From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH] ocfs2: validate group add input before caching
Date: Thu, 9 Apr 2026 17:02:55 +0800
Message-ID: <20260409090255.3430951-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in ocfs2_set_new_buffer_uptodate():

kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
 ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
 ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d

[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a user-controlled group block before ocfs2_verify_group_and_input() validates that block number. That helper is only valid for newly allocated metadata and asserts that the block is not already present in the chosen metadata cache. The code also uses INODE_CACHE(inode) even though the group descriptor belongs to main_bm_inode and later journal accesses use that cache context instead.

[FIX]
Validate the on-disk group descriptor before caching it, then add it to the metadata cache tracked by INODE_CACHE(main_bm_inode).
Update the error path to remove the buffer from the same cache context so the group buffer lifetime stays consistent across validation, journaling, and cleanup. Signed-off-by: ZhengYuan Huang --- fs/ocfs2/resize.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index b0733c08ed13..e45ab5592ee0 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c @@ -504,14 +504,14 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) goto out_unlock; } - ocfs2_set_new_buffer_uptodate(INODE_CACHE(inode), group_bh); - ret = ocfs2_verify_group_and_input(main_bm_inode, fe, input, group_bh); if (ret) { mlog_errno(ret); goto out_free_group_bh; } + ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh); + trace_ocfs2_group_add((unsigned long long)input->group, input->chain, input->clusters, input->frees); @@ -575,7 +575,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) out_free_group_bh: if (ret < 0) - ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh); + ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh); brelse(group_bh); out_unlock: -- 2.43.0
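Review bot: the reordering in the first hunk narrows the BUG_ON but the message does not show that it removes it: ocfs2_verify_group_and_input() is described as validating the block number, not as checking whether that block is already present in the main_bm_inode metadata cache, so a group block that passes validation but was cached there earlier would still trip the assert in ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh). Please either state in the [CAUSE]/[FIX] text why a validated input->group cannot already be in that cache, or look the block up in the cache before calling the helper and take a non-asserting path when it is already there.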
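Review bot: with caching now moved after validation, the `goto out_free_group_bh` taken when ocfs2_verify_group_and_input() fails reaches the `ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh)` call in the second hunk for a buffer that was never added to that cache; please confirm ocfs2_remove_from_cache() is a no-op for an uncached block, or add a separate label so the removal is only reached once the buffer has been cached. Also, since the BUG_ON is reachable from the OCFS2_IOC_GROUP_ADD ioctl, the commit message should carry a Fixes: tag for the commit that introduced the early ocfs2_set_new_buffer_uptodate() call and a Cc: stable line.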