syzbot reported a btree node oob in bch2_btree_node_read_done. [1] Add a sanity check for written, to avoid exceeding the allowed access limits for the btree node.
[1] BUG: KASAN: slab-out-of-bounds in bch2_btree_node_read_done+0x950/0x5550 fs/bcachefs/btree_io.c:1128
Call Trace:
 bch2_btree_node_read_done+0x950/0x5550 fs/bcachefs/btree_io.c:1128
 btree_node_read_work+0x40e/0xe60 fs/bcachefs/btree_io.c:1440
 bch2_btree_root_read+0x5f0/0x760 fs/bcachefs/btree_io.c:1928
 read_btree_roots+0x2c6/0x840 fs/bcachefs/recovery.c:615
 bch2_fs_recovery+0x261f/0x3a50 fs/bcachefs/recovery.c:1006
 bch2_fs_start+0xaaf/0xda0 fs/bcachefs/super.c:1213
 bch2_fs_get_tree+0xb39/0x1520 fs/bcachefs/fs.c:2488
 vfs_get_tree+0x8f/0x2b0 fs/super.c:1815
 do_new_mount+0x2a2/0x9e0 fs/namespace.c:3808

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=ba71155d3eacc8f42477
Tested-by: [email protected]
Signed-off-by: Edward Adam Davis <[email protected]>
---
V1 -> V2: change msg data type to unsigned int for btree_sectors()

 fs/bcachefs/btree_io.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c index 590cd29f3e86..ab14fff1452f 100644 --- a/fs/bcachefs/btree_io.c +++ b/fs/bcachefs/btree_io.c @@ -1087,6 +1087,13 @@ int bch2_btree_node_read_done(struct bch_fs *c, struct bch_dev *ca, "bad magic: want %llx, got %llx", bset_magic(c), le64_to_cpu(b->data->magic)); + btree_err_on(ptr_written >= btree_sectors(c), + -BCH_ERR_btree_node_read_err_must_retry, + c, ca, b, NULL, NULL, + btree_node_bad_magic, + "wrong written %u, btree sectors is %u", + ptr_written, btree_sectors(c)); + if (b->key.k.type == KEY_TYPE_btree_ptr_v2) { struct bch_btree_ptr_v2 *bp = &bkey_i_to_btree_ptr_v2(&b->key)->v; -- 2.43.0
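Review bot: the boundary in the new `btree_err_on(ptr_written >= btree_sectors(c), ...)` also rejects the case ptr_written == btree_sectors(c); if a node whose sectors_written equals the full node size is legitimate, the test needs to be `ptr_written > btree_sectors(c)`, and the commit message ("avoid exceeding") reads as if that were the intent, so please confirm which boundary is meant before this lands. Separately, the condition is reported under the btree_node_bad_magic fsck error type while the message says "wrong written %u, btree sectors is %u", which will mislead anyone matching on the error name; a dedicated error type, or at least a message such as "sectors written %u exceeds btree node size %u", would make the failure self-describing.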
