From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH v3] ocfs2: validate group add input before caching
Date: Fri, 10 Apr 2026 10:02:08 +0800
Message-ID: <20260410020209.3786348-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in ocfs2_set_new_buffer_uptodate():

kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
 ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
 ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d

[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a user-controlled
group block before ocfs2_verify_group_and_input() validates that block
number. That helper is only valid for newly allocated metadata and asserts
that the block is not already present in the chosen metadata cache.

The code also uses INODE_CACHE(inode) even though the group descriptor
belongs to main_bm_inode and later journal accesses use that cache context
instead.

[FIX]
Validate the on-disk group descriptor before caching it, then add it to the
metadata cache tracked by INODE_CACHE(main_bm_inode).
Keep the validation failure path separate from the later cleanup path so we
only remove the buffer from that cache after it has actually been inserted.
This keeps the group buffer lifetime consistent across validation,
journaling, and cleanup.

Fixes: 7909f2bf8353 ("[PATCH 2/2] ocfs2: Implement group add for online resize")
Signed-off-by: ZhengYuan Huang
---
v3:
- keep out_free_group_bh as the brelse() label
- add out_remove_cache for failures after cache insertion
- send ocfs2_start_trans() failure to out_remove_cache

v2:
- add the missing Fixes tag for the group-add introduction commit
- keep the validation failure path separate so cache removal only happens
  after the buffer has been inserted into main_bm_inode's cache
---
 fs/ocfs2/resize.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
index b0733c08ed13..5c6975d90ad6 100644
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -504,14 +504,14 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) goto out_unlock; } - ocfs2_set_new_buffer_uptodate(INODE_CACHE(inode), group_bh); - ret = ocfs2_verify_group_and_input(main_bm_inode, fe, input, group_bh); if (ret) { mlog_errno(ret); goto out_free_group_bh; } + ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh); + trace_ocfs2_group_add((unsigned long long)input->group, input->chain, input->clusters, input->frees);
@@ -519,7 +519,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) if (IS_ERR(handle)) { mlog_errno(PTR_ERR(handle)); ret = -EINVAL; - goto out_free_group_bh; + goto out_remove_cache; } cl_bpc = le16_to_cpu(fe->id2.i_chain.cl_bpc);
@@ -573,9 +573,11 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) out_commit: ocfs2_commit_trans(osb, handle); -out_free_group_bh: +out_remove_cache: if (ret < 0) - ocfs2_remove_from_cache(INODE_CACHE(inode), group_bh); + ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh); + +out_free_group_bh: brelse(group_bh); out_unlock: -- 2.43.0
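Review bot: in the hunk at @@ -504,14 +504,14 @@, the invariant that makes the move safe, namely that once ocfs2_verify_group_and_input() has accepted input->group the block cannot already be in main_bm_inode's cache, is left implicit. Please add a short comment above the moved `ocfs2_set_new_buffer_uptodate(INODE_CACHE(main_bm_inode), group_bh);` saying that the block has been validated against the bitmap inode and is therefore new to that cache, so the BUG_ON this call carries is documented at the call site. It would also help to confirm in the changelog that the verification works on the raw contents of group_bh and does not itself require the buffer to be cached, since that is what allows the `goto out_free_group_bh;` in the verify failure branch to remain a plain brelse() path.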
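Review bot: in the hunk at @@ -519,7 +519,7 @@, `goto out_remove_cache;` is the right target for the ocfs2_start_trans() failure, because the buffer has been inserted into the cache by this point and the preceding `ret = -EINVAL;` satisfies the `ret < 0` guard at that label. One pre-existing detail visible in the same hunk: the real error is logged with mlog_errno(PTR_ERR(handle)) and then overwritten with -EINVAL, so the caller never sees the journal's error code; not something this fix needs to change, but a candidate for a follow-up that returns PTR_ERR(handle) instead.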
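Review bot: in the hunk at @@ -573,9 +573,11 @@, renaming the cleanup label to out_remove_cache and adding a separate out_free_group_bh changes the meaning of every `goto out_free_group_bh` in the function, including any jump outside the diff context. The hunks shown cover the verify failure (now brelse() only, correct because the buffer was never cached) and the ocfs2_start_trans() failure (now out_remove_cache); the commit message should state explicitly that every remaining failure inside the transaction reaches out_commit and falls through to out_remove_cache, so a reader can confirm that no post-insertion error still bypasses `ocfs2_remove_from_cache(INODE_CACHE(main_bm_inode), group_bh);` and leaves a stale entry in the bitmap inode's cache.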
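The [CAUSE] and [FIX] sections above describe an ordering problem: a user-controlled block number is inserted into a metadata cache whose insert helper asserts that the block is new, before anything has checked that it is. The C program below is an added illustration written for this page, not ocfs2 code and not part of the patch. It models the cache as a small table, models the "must not already be cached" precondition of ocfs2_set_new_buffer_uptodate() as a WOULD_BUG return, reduces ocfs2_verify_group_and_input() to its in-volume check, and contrasts the pre-patch and post-patch control flow, including the two cleanup labels so that only a buffer that was actually inserted is removed. The block numbers, VOLUME_BLOCKS, struct meta_cache, struct outcome and the demo() driver are all constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Toy model of a per-inode metadata cache (not ocfs2 code): a block is
 * "cached" when its number is in the table.  All values are constructed. */
#define CACHE_MAX     16
#define VOLUME_BLOCKS 100     /* blocks < 100 lie inside the current volume */
#define WOULD_BUG     (-1000) /* stands in for the kernel BUG_ON in this model */

struct meta_cache {
	uint64_t blocks[CACHE_MAX];
	size_t count;
};

static bool cache_contains(const struct meta_cache *c, uint64_t blkno)
{
	for (size_t i = 0; i < c->count; i++)
		if (c->blocks[i] == blkno)
			return true;
	return false;
}

/* Models ocfs2_set_new_buffer_uptodate(): only legal for a block not yet cached. */
static int cache_insert_new(struct meta_cache *c, uint64_t blkno)
{
	if (cache_contains(c, blkno) || c->count == CACHE_MAX)
		return WOULD_BUG;
	c->blocks[c->count++] = blkno;
	return 0;
}

/* Models ocfs2_remove_from_cache(): no-op when the block is absent. */
static void cache_remove(struct meta_cache *c, uint64_t blkno)
{
	for (size_t i = 0; i < c->count; i++)
		if (c->blocks[i] == blkno) {
			c->blocks[i] = c->blocks[--c->count];
			return;
		}
}

/* Models the "group lies inside the current volume" rejection in
 * ocfs2_verify_group_and_input(); its other checks are omitted here. */
static int verify_group_block(uint64_t blkno)
{
	return blkno < VOLUME_BLOCKS ? -EINVAL : 0;
}

/* Pre-patch order: cache the user-supplied block first, validate second. */
int group_add_before_fix(struct meta_cache *c, uint64_t blkno, bool start_trans_fails)
{
	int ret = cache_insert_new(c, blkno); /* an already-cached block fires the BUG_ON here */
	if (ret)
		return ret;
	ret = verify_group_block(blkno);
	if (!ret && start_trans_fails)
		ret = -EINVAL; /* models an ocfs2_start_trans() failure */
	/* single cleanup label: remove from the cache on any error */
	if (ret < 0)
		cache_remove(c, blkno);
	return ret;
}

/* Post-patch order: validate first, cache second, undo only what was done. */
int group_add_after_fix(struct meta_cache *c, uint64_t blkno, bool start_trans_fails)
{
	int ret = verify_group_block(blkno);
	if (ret)
		goto out_free_group_bh; /* never cached, so nothing to remove */
	ret = cache_insert_new(c, blkno); /* a validated block is outside the volume, hence new */
	if (ret)
		return ret;
	if (start_trans_fails) {
		ret = -EINVAL; /* models an ocfs2_start_trans() failure */
		goto out_remove_cache;
	}
	/* journaled update of the group descriptor would go here */
out_remove_cache:
	if (ret < 0)
		cache_remove(c, blkno);
out_free_group_bh:
	return ret;
}

/* Scenario driver (constructed): the bitmap inode's cache already holds
 * block 42, inside the volume, when a group add for blkno arrives. */
struct outcome { int ret; size_t cached; };

struct outcome demo(int (*group_add)(struct meta_cache *, uint64_t, bool),
		    uint64_t blkno, bool start_trans_fails)
{
	struct meta_cache c = { .count = 0 };
	struct outcome o;
	cache_insert_new(&c, 42);
	o.ret = group_add(&c, blkno, start_trans_fails);
	o.cached = c.count;
	return o;
}
```

Calling demo(group_add_before_fix, 42, false) reproduces the report: the cached in-volume block reaches the insert before validation and returns WOULD_BUG, whereas demo(group_add_after_fix, 42, false) rejects it with -EINVAL and leaves the cache untouched. demo(group_add_after_fix, 200, true) shows the second half of the fix: the validated block is inserted, the transaction start fails, and the out_remove_cache path restores the cache to its previous size.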