From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 3/3] ocfs2: handle invalid dinode in _ocfs2_free_suballoc_bits
Date: Fri, 3 Apr 2026 14:30:16 +0800
Message-ID: <20260403063016.438287-4-gality369@gmail.com>
In-Reply-To: <20260403063016.438287-1-gality369@gmail.com>
References: <20260403063016.438287-1-gality369@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

[BUG]
A crafted filesystem can feed an invalid dinode into _ocfs2_free_suballoc_bits() and trip:

kernel BUG at fs/ocfs2/suballoc.c:2568

[CAUSE]
The free path trusts alloc_bh returned from locked allocator reads, but JBD-managed buffers can bypass inode validation before that buffer is handed to _ocfs2_free_suballoc_bits().

[FIX]
Handle an invalid dinode as filesystem corruption and exit through the existing bail path before touching any allocator accounting. This keeps all cleanup and rollback logic intact while avoiding BUG().

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/suballoc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index b99870aeaf88..34bdc18200f2 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -2868,13 +2868,14 @@ static int _ocfs2_free_suballoc_bits(handle_t *handle, struct ocfs2_group_desc *group; struct ocfs2_chain_rec *rec; __le16 old_bg_contig_free_bits = 0; - /* The alloc_bh comes from ocfs2_free_dinode() or - * ocfs2_free_clusters(). The callers have all locked the - * allocator and gotten alloc_bh from the lock call. This - * validates the dinode buffer. Any corruption that has happened - * is a code bug. */ - BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); + /* JBD-managed buffers can bypass inode validation. */ + if (!OCFS2_IS_VALID_DINODE(fe)) { + status = ocfs2_error(alloc_inode->i_sb, + "Invalid dinode #%llu\n", + (unsigned long long)OCFS2_I(alloc_inode)->ip_blkno); + goto bail; + } BUG_ON((count + start_bit) > ocfs2_bits_per_group(cl)); trace_ocfs2_free_suballoc_bits( -- 2.43.0
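Review bot: the new early exit does `goto bail` before this function has acquired anything, but neither the declaration of `status` nor the `bail` label is visible in the hunk's context (the context shows `group`, `rec` and `old_bg_contig_free_bits` only); please confirm that `status` is the function's existing return variable and that the `bail` path only releases buffers that are NULL-initialised at declaration, otherwise the early exit could hand the release path an uninitialised pointer. Two smaller points: the reported splat is at fs/ocfs2/suballoc.c:2568 while this hunk sits at line 2868, so the description should say which tree the report came from; and the replacement comment `/* JBD-managed buffers can bypass inode validation. */` drops the explanation the removed comment gave about the callers' lock validating alloc_bh, so it should state how a journal-managed buffer reaches this function unvalidated, since that is the whole justification for turning the BUG_ON() into an ocfs2_error() return.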