From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D4EA2DAFBB for ; Fri, 10 Apr 2026 06:22:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.171 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775802159; cv=none; b=MM4NYKNLomrBXvtBQQ/tZI3kUdSISmss4QgitBwIbP7UZ2avd5Wxy95KRc73ym1yjm3D6k5ztW8QaxLescNpb0xKXQTo8TNpXwCcQH4gGjL12UCOqyv+SBAi8tMHc1vRm3gG6J7+e7ItQ0BU8OJOjsaEE1hJa9ZOVjWnOW17++E= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775802159; c=relaxed/simple; bh=ztkayzzo0bgWeNLdK9unurMrG7IYOcEVI9HQ4tBu8sQ=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=Avc1CRiDWifw5HXa+mdKqyx8oobGbLK8nZ1bGbedCJSml3+yY0llX5Z9j/Pu/dYfhUWkoXcRAbCEOqrLvfcd3uTAV47jMwHgXPA6OU8hVDmHjn6FjAPIGxzb0NJjQmd+m0Ql+p9W3izZ5saNWEW91//QrkNuCrmIRrQ6wva0nDE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=M0TWNZDF; arc=none smtp.client-ip=209.85.210.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="M0TWNZDF" Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-82a655cfab5so1635899b3a.1 for ; Thu, 09 Apr 2026 23:22:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775802157; x=1776406957; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=OFrYQXdupMVyTwUKDSAAmtUoDt1iQIIGZs4BQXeH8gY=; b=M0TWNZDFnYhigqxagUnLA1QxKhKib5J2odi1of2yGkA3KHdrKDCkE4d5L9gIk4IGTb DW5D61utNutoF7v6ynXU5xfwrgV25V15NhzH4XLgqIrqrIRKbEmibQTaes2nA2Uh/Nuk L8GB156IGE14chhutLxr9UeuUKn3/rG6MhkTNIf9dxZwXQq4fHRqhLZXSkDMcTWpNG5E ygJe2WEsIBekgzTRFEUSqDvPWBroO7OnkH5LRrPLZC40gnUXBhE/qNbZJGPbj5uii4+e Qh5IicgUXgEFetYlICyN3LA24dyW/C3xL1d2G/o7Y0nTvWhePKGaw63SOXfAaqTmZz5J 5mIA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775802157; x=1776406957; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=OFrYQXdupMVyTwUKDSAAmtUoDt1iQIIGZs4BQXeH8gY=; b=BV+vPa7nzS5XeF4dxOJCiBc6FJ5BbsMqlfFKVBOE5jnWqMcgQMjZz/N0wal10hBux4 o8SDLzHJxec5q9k6+DXFdxKb0OHe7BWBN/v5ecjGQh7s0QB5aekLvCAil4H3wsk+Vxkw gTXUEUlCUd+DAarMEqIRjfFT8JrXjUhtlNSGtO4tU6zt5Dk65h3Q0JW7uGRAMVzCABu7 8gmSYxTsqgAN5VfYUC325n6NetDio/zA2lNqtzGHXNua/y/w0rp1scEdIQ9/7+cZNgoo T+GdekgRGsbppEdKrLIJh6VHoMI1Ij9QkWvr7GnMRGD1+RVcrRk+tJ9x7beT6dNPydNV vsQQ== X-Forwarded-Encrypted: i=1; AJvYcCWUp99fAGnjeWiqHOBo1w0cQJiwh75nxy48mxp8MIqL5JOd8Rwtpupn7BYftOKiRYg1Hht8sPFeXe8wiTk=@vger.kernel.org X-Gm-Message-State: AOJu0Yw6p6GYT98Il/ZIxlV6Jx8Mx2FLZgnm4KPo1N/lAIBwKxbaPkil aUbPsRfO3upJYQ5JH8vP3T03AD8PsZHNnhjvXqpldzC/0k3Ro/qMJ0Xv X-Gm-Gg: AeBDiev3Iq1gpBoR9KT86XxX1upnw9KhDvgLjpl9ns8BsnXWCS1t42Urk59ScEJP6Lg 0mH650uVKDlrQepdbwMtysJfvUTXv9rDqOUekyCQWowjZ3UsZPNWM/U8NegXzM5f4bDjK6wiHLD DXbcFzkvDDS6MOha02imM10vyw1Mf2o3BmZ1XMDpbI27UidSSvT1KLwqG2VIlJ+OhX4mQ6TbvfM CK8i4nXxrkd9hY22jxLMB1u/bt0DGcrCRBBdd1hrdQBbusFX9x+B9oYBXLYWnfJ4+pe6jYk3xh6 8M+Kr83qHE6em+hrCzgP46SRos+ZwtcIvZkRMQ9EQHBfD3iDdjFJ2i/hFOU0YpI/JsSgT9ImOUY gMY/zOiH+zzIJOWSCJp1nLOXqdO6eiGYB36RtV7y0ZWtmN7535a79AVH89jZ/komOgM+K45guSd fdf8dpmv+yk9V6WWIh1j8Fz87ate/Y/jBuRj9Bg7dM5UeRqsyHndJxIC9KvouFEcE345u1Pw== X-Received: by 2002:a05:6a00:35c8:b0:82c:e83d:a9b0 with SMTP id d2e1a72fcca58-82f0c21952fmr2302547b3a.21.1775802157381; Thu, 09 Apr 2026 23:22:37 -0700 (PDT) Received: from kernel-fuzz.. ([138.199.21.245]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82f0c3145acsm1802344b3a.6.2026.04.09.23.22.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 23:22:36 -0700 (PDT) From: ZhengYuan Huang To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang Subject: [PATCH] ocfs2: validate inline dir size in ocfs2_dir_foreach_blk_id Date: Fri, 10 Apr 2026 14:22:27 +0800 Message-ID: <20260410062227.3881209-1-gality369@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit [BUG] A crafted inline-data directory can set i_size larger than id_count. readdir then walks past data->id_data and KASAN reports: BUG: KASAN: use-after-free in ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305 Read of size 2 at addr ffff8880088f0008 by task syz.0.1936/4656 Call Trace: ... ocfs2_check_dir_entry.isra.0+0x31f/0x370 fs/ocfs2/dir.c:305 ocfs2_dir_foreach_blk_id+0x203/0xa70 fs/ocfs2/dir.c:1805 ocfs2_dir_foreach_blk fs/ocfs2/dir.c:1933 [inline] ocfs2_readdir+0x4ba/0x520 fs/ocfs2/dir.c:1977 wrap_directory_iterator+0x9c/0xe0 fs/readdir.c:65 shared_ocfs2_readdir+0x29/0x40 fs/ocfs2/file.c:2822 iterate_dir+0x276/0x9e0 fs/readdir.c:108 __do_sys_getdents64 fs/readdir.c:410 [inline] __se_sys_getdents64 fs/readdir.c:396 [inline] __x64_sys_getdents64+0x143/0x2a0 fs/readdir.c:396 ... [CAUSE] ocfs2_dir_foreach_blk_id() uses i_size_read(inode) as the loop bound after reading the inode block. Inline directories are only valid while i_size <= le16_to_cpu(data->id_count), but that invariant is never checked on read. Once ctx->pos reaches id_count, data->id_data + ctx->pos points past the inode block and can land in a freed neighbor page. [FIX] Validate i_size_read(inode) against data->id_count immediately after ocfs2_read_inode_block(). If the inline directory size exceeds its on-disk capacity, return -EFSCORRUPTED before constructing any dirent pointer. Keep the change local to ocfs2_dir_foreach_blk_id() so the patch stays scoped to the readdir bug. Fixes: 23193e513d1c ("ocfs2: Read support for directories with inline data") Signed-off-by: ZhengYuan Huang --- fs/ocfs2/dir.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c index 8c9c4825f984..fa537505d1a9 100644 --- a/fs/ocfs2/dir.c +++ b/fs/ocfs2/dir.c @@ -1761,6 +1761,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode, struct dir_context *ctx) { int ret, i; + int error = 0; unsigned long offset = ctx->pos; struct buffer_head *di_bh = NULL; struct ocfs2_dinode *di; @@ -1777,6 +1778,12 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode, di = (struct ocfs2_dinode *)di_bh->b_data; data = &di->id2.i_data; + if (unlikely(i_size_read(inode) > le16_to_cpu(data->id_count))) { + error = -EFSCORRUPTED; + mlog_errno(error); + goto out; + } + while (ctx->pos < i_size_read(inode)) { /* If the dir block has changed since the last call to * readdir(2), then we might be pointing to an invalid @@ -1819,7 +1826,7 @@ static int ocfs2_dir_foreach_blk_id(struct inode *inode, } out: brelse(di_bh); - return 0; + return error; } /* -- 2.49.0