From: syzbot <syzbot+7960178e777909060224@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Date: Tue, 30 Dec 2025 23:51:06 -0800
Message-ID: <6954d5ea.050a0220.a1b6.0314.GAE@google.com>
In-Reply-To: <69441a92.a70a0220.207337.00e4.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

Add a check to verify the group descriptor has enough free bits before
attempting allocation in ocfs2_move_extent(). This prevents a kernel
BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
is called on a crafted or corrupted filesystem.

The existing validation in ocfs2_validate_gd_self() only checks static
metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
is first read from disk. However, during move_extents operations,
multiple allocations can exhaust the free bits count below the requested
allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count) <
num_bits).

The debug trace shows the issue clearly:
  - Block group 32 validated with bg_free_bits_count=427
  - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
  - Final request for 2 bits with only 1 available triggers BUG_ON

By adding an early check in ocfs2_move_extent() before calling
ocfs2_block_group_set_bits(), we return -ENOSPC gracefully instead of
crashing the kernel.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/move_extents.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 99637e34d9da..2548a8908a1b 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -690,6 +690,11 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
+	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
+		ret = -ENOSPC;
+		goto out_commit;
+	}
+
 	ret = ocfs2_block_group_set_bits(handle, gb_inode, gd, gd_bh,
 					 goal_bit, len, 0, 0);
 	if (ret) {
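Review bot: the added test `le16_to_cpu(gd->bg_free_bits_count) < len` compares only the group's free counter with the request; it does not confirm that the `len` bits starting at `goal_bit` are themselves clear in the bitmap, and on the crafted or corrupted filesystem the commit message describes, the counter and the bitmap need not agree. Consider verifying that range as well before the ocfs2_block_group_set_bits() call, or state in the commit message why the counter check alone is sufficient at this point. The new branch also returns -ENOSPC with no comment; a short comment above the `if` explaining that the descriptor can run short of free bits between validation and this call would help whoever later debugs a failed move_extents ioctl.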
-- 
2.43.0

