selftests don't create unique ebs for each dummy
1919 : * root.
1920 : */
1921 47750104 : if (test_bit(BTRFS_FS_STATE_DUMMY_FS_INFO, &eb->fs_info->fs_state))
1922 : return 0;
1923 : /*
1924 : * There are several call sites (backref walking, qgroup, and data
1925 : * reloc) passing 0 as @root_owner, as they are not holding the
1926 : * tree root. In that case, we can not do a reliable ownership check,
1927 : * so just exit.
1928 : */
1929 23875052 : if (root_owner == 0)
1930 : return 0;
1931 : /*
1932 : * These trees use key.offset as their owner, our callers don't have
1933 : * the extra capacity to pass key.offset here. So we just skip them.
1934 : */
1935 20511089 : if (root_owner == BTRFS_TREE_LOG_OBJECTID ||
1936 20511089 : root_owner == BTRFS_TREE_RELOC_OBJECTID)
1937 : return 0;
1938 :
1939 20418874 : if (!is_subvol) {
1940 : /* For non-subvolume trees, the eb owner should match root owner */
1941 3751928 : if (unlikely(root_owner != eb_owner)) {
1942 0 : btrfs_crit(eb->fs_info,
1943 : "corrupted %s, root=%llu block=%llu owner mismatch, have %llu expect %llu",
1944 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
1945 : root_owner, btrfs_header_bytenr(eb), eb_owner,
1946 : root_owner);
1947 0 : return -EUCLEAN;
1948 : }
1949 : return 0;
1950 : }
1951 :
1952 : /*
1953 : * For subvolume trees, owners can mismatch, but they should all belong
1954 : * to subvolume trees.
1955 : */
1956 33333892 : if (unlikely(is_subvol != is_fstree(eb_owner))) {
1957 0 : btrfs_crit(eb->fs_info,
1958 : "corrupted %s, root=%llu block=%llu owner mismatch, have %llu expect [%llu, %llu]",
1959 : btrfs_header_level(eb) == 0 ? "leaf" : "node",
1960 : root_owner, btrfs_header_bytenr(eb), eb_owner,
1961 : BTRFS_FIRST_FREE_OBJECTID, BTRFS_LAST_FREE_OBJECTID);
1962 0 : return -EUCLEAN;
1963 : }
1964 : return 0;
1965 : }
1966 :
1967 541602535 : int btrfs_verify_level_key(struct extent_buffer *eb, int level,
1968 : struct btrfs_key *first_key, u64 parent_transid)
1969 : {
1970 541602535 : struct btrfs_fs_info *fs_info = eb->fs_info;
1971 541602535 : int found_level;
1972 541602535 : struct btrfs_key found_key;
1973 541602535 : int ret;
1974 :
1975 541602535 : found_level = btrfs_header_level(eb);
1976 541602535 : if (found_level != level) {
1977 0 : WARN(IS_ENABLED(CONFIG_BTRFS_DEBUG),
1978 : KERN_ERR "BTRFS: tree level check failed\n");
1979 0 : btrfs_err(fs_info,
1980 : "tree level mismatch detected, bytenr=%llu level expected=%u has=%u",
1981 : eb->start, level, found_level);
1982 0 : return -EIO;
1983 : }
1984 :
1985 541602535 : if (!first_key)
1986 : return 0;
1987 :
1988 : /*
1989 : * For live tree block (new tree blocks in current transaction),
1990 : * we need proper lock context to avoid race, which is impossible here.
1991 : * So we only checks tree blocks which is read from disk, whose
1992 : * generation <= fs_info->last_trans_committed.
1993 : */
1994 541602535 : if (btrfs_header_generation(eb) > fs_info->last_trans_committed)
1995 : return 0;
1996 :
1997 : /* We have @first_key, so this @eb must have at least one item */
1998 164490607 : if (btrfs_header_nritems(eb) == 0) {
1999 0 : btrfs_err(fs_info,
2000 : "invalid tree nritems, bytenr=%llu nritems=0 expect >0",
2001 : eb->start);
2002 0 : WARN_ON(IS_ENABLED(CONFIG_BTRFS_DEBUG));
2003 0 : return -EUCLEAN;
2004 : }
2005 :
2006 164490607 : if (found_level)
2007 65196665 : btrfs_node_key_to_cpu(eb, &found_key, 0);
2008 : else
2009 99293942 : btrfs_item_key_to_cpu(eb, &found_key, 0);
2010 164465032 : ret = btrfs_comp_cpu_keys(first_key, &found_key);
2011 :
2012 164465032 : if (ret) {
2013 0 : WARN(IS_ENABLED(CONFIG_BTRFS_DEBUG),
2014 : KERN_ERR "BTRFS: tree first key check failed\n");
2015 0 : btrfs_err(fs_info,
2016 : "tree first key mismatch detected, bytenr=%llu parent_transid=%llu key expected=(%llu,%u,%llu) has=(%llu,%u,%llu)",
2017 : eb->start, parent_transid, first_key->objectid,
2018 : first_key->type, first_key->offset,
2019 : found_key.objectid, found_key.type,
2020 : found_key.offset);
2021 : }
2022 : return ret;
2023 : }
|
