public inbox for linux-kernel@vger.kernel.org
From: ZhengYuan Huang <gality369@gmail.com>
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com,
	ZhengYuan Huang <gality369@gmail.com>
Subject: [PATCH 3/3] ocfs2: handle invalid dinode in _ocfs2_free_suballoc_bits
Date: Fri,  3 Apr 2026 14:30:16 +0800
Message-ID: <20260403063016.438287-4-gality369@gmail.com>
In-Reply-To: <20260403063016.438287-1-gality369@gmail.com>

[BUG]
A crafted filesystem can feed an invalid dinode into
_ocfs2_free_suballoc_bits() and trip:

  kernel BUG at fs/ocfs2/suballoc.c:2568

[CAUSE]
The free path trusts alloc_bh returned from locked allocator reads, but
JBD-managed buffers can bypass inode validation before that buffer is
handed to _ocfs2_free_suballoc_bits().

[FIX]
Handle an invalid dinode as filesystem corruption and exit through the
existing bail path before touching any allocator accounting. This keeps
all cleanup and rollback logic intact while avoiding BUG().

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
 fs/ocfs2/suballoc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index b99870aeaf88..34bdc18200f2 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -2868,13 +2868,14 @@ static int _ocfs2_free_suballoc_bits(handle_t *handle,
 	struct ocfs2_group_desc *group;
 	struct ocfs2_chain_rec *rec;
 	__le16 old_bg_contig_free_bits = 0;
 
-	/* The alloc_bh comes from ocfs2_free_dinode() or
-	 * ocfs2_free_clusters().  The callers have all locked the
-	 * allocator and gotten alloc_bh from the lock call.  This
-	 * validates the dinode buffer.  Any corruption that has happened
-	 * is a code bug. */
-	BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
+	/* JBD-managed buffers can bypass inode validation. */
+	if (!OCFS2_IS_VALID_DINODE(fe)) {
+		status = ocfs2_error(alloc_inode->i_sb,
+				     "Invalid dinode #%llu\n",
+				     (unsigned long long)OCFS2_I(alloc_inode)->ip_blkno);
+		goto bail;
+	}
 	BUG_ON((count + start_bit) > ocfs2_bits_per_group(cl));
 
 	trace_ocfs2_free_suballoc_bits(
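Review bot: The unchanged `BUG_ON((count + start_bit) > ocfs2_bits_per_group(cl));` directly below the new check still panics the kernel. If `cl` is read from the same on-disk dinode, a crafted image that passes OCFS2_IS_VALID_DINODE() can still reach it, so consider converting it to an ocfs2_error() + `goto bail` in the same way, or stating in the changelog why it cannot be reached from disk contents. The replacement comment also drops the note that alloc_bh comes from ocfs2_free_dinode() or ocfs2_free_clusters() via the allocator lock call, and "JBD-managed buffers can bypass inode validation" does not say how. A sentence naming the path on which a journaled buffer skips validation would let a later reader judge whether the check is still needed. Lastly, the changelog quotes a BUG at suballoc.c:2568 while this hunk sits at line 2868, so it would help to name the tree the trace was taken from.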
-- 
2.43.0


Thread overview: 5+ messages
2026-04-03  6:30 [PATCH 0/3] ocfs2: stop BUG_ON crashes in suballoc invalid-dinode paths ZhengYuan Huang
2026-04-03  6:30 ` [PATCH 1/3] ocfs2: handle invalid dinode in reserve_suballoc_bits ZhengYuan Huang
2026-04-03  6:30 ` [PATCH 2/3] ocfs2: handle invalid dinode in claim_suballoc_bits ZhengYuan Huang
2026-04-03  6:30 ` ZhengYuan Huang [this message]
2026-04-03  9:30 ` [PATCH 0/3] ocfs2: stop BUG_ON crashes in suballoc invalid-dinode paths Joseph Qi
