Commit 1f55ee6
btrfs: fix invalid leaf access due to inline extent during lseek
During lseek, for SEEK_DATA and SEEK_HOLE modes, we access the disk_bytenr
of an extent without checking its type. However inline extents have their
data starting at the offset of the disk_bytenr field, so accessing that field
when we have an inline extent can result in either of the following:
1) Interpret the inline extent's data as a disk_bytenr value;
2) In case the inline data is less than 8 bytes, we access part of some
other item in the leaf, or unused space in the leaf;
3) In case the inline data is less than 8 bytes and the extent item is
the first item in the leaf, we can access beyond the leaf's limit.
So fix this by not accessing the disk_bytenr field if we have an inline
extent.
Fixes: b6e8335 ("btrfs: make hole and data seeking a lot more efficient")
Reported-by: Matthias Schoepfer <[email protected]>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=216908
Link: https://lore.kernel.org/linux-btrfs/[email protected]/
CC: [email protected] # 6.1
Signed-off-by: Filipe Manana <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
1 parent 26ecf24 commit 1f55ee6
1 file changed, +10 -3 lines changed
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3541 | 3541 | | |
3542 | 3542 | | |
3543 | 3543 | | |
| 3544 | + | |
3544 | 3545 | | |
3545 | 3546 | | |
3546 | 3547 | | |
| |||
3596 | 3597 | | |
3597 | 3598 | | |
3598 | 3599 | | |
| 3600 | + | |
3599 | 3601 | | |
3600 | | - | |
3601 | | - | |
3602 | | - | |
| 3602 | + | |
| 3603 | + | |
| 3604 | + | |
| 3605 | + | |
| 3606 | + | |
| 3607 | + | |
| 3608 | + | |
| 3609 | + | |
3603 | 3610 | | |
3604 | 3611 | | |
3605 | 3612 | | |
| |||
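
The failure cases listed in the commit message, modelled in userspace as an added example (this is not the kernel patch or btrfs code). The struct follows the field order of the on-disk `btrfs_file_extent_item`; `read_disk_bytenr` and `make_inline_item` are hypothetical helpers, and the sample items are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Extent type values, matching BTRFS_FILE_EXTENT_INLINE / BTRFS_FILE_EXTENT_REG. */
#define FILE_EXTENT_INLINE 0
#define FILE_EXTENT_REG    1

/* Userspace model of the item layout (host byte order; on disk it is little-endian). */
struct file_extent_item {
    uint64_t generation;
    uint64_t ram_bytes;
    uint8_t  compression;
    uint8_t  encryption;
    uint16_t other_encoding;
    uint8_t  type;
    /* Inline extents: file data starts here and the fields below do not exist. */
    uint64_t disk_bytenr;
    uint64_t disk_num_bytes;
    uint64_t offset;
    uint64_t num_bytes;
} __attribute__((packed));

#define INLINE_DATA_START offsetof(struct file_extent_item, disk_bytenr)

/*
 * Hypothetical helper: read disk_bytenr from an item of item_size bytes.
 * Returns 0 and sets *out on success, -1 for inline or truncated items.
 */
int read_disk_bytenr(const uint8_t *item, size_t item_size, uint64_t *out)
{
    if (item_size < INLINE_DATA_START)
        return -1; /* header truncated, type byte not readable */
    if (item[offsetof(struct file_extent_item, type)] == FILE_EXTENT_INLINE)
        return -1; /* bytes at this offset are file data, not a block address */
    if (item_size < sizeof(struct file_extent_item))
        return -1; /* non-inline item too short to hold the field */
    memcpy(out, item + INLINE_DATA_START, sizeof(*out));
    return 0;
}

/* Constructed sample: build an inline item holding data_len bytes; returns item size. */
size_t make_inline_item(uint8_t *buf, const void *data, size_t data_len)
{
    memset(buf, 0, INLINE_DATA_START);
    buf[offsetof(struct file_extent_item, type)] = FILE_EXTENT_INLINE;
    memcpy(buf + INLINE_DATA_START, data, data_len);
    return INLINE_DATA_START + data_len;
}
```

With 3 bytes of inline data the item is 24 bytes long, so an unchecked 8-byte read at offset 21 would run 5 bytes past the item, which is cases 2 and 3 of the commit message; with 8 or more bytes it would return file contents as a block address, which is case 1.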