From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH] ocfs2: handle system file flag mismatches gracefully
Date: Thu, 9 Apr 2026 18:58:35 +0800
Message-ID: <20260409105835.3474103-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

[BUG]
Mounting a crafted OCFS2 image can trip:

kernel BUG at fs/ocfs2/inode.c:609!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_read_locked_inode+0x1038/0x10c0 fs/ocfs2/inode.c:609
Call Trace:
 ocfs2_iget+0x7fa/0x9b0 fs/ocfs2/inode.c:157
 _ocfs2_get_system_file_inode fs/ocfs2/sysfile.c:142 [inline]
 ocfs2_get_system_file_inode+0x389/0x820 fs/ocfs2/sysfile.c:112
 ocfs2_init_local_system_inodes fs/ocfs2/super.c:491 [inline]
 ocfs2_mount_volume fs/ocfs2/super.c:1756 [inline]
 ocfs2_fill_super+0x1330/0x3cd0 fs/ocfs2/super.c:1083
 get_tree_bdev_flags+0x38b/0x640 fs/super.c:1698
 get_tree_bdev+0x24/0x40 fs/super.c:1721
 ocfs2_get_tree+0x21/0x30 fs/ocfs2/super.c:1184
 vfs_get_tree+0x9a/0x370 fs/super.c:1758
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3642 [inline]
 do_new_mount fs/namespace.c:3718 [inline]
 path_mount+0x5b8/0x1ea0 fs/namespace.c:4028
 do_mount fs/namespace.c:4041 [inline]
 __do_sys_mount fs/namespace.c:4229 [inline]
 __se_sys_mount fs/namespace.c:4206 [inline]
 __x64_sys_mount+0x282/0x320 fs/namespace.c:4206
 ...

[CAUSE]
ocfs2_read_locked_inode() assumes any mismatch between OCFS2_FI_FLAG_SYSFILE and the dinode's OCFS2_SYSTEM_FL bit is a pure caller bug, so it routes the condition through mlog_bug_on_msg(). A crafted filesystem can violate that assumption by making a system directory entry point at a non-system inode that still passes generic dinode validation.

[FIX]
Keep the mismatch check in ocfs2_read_locked_inode(), where the caller context is available, but replace the BUG assertion with an error log and the existing bail path. That turns crafted on-disk input into a failed inode read and mount failure instead of a kernel crash.

Fixes: 24c19ef40474 ("ocfs2: Remove i_generation from inode lock names")
Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/inode.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index fcc89856ab95..0a60de5d46fe 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -602,14 +602,17 @@ static int ocfs2_read_locked_inode(struct inode *inode, fe = (struct ocfs2_dinode *) bh->b_data; /* - * This is a code bug. Right now the caller needs to - * understand whether it is asking for a system file inode or - * not so the proper lock names can be built. + * The caller has to tell us whether it expects a system file inode + * so the lock names can be built correctly. A corrupted system + * directory can violate that expectation, so fail the read instead + * of crashing. */ - mlog_bug_on_msg(!!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != - !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE), - "Inode %llu: system file state is ambiguous\n", - (unsigned long long)args->fi_blkno); + if (!!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != + !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)) { + mlog(ML_ERROR, "Inode %llu: system file state is ambiguous\n", + (unsigned long long)args->fi_blkno); + goto bail; + } if (S_ISCHR(le16_to_cpu(fe->i_mode)) || S_ISBLK(le16_to_cpu(fe->i_mode))) -- 2.43.0
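Review bot: the new `goto bail;` in the mismatch branch returns whatever `status` holds at that point, and the hunk's context (which starts at `fe = (struct ocfs2_dinode *) bh->b_data;`) does not show `status` being set to an error value. If it still carries the success value from the preceding block read, the mismatch would bail with status 0 and the caller could go on using the inode, which is exactly what the patch wants to prevent. Either add `status = -EINVAL;` immediately before `goto bail;`, or state in the commit message where the error value comes from. Since the rewritten comment now treats the condition as on-disk corruption rather than a caller bug, `ocfs2_error()`, which records the corruption and honours the `errors=` mount option, may be a better fit than a bare `mlog(ML_ERROR, ...)`.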
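The distinction the [CAUSE] and [FIX] sections draw, between a caller's expectation (OCFS2_FI_FLAG_SYSFILE) and what the block on disk claims (OCFS2_SYSTEM_FL), modelled in user space as an added example. This is not code from the patch, the kernel, or the author's message: the flag values, the 12-byte block layout, the model structs, and the helpers validate_dinode_block(), read_locked_inode(), run_scenario(), le_get() and le_put() are all stand-ins invented for the example, and the "images" it reads are constructed in memory.

```c
/*
 * Added example, not code from the patch, the kernel, or its author: a
 * user-space model of the decision ocfs2_read_locked_inode() makes between
 * "what the caller expects" and "what the block on disk says". Flag values
 * and the block layout are stand-ins for the kernel's definitions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OCFS2_VALID_FL        0x01u  /* stand-in: dinode passes generic validation */
#define OCFS2_SYSTEM_FL       0x40u  /* stand-in: dinode claims to be a system file */
#define OCFS2_FI_FLAG_SYSFILE 0x01u  /* stand-in: caller expects a system file */

#define DINODE_LEN 12  /* model block: i_blkno (8 bytes LE) + i_flags (4 bytes LE) */

struct model_dinode {
	uint64_t i_blkno;
	uint32_t i_flags;
};

struct find_inode_args {
	uint64_t fi_blkno;      /* block the caller asked for */
	unsigned int fi_flags;  /* OCFS2_FI_FLAG_SYSFILE when reached via a system directory */
};

static uint64_t le_get(const uint8_t *p, int n)
{
	uint64_t v = 0;
	while (n--)
		v = (v << 8) | p[n];
	return v;
}

static void le_put(uint8_t *p, uint64_t v, int n)
{
	for (int i = 0; i < n; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Generic dinode validation: the check a crafted image is built to pass. */
static int validate_dinode_block(const uint8_t *blk, size_t len,
				 struct model_dinode *fe)
{
	if (len < DINODE_LEN)
		return -EINVAL;
	fe->i_blkno = le_get(blk, 8);
	fe->i_flags = (uint32_t)le_get(blk + 8, 4);
	return (fe->i_flags & OCFS2_VALID_FL) ? 0 : -EINVAL;
}

/*
 * The patched behaviour: caller expectation and on-disk flag must agree,
 * but a mismatch is untrusted input, so it becomes a failed read, not a BUG.
 * The error value is set explicitly before the check so the failure path
 * never returns a stale status.
 */
static int read_locked_inode(const uint8_t *blk, size_t len,
			     const struct find_inode_args *args,
			     struct model_dinode *fe)
{
	int status = validate_dinode_block(blk, len, fe);

	if (status < 0)
		return status;

	status = -EINVAL;
	if (!!(fe->i_flags & OCFS2_SYSTEM_FL) !=
	    !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)) {
		fprintf(stderr, "Inode %llu: system file state is ambiguous\n",
			(unsigned long long)args->fi_blkno);
		return status;
	}
	if (fe->i_blkno != args->fi_blkno)
		return status;  /* the block must also name itself correctly */

	return 0;
}

/*
 * One constructed image: a block at `blkno` whose i_flags are `disk_flags`,
 * read by a caller passing `caller_flags`; `len` is the byte count handed
 * to the reader. Returns the read status (0 or -EINVAL).
 */
static int run_scenario(uint64_t blkno, uint32_t disk_flags,
			unsigned int caller_flags, size_t len)
{
	uint8_t blk[DINODE_LEN];
	struct find_inode_args args = { .fi_blkno = blkno, .fi_flags = caller_flags };
	struct model_dinode fe;

	le_put(blk, blkno, 8);
	le_put(blk + 8, disk_flags, 4);
	return read_locked_inode(blk, len, &args, &fe);
}

int main(void)
{
	/* Healthy image: system directory entry -> system inode. */
	printf("sysdir -> system inode:  %d\n",
	       run_scenario(0x20, OCFS2_VALID_FL | OCFS2_SYSTEM_FL,
			    OCFS2_FI_FLAG_SYSFILE, DINODE_LEN));
	/* The reported case: system directory entry -> valid, non-system inode. */
	printf("sysdir -> regular inode: %d\n",
	       run_scenario(0x20, OCFS2_VALID_FL, OCFS2_FI_FLAG_SYSFILE, DINODE_LEN));
	/* Reverse: an ordinary lookup lands on a block flagged as a system file. */
	printf("lookup -> system inode:  %d\n",
	       run_scenario(0x20, OCFS2_VALID_FL | OCFS2_SYSTEM_FL, 0, DINODE_LEN));
	return 0;
}
```

The point of the model is the order of the two checks: generic validation passes for the crafted block (it is a well-formed, valid inode), and only the comparison against the caller's expectation catches it; that comparison therefore sits on untrusted input and has to fail the read rather than assert.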