Btrfs: add a helper to retrive extent inline ref type

An invalid value of extent inline ref type may be read from a
malicious image which may force btrfs to crash.

This adds a helper which does sanity check for the ref type, so we can
know if it's sane, return he type, otherwise return an error.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ minimal tweak const types, causing warnings due to other cleanup patches ]
Signed-off-by: David Sterba <dsterba@suse.com>

2 files changed, 48 insertions, 0 deletions

diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
index ca087ad5ac48..542db9d0dbcd 100644
--- a/fs/btrfs/ctree.h
+++ b/fs/btrfs/ctree.h
@@ -2567,6 +2567,17 @@ static inline gfp_t btrfs_alloc_write_mask(struct address_space *mapping)
 
 /* extent-tree.c */
 
+enum btrfs_inline_ref_type {
+        BTRFS_REF_TYPE_INVALID =         0,
+        BTRFS_REF_TYPE_BLOCK =           1,
+        BTRFS_REF_TYPE_DATA =            2,
+        BTRFS_REF_TYPE_ANY =             3,
+};
+
+int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
+                                     struct btrfs_extent_inline_ref *iref,
+                                     enum btrfs_inline_ref_type is_data);
+
 u64 btrfs_csum_bytes_to_leaves(struct btrfs_fs_info *fs_info, u64 csum_bytes);
 
 static inline u64 btrfs_calc_trans_metadata_size(struct btrfs_fs_info *fs_info,
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 1a80f6e58296..794b06dd824a 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1148,6 +1148,43 @@ static int convert_extent_item_v0(struct btrfs_trans_handle *trans,
 }
 #endif
 
+/*
+ * is_data == BTRFS_REF_TYPE_BLOCK, tree block type is required,
+ * is_data == BTRFS_REF_TYPE_DATA, data type is requried,
+ * is_data == BTRFS_REF_TYPE_ANY, either type is OK.
+ */
+int btrfs_get_extent_inline_ref_type(const struct extent_buffer *eb,
+                                     struct btrfs_extent_inline_ref *iref,
+                                     enum btrfs_inline_ref_type is_data)
+{
+        int type = btrfs_extent_inline_ref_type(eb, iref);
+
+        if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+            type == BTRFS_SHARED_BLOCK_REF_KEY ||
+            type == BTRFS_SHARED_DATA_REF_KEY ||
+            type == BTRFS_EXTENT_DATA_REF_KEY) {
+                if (is_data == BTRFS_REF_TYPE_BLOCK) {
+                        if (type == BTRFS_TREE_BLOCK_REF_KEY ||
+                            type == BTRFS_SHARED_BLOCK_REF_KEY)
+                                return type;
+                } else if (is_data == BTRFS_REF_TYPE_DATA) {
+                        if (type == BTRFS_EXTENT_DATA_REF_KEY ||
+                            type == BTRFS_SHARED_DATA_REF_KEY)
+                                return type;
+                } else {
+                        ASSERT(is_data == BTRFS_REF_TYPE_ANY);
+                        return type;
+                }
+        }
+
+        btrfs_print_leaf((struct extent_buffer *)eb);
+        btrfs_err(eb->fs_info, "eb %llu invalid extent inline ref type %d",
+                  eb->start, type);
+        WARN_ON(1);
+
+        return BTRFS_REF_TYPE_INVALID;
+}
+
 static u64 hash_extent_data_ref(u64 root_objectid, u64 owner, u64 offset)
 {
         u32 high_crc = ~(u32)0;