public inbox for linux-kernel@vger.kernel.org
* [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id
@ 2026-04-10  6:22 ZhengYuan Huang
  2026-04-10 10:03 ` Joseph Qi
  0 siblings, 1 reply; 3+ messages in thread
From: ZhengYuan Huang @ 2026-04-10  6:22 UTC (permalink / raw)
  To: mark, jlbec, joseph.qi
  Cc: ocfs2-devel, linux-kernel, baijiaju1990, r33s3n6, zzzccc427,
	ZhengYuan Huang

[BUG]
A crafted inline-data directory can set i_size larger than id_count.
readdir then walks past data->id_data and KASAN reports:

BUG: KASAN: use-after-free in ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
Read of size 2 at addr ffff8880088f0008 by task syz.0.1936/4656
Call Trace:
 ...
 ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
 ocfs2_dir_foreach_blk_id+0x203/0xa70 fs/ocfs2/dir.c:1805
 ocfs2_dir_foreach_blk fs/ocfs2/dir.c:1933 [inline]
 ocfs2_readdir+0x4ba/0x520 fs/ocfs2/dir.c:1977
 wrap_directory_iterator+0x9c/0xe0 fs/readdir.c:65
 shared_ocfs2_readdir+0x29/0x40 fs/ocfs2/file.c:2822
 iterate_dir+0x276/0x9e0 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:410 [inline]
 __se_sys_getdents64 fs/readdir.c:396 [inline]
 __x64_sys_getdents64+0x143/0x2a0 fs/readdir.c:396
 ...

[CAUSE]
ocfs2_dir_foreach_blk_id() uses i_size_read(inode) as the loop bound
after reading the inode block. Inline directories are only valid while
i_size <= le16_to_cpu(data->id_count), but that invariant is never
checked on read. Once ctx->pos reaches id_count, data->id_data +
ctx->pos points past the inode block and can land in a freed neighbor
page.

[FIX]
Validate i_size_read(inode) against data->id_count immediately after
ocfs2_read_inode_block(). If the inline directory size exceeds its
on-disk capacity, return -EFSCORRUPTED before constructing any dirent
pointer. Keep the change local to ocfs2_dir_foreach_blk_id() so the
patch stays scoped to the readdir bug.

Fixes: 23193e513d1c ("ocfs2: Read support for directories with inline data")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
 fs/ocfs2/dir.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..fa537505d1a9 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -1761,6 +1761,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 				    struct dir_context *ctx)
 {
 	int ret, i;
+	int error = 0;
 	unsigned long offset = ctx->pos;
 	struct buffer_head *di_bh = NULL;
 	struct ocfs2_dinode *di;
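Review bot: the line above the added declaration already declares `int ret, i;`, so introducing a second status variable `error` that is only assigned in the new corruption branch reads as duplication. Consider carrying the -EFSCORRUPTED result in `ret`, or, if `ret` has a distinct role elsewhere in the function, a short comment saying why two status variables are needed.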
@@ -1777,6 +1778,12 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 	di = (struct ocfs2_dinode *)di_bh->b_data;
 	data = &di->id2.i_data;
 
+	if (unlikely(i_size_read(inode) > le16_to_cpu(data->id_count))) {
+		error = -EFSCORRUPTED;
+		mlog_errno(error);
+		goto out;
+	}
+
 	while (ctx->pos < i_size_read(inode)) {
 		/* If the dir block has changed since the last call to
 		 * readdir(2), then we might be pointing to an invalid
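Review bot: the new check reads `i_size_read(inode)` once, while the `while (ctx->pos < i_size_read(inode))` loop below re-reads it on every iteration; if the in-memory size can be refreshed between the check and the loop, the validated value and the loop bound can differ. Caching the validated size in a local (e.g. `loff_t size = i_size_read(inode);`) and using that local as the loop bound closes that window. Separately, since the comparison is against the on-disk `data->id_count` and the size being checked was itself copied in from disk, the invariant is better enforced where the dinode is validated at load time rather than only in readdir, as the follow-up in this thread also concludes.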
@@ -1819,7 +1826,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
 	}
 out:
 	brelse(di_bh);
-	return 0;
+	return error;
 }
 
 /*
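Review bot: with `out:` now returning `error` instead of 0, every pre-existing `goto out` in the function still returns 0 unless it sets `error`, including the failure path of the ocfs2_read_inode_block() call that the description says precedes the new check. Confirm that dropping those errors is intended, or fold `ret` into the returned value so the read failure propagates as well.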
-- 
2.49.0


* Re: [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id
  2026-04-10  6:22 [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id ZhengYuan Huang
@ 2026-04-10 10:03 ` Joseph Qi
  2026-04-10 10:35   ` ZhengYuan Huang
  0 siblings, 1 reply; 3+ messages in thread
From: Joseph Qi @ 2026-04-10 10:03 UTC (permalink / raw)
  To: ZhengYuan Huang
  Cc: ocfs2-devel, linux-kernel, baijiaju1990, r33s3n6, zzzccc427,
	Mark Fasheh, Joel Becker



On 4/10/26 2:22 PM, ZhengYuan Huang wrote:
> [BUG]
> A crafted inline-data directory can set i_size larger than id_count.
> readdir then walks past data->id_data and KASAN reports:
> 
> BUG: KASAN: use-after-free in ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
> Read of size 2 at addr ffff8880088f0008 by task syz.0.1936/4656
> Call Trace:
>  ...
>  ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
>  ocfs2_dir_foreach_blk_id+0x203/0xa70 fs/ocfs2/dir.c:1805
>  ocfs2_dir_foreach_blk fs/ocfs2/dir.c:1933 [inline]
>  ocfs2_readdir+0x4ba/0x520 fs/ocfs2/dir.c:1977
>  wrap_directory_iterator+0x9c/0xe0 fs/readdir.c:65
>  shared_ocfs2_readdir+0x29/0x40 fs/ocfs2/file.c:2822
>  iterate_dir+0x276/0x9e0 fs/readdir.c:108
>  __do_sys_getdents64 fs/readdir.c:410 [inline]
>  __se_sys_getdents64 fs/readdir.c:396 [inline]
>  __x64_sys_getdents64+0x143/0x2a0 fs/readdir.c:396
>  ...
> 
> [CAUSE]
> ocfs2_dir_foreach_blk_id() uses i_size_read(inode) as the loop bound
> after reading the inode block. Inline directories are only valid while
> i_size <= le16_to_cpu(data->id_count), but that invariant is never
> checked on read. Once ctx->pos reaches id_count, data->id_data +
> ctx->pos points past the inode block and can land in a freed neighbor
> page.
> 

ocfs2_read_inode_block() has already validated dinode->i_size.
So how does it happen for the corrupted in-memory i_size?

Thanks,
Joseph

> [FIX]
> Validate i_size_read(inode) against data->id_count immediately after
> ocfs2_read_inode_block(). If the inline directory size exceeds its
> on-disk capacity, return -EFSCORRUPTED before constructing any dirent
> pointer. Keep the change local to ocfs2_dir_foreach_blk_id() so the
> patch stays scoped to the readdir bug.
> 
> Fixes: 23193e513d1c ("ocfs2: Read support for directories with inline data")
> Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
> ---
>  fs/ocfs2/dir.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
> index 8c9c4825f984..fa537505d1a9 100644
> --- a/fs/ocfs2/dir.c
> +++ b/fs/ocfs2/dir.c
> @@ -1761,6 +1761,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
>  				    struct dir_context *ctx)
>  {
>  	int ret, i;
> +	int error = 0;
>  	unsigned long offset = ctx->pos;
>  	struct buffer_head *di_bh = NULL;
>  	struct ocfs2_dinode *di;
> @@ -1777,6 +1778,12 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
>  	di = (struct ocfs2_dinode *)di_bh->b_data;
>  	data = &di->id2.i_data;
>  
> +	if (unlikely(i_size_read(inode) > le16_to_cpu(data->id_count))) {
> +		error = -EFSCORRUPTED;
> +		mlog_errno(error);
> +		goto out;
> +	}
> +
>  	while (ctx->pos < i_size_read(inode)) {
>  		/* If the dir block has changed since the last call to
>  		 * readdir(2), then we might be pointing to an invalid
> @@ -1819,7 +1826,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode,
>  	}
>  out:
>  	brelse(di_bh);
> -	return 0;
> +	return error;
>  }
>  
>  /*



* Re: [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id
  2026-04-10 10:03 ` Joseph Qi
@ 2026-04-10 10:35   ` ZhengYuan Huang
  0 siblings, 0 replies; 3+ messages in thread
From: ZhengYuan Huang @ 2026-04-10 10:35 UTC (permalink / raw)
  To: Joseph Qi
  Cc: ocfs2-devel, linux-kernel, baijiaju1990, r33s3n6, zzzccc427,
	Mark Fasheh, Joel Becker

On Fri, Apr 10, 2026 at 6:03 PM Joseph Qi <joseph.qi@linux.alibaba.com> wrote:
> On 4/10/26 2:22 PM, ZhengYuan Huang wrote:
> > [BUG]
> > A crafted inline-data directory can set i_size larger than id_count.
> > readdir then walks past data->id_data and KASAN reports:
> >
> > BUG: KASAN: use-after-free in ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
> > Read of size 2 at addr ffff8880088f0008 by task syz.0.1936/4656
> > Call Trace:
> >  ...
> >  ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305
> >  ocfs2_dir_foreach_blk_id+0x203/0xa70 fs/ocfs2/dir.c:1805
> >  ocfs2_dir_foreach_blk fs/ocfs2/dir.c:1933 [inline]
> >  ocfs2_readdir+0x4ba/0x520 fs/ocfs2/dir.c:1977
> >  wrap_directory_iterator+0x9c/0xe0 fs/readdir.c:65
> >  shared_ocfs2_readdir+0x29/0x40 fs/ocfs2/file.c:2822
> >  iterate_dir+0x276/0x9e0 fs/readdir.c:108
> >  __do_sys_getdents64 fs/readdir.c:410 [inline]
> >  __se_sys_getdents64 fs/readdir.c:396 [inline]
> >  __x64_sys_getdents64+0x143/0x2a0 fs/readdir.c:396
> >  ...
> >
> > [CAUSE]
> > ocfs2_dir_foreach_blk_id() uses i_size_read(inode) as the loop bound
> > after reading the inode block. Inline directories are only valid while
> > i_size <= le16_to_cpu(data->id_count), but that invariant is never
> > checked on read. Once ctx->pos reaches id_count, data->id_data +
> > ctx->pos points past the inode block and can land in a freed neighbor
> > page.
> >
>
> ocfs2_read_inode_block() has already validated dinode->i_size.
> So how does it happen for the corrupted in-memory i_size?
>
> Thanks,
> Joseph

Thanks, my previous description was inaccurate.

The issue is not that inode->i_size becomes corrupted in memory after
ocfs2_read_inode_block() validates the dinode. The issue is that the
current dinode validation does not check the inline-directory
invariant i_size <= id_count.

ocfs2_validate_inode_block() does basic dinode validation, but it does
not verify that inline directory size fits within id_count. Then
ocfs2_populate_inode() / ocfs2_refresh_inode() /
ocfs2_refresh_inode_from_lvb() copy that unchecked size into the VFS
inode.

So the actual problem is an unchecked corrupted on-disk i_size, not a
post-validation in-memory corruption.

Once such an inode is loaded, readdir can legally reach
ocfs2_dir_foreach_blk_id(), which uses i_size_read(inode) as the upper
bound.

Based on your comment, I think the cleaner fix is to reject such
inline directories when the inode is loaded or refreshed, rather than
only checking in ocfs2_dir_foreach_blk_id(). I will respin the patch
accordingly.

Thanks,
ZhengYuan Huang
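
A userspace model of the invariant discussed in this thread, added here as an example and not code from the patch or from ocfs2: a constructed inline-data area with an `id_count` capacity, two constructed dirents, and a walk that uses `i_size` as the loop bound the way the description says `ocfs2_dir_foreach_blk_id()` does, with the `i_size <= id_count` check enforced before any byte of `id_data` is indexed. `ID_CAP`, `REC_HDR`, the dirent header layout, `put_dirent`, `build_sample` and `inline_dir_foreach` are simplifications assumed for this model, not ocfs2's real on-disk format or API.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model, not ocfs2 code: an inline-data area with id_count bytes
 * of capacity holding little-endian dirents laid out as
 * inode(8) rec_len(2) name_len(1) file_type(1) name(name_len). */
#define ID_CAP 64              /* constructed capacity (id_count) */
#define REC_HDR 12             /* dirent header size */
#define EFSCORRUPTED 117       /* == EUCLEAN, the kernel's mapping */
struct inline_data { uint16_t id_count; uint8_t id_data[ID_CAP]; };

/* Append one dirent at *pos; rec_len is rounded up to a multiple of 4. */
static void put_dirent(struct inline_data *d, size_t *pos, uint64_t ino,
                       const char *name)
{
    uint8_t *p = d->id_data + *pos;
    size_t nlen = strlen(name), rec = (REC_HDR + nlen + 3) & ~(size_t)3;
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(ino >> (8 * i));
    p[8] = (uint8_t)rec; p[9] = (uint8_t)(rec >> 8);
    p[10] = (uint8_t)nlen; p[11] = 0;
    memcpy(p + REC_HDR, name, nlen);
    *pos += rec;
}

/* Constructed sample: "." and ".." in a 64-byte area; returns the
 * legitimate i_size (32 bytes), which fits within id_count. */
size_t build_sample(struct inline_data *d)
{
    size_t pos = 0;
    memset(d, 0, sizeof *d);
    d->id_count = ID_CAP;
    put_dirent(d, &pos, 5, ".");
    put_dirent(d, &pos, 2, "..");
    return pos;
}

/* The readdir walk with the patch's invariant enforced first: i_size is the
 * loop bound, so it must not exceed the bytes that exist in id_data.
 * Returns the entry count, or -EFSCORRUPTED. */
int inline_dir_foreach(const struct inline_data *d, uint64_t i_size)
{
    if (i_size > d->id_count)
        return -EFSCORRUPTED;  /* would index past id_data */
    int n = 0;
    for (size_t pos = 0; pos < i_size; n++) {
        if (pos + REC_HDR > i_size) return -EFSCORRUPTED;
        uint16_t rec = d->id_data[pos + 8] | (d->id_data[pos + 9] << 8);
        if (rec < REC_HDR || rec % 4 || pos + rec > i_size)
            return -EFSCORRUPTED;
        pos += rec;
    }
    return n;
}
```

With `i_size` set above `ID_CAP` the walk refuses before touching `id_data`; with `i_size` inflated only up to `ID_CAP`, the zero-filled tail is rejected by the per-entry `rec_len` checks instead.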
