public inbox for linux-kernel@vger.kernel.org
From: ZhengYuan Huang <gality369@gmail.com>
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com,
	ZhengYuan Huang <gality369@gmail.com>
Subject: [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id
Date: Fri, 10 Apr 2026 14:22:27 +0800	[thread overview]
Message-ID: <20260410062227.3881209-1-gality369@gmail.com> (raw)

[BUG]
A crafted inline-data directory can set i_size larger than id_count.
readdir then walks past data->id_data and KASAN reports:

BUG: KASAN: use-after-free in ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
Read of size 2 at addr ffff8880088f0008 by task syz.0.1936/4656
Call Trace:
 ...
 ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
 ocfs2_dir_foreach_blk_id+0x203/0xa70 fs/ocfs2/dir.c:1805
 ocfs2_dir_foreach_blk fs/ocfs2/dir.c:1933 [inline]
 ocfs2_readdir+0x4ba/0x520 fs/ocfs2/dir.c:1977
 wrap_directory_iterator+0x9c/0xe0 fs/readdir.c:65
 shared_ocfs2_readdir+0x29/0x40 fs/ocfs2/file.c:2822
 iterate_dir+0x276/0x9e0 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64 fs/readdir.c:396 [inline]
 __x64_sys_getdents64+0x143/0x2a0 fs/readdir.c:396
 ...

[CAUSE]
ocfs2_dir_foreach_blk_id() uses i_size_read(inode) as the loop bound
after reading the inode block. Inline directories are only valid while
i_size <= le16_to_cpu(data->id_count), but that invariant is never
checked on read. Once ctx->pos reaches id_count, data->id_data +
ctx->pos points past the inode block and can land in a freed neighbor
page.

[FIX]
Validate i_size_read(inode) against data->id_count immediately after
ocfs2_read_inode_block(). If the inline directory size exceeds its
on-disk capacity, return -EFSCORRUPTED before constructing any dirent
pointer. Keep the change local to ocfs2_dir_foreach_blk_id() so the
patch stays scoped to the readdir bug.

Fixes: 23193e513d1c ("ocfs2: Read support for directories with inline data")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
 fs/ocfs2/dir.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..fa537505d1a9 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -1761,6 +1761,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 				    struct dir_context *ctx)
 {
 	int ret, i;
+	int error = 0;
 	unsigned long offset = ctx->pos;
 	struct buffer_head *di_bh = NULL;
 	struct ocfs2_dinode *di;
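Review bot: A second status variable, `int error = 0;`, is declared beside the existing `ret` in `int ret, i;`, so the function now carries two error codes and it is not obvious from this hunk which one a given exit path reports. Since `error` is assigned only by the new size check and is what `out:` returns, either reuse `ret` for the check or add a one-line comment at this declaration saying why the other jumps to `out:` must keep returning 0, so the next reader does not merge the two variables and silently change what readdir returns on those paths.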
@@ -1777,6 +1778,12 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 	di = (struct ocfs2_dinode *)di_bh->b_data;
 	data = &di->id2.i_data;
 
+	if (unlikely(i_size_read(inode) > le16_to_cpu(data->id_count))) {
+		error = -EFSCORRUPTED;
+		mlog_errno(error);
+		goto out;
+	}
+
 	while (ctx->pos < i_size_read(inode)) {
 		/* If the dir block has changed since the last call to
 		 * readdir(2), then we might be pointing to an invalid
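Review bot: The corruption check reports only through `mlog_errno(error)`, which logs the errno and source location but neither the inode nor the mismatched values, so an operator seeing the message cannot tell which dinode to hand to fsck.ocfs2. Because `i_size_read(inode) > le16_to_cpu(data->id_count)` means damaged on-disk metadata rather than a transient failure, consider reporting it with `ocfs2_error(inode->i_sb, ...)` and including `OCFS2_I(inode)->ip_blkno`, the i_size and the id_count in the message, which also lets the mount's errors= policy act on the corruption instead of readdir quietly failing with -EFSCORRUPTED.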
@@ -1819,7 +1826,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 	}
 out:
 	brelse(di_bh);
-	return 0;
+	return error;
 }
 
 /*
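Review bot: `return error;` replaces the function's single `return 0;`, so every `goto out` now returns whatever `error` holds; with `error` initialised to 0 and set only in the new check, the other early exits still return 0 exactly as before, but a reader of this hunk alone will assume they now propagate a failure too. One sentence in the commit message stating that the other exit paths are deliberately left returning 0 (consistent with keeping the patch scoped to the readdir bug) would avoid a follow-up "fix" that changes that behaviour.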
-- 
2.49.0
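The readdir walk described under [CAUSE] and the guard from [FIX], as an added user-space model that is not part of this patch or of ocfs2: the struct, the dirent byte layout, ID_CAP, the sample entries and all function names (inline_dir, walk_inline_dir, run_sample, sample_rc, sample_emitted) are assumptions of the example. EUCLEAN stands in for the kernel's EFSCORRUPTED, and -EFAULT marks the point where the unpatched loop would form a dirent pointer past the inline area, which is the read KASAN flagged.

```c
/*
 * User-space model of the inline-data readdir walk hardened by the patch
 * above. Added illustration, not ocfs2 code: struct inline_dir, the dirent
 * byte layout, ID_CAP and the helper names are simplified stand-ins for
 * ocfs2_inline_data / ocfs2_dir_entry and are assumptions of this example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_CAP      64   /* assumed id_count of the sample inode */
#define DIRENT_HDR  12   /* inode(8) + rec_len(2) + name_len(1) + file_type(1) */
#define REC_LEN(n)  (((n) + DIRENT_HDR + 3) & ~3u)  /* rounding as OCFS2_DIR_REC_LEN */

/* Stand-in for the inline-data area of a dinode: capacity plus payload. */
struct inline_dir {
    uint16_t id_count;
    uint8_t  id_data[ID_CAP];
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t get_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Write one dirent at pos; returns the position of the next one. */
static unsigned put_dirent(struct inline_dir *d, unsigned pos, uint64_t ino,
                           const char *name, uint16_t rec_len)
{
    uint8_t n = (uint8_t)strlen(name);
    put_le64(d->id_data + pos, ino);
    put_le16(d->id_data + pos + 8, rec_len);
    d->id_data[pos + 10] = n;
    d->id_data[pos + 11] = 2;                  /* file_type: directory (assumed) */
    memcpy(d->id_data + pos + DIRENT_HDR, name, n);
    return pos + rec_len;
}

/*
 * Walk the inline directory the way ocfs2_dir_foreach_blk_id() does, with
 * i_size as the loop bound; validate_size enables the check the patch adds.
 * Returns 0, -EUCLEAN (the kernel's EFSCORRUPTED) when that check fires, or
 * -EFAULT where the unpatched loop would point past id_data.
 */
static int walk_inline_dir(const struct inline_dir *d, uint64_t i_size,
                           int validate_size, unsigned *emitted)
{
    uint64_t pos = 0;

    *emitted = 0;
    if (validate_size && i_size > d->id_count)
        return -EUCLEAN;
    while (pos < i_size) {
        if (pos + DIRENT_HDR > sizeof d->id_data)
            return -EFAULT;
        const uint8_t *de = d->id_data + pos;
        uint16_t rec_len = get_le16(de + 8);
        uint8_t name_len = de[10];

        /* Subset of ocfs2_check_dir_entry(): stop at the first bad entry. */
        if (rec_len < REC_LEN(1) || rec_len % 4 || rec_len < REC_LEN(name_len) ||
            pos + rec_len > i_size)
            break;
        if (get_le64(de))
            (*emitted)++;
        pos += rec_len;
    }
    return 0;
}

/* Run the walk over a constructed inode: ".", "..", "a" filling 64 bytes. */
int run_sample(uint64_t i_size, int validate_size, unsigned *emitted)
{
    struct inline_dir d;
    unsigned pos = 0;

    memset(&d, 0, sizeof d);
    d.id_count = ID_CAP;
    pos = put_dirent(&d, pos, 5, ".", REC_LEN(1));      /* ends at 16 */
    pos = put_dirent(&d, pos, 2, "..", REC_LEN(2));     /* ends at 32 */
    put_dirent(&d, pos, 17, "a", ID_CAP - pos);         /* last entry spans the rest */
    return walk_inline_dir(&d, i_size, validate_size, emitted);
}

int sample_rc(uint64_t s, int v) { unsigned n; return run_sample(s, v, &n); }
unsigned sample_emitted(uint64_t s, int v) { unsigned n; run_sample(s, v, &n); return n; }

int main(void)
{
    /* i_size 64 matches id_count; 96 models the crafted inode from the report. */
    printf("valid:              rc=%d emitted=%u\n", sample_rc(64, 1), sample_emitted(64, 1));
    printf("crafted, unpatched: rc=%d emitted=%u\n", sample_rc(96, 0), sample_emitted(96, 0));
    printf("crafted, patched:   rc=%d emitted=%u\n", sample_rc(96, 1), sample_emitted(96, 1));
    return 0;
}
```

With the crafted i_size of 96 the unpatched walk emits the three real entries and then, at pos 64, would build a dirent pointer 12 bytes past the 64-byte inline area, exactly the pattern in the trace above (ocfs2_check_dir_entry reading just past the block). With the check enabled the same inode is rejected before any dirent pointer is formed, matching the patch's ordering of the test ahead of the loop.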

Thread overview: 3+ messages
2026-04-10  6:22 ZhengYuan Huang [this message]
2026-04-10 10:03 ` [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id Joseph Qi
2026-04-10 10:35   ` ZhengYuan Huang
