Forwarded: [PATCH] ocfs2: validate allocator type to prevent BUG_ON in ocfs2_block_group_search

[syzbot <syzbot+44c564a3cb08605f34a1@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: validate allocator type to prevent BUG_ON in ocfs2_block_group_search
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

A corrupted filesystem image can have an inode allocator with the
OCFS2_BITMAP_FL flag incorrectly set, making ocfs2_is_cluster_bitmap()
return true. When the code later calls ocfs2_block_group_search(),
it triggers BUG_ON(ocfs2_is_cluster_bitmap(inode)) causing a kernel panic.

Call trace:
  ocfs2_block_group_search+0x1c7/0x2c0 fs/ocfs2/suballoc.c:1611
  ocfs2_search_chain+0x38a/0x1010 fs/ocfs2/suballoc.c:1764
  ocfs2_claim_suballoc_bits+0x3a4/0x650 fs/ocfs2/suballoc.c:1978
  ocfs2_claim_new_inode+0x95/0x130 fs/ocfs2/suballoc.c:2137
  ocfs2_mknod_locked+0x129/0x510 fs/ocfs2/namei.c:568
  ocfs2_mknod+0x5c7/0x11d0 fs/ocfs2/namei.c:802
  ocfs2_create+0x136/0x170 fs/ocfs2/namei.c:852

Add validation in ocfs2_reserve_suballoc_bits() to check that the
allocator inode type matches the expected type:
- Global bitmap allocator must have OCFS2_BITMAP_FL flag set
- Other allocators (inode, extent) must NOT have OCFS2_BITMAP_FL set

This follows the existing pattern of validating OCFS2_CHAIN_FL in the
same function and uses ocfs2_error() for graceful error handling.

Reported-by: syzbot+44c564a3cb08605f34a1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=44c564a3cb08605f34a1
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/suballoc.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 8e6e5235b30c..fb72c062a8d5 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -813,6 +813,26 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
 		goto bail;
 	}
 
+	/*
+	 * Validate allocator type matches expected bitmap type.
+	 * Global bitmap must have BITMAP flag, other allocators must not.
+	 * This prevents a corrupted filesystem from triggering BUG_ON
+	 * in ocfs2_block_group_search() or ocfs2_cluster_group_search().
+	 */
+	if (type == GLOBAL_BITMAP_SYSTEM_INODE) {
+		if (!ocfs2_is_cluster_bitmap(alloc_inode)) {
+			status = ocfs2_error(alloc_inode->i_sb,
+					     "Global bitmap %llu missing bitmap flag\n",
+					     (unsigned long long)le64_to_cpu(fe->i_blkno));
+			goto bail;
+		}
+	} else if (ocfs2_is_cluster_bitmap(alloc_inode)) {
+		status = ocfs2_error(alloc_inode->i_sb,
+				     "Allocator %llu has invalid bitmap flag\n",
+				     (unsigned long long)le64_to_cpu(fe->i_blkno));
+		goto bail;
+	}
+
 	free_bits = le32_to_cpu(fe->id1.bitmap1.i_total) -
 		le32_to_cpu(fe->id1.bitmap1.i_used);
 
-- 
2.43.0