From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 39CC138D6A9
	for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 11:02:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.47
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776337362; cv=none; b=DYqOpWwFJ3eL8t1A7uo8216QjfzhaWChnxsB7dKNREQQB52Watx8HTz3gY16ebzAVFCfvKYcTSIwcAnd2MIifQ4olX7auCg2WtQZHnUIsTzZ4xm3TxUuYMhz2HJqReWafGG5cU512eL6kNAo3w7DRpNfeLeHZ6wBgF1KAmReLzI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776337362; c=relaxed/simple;
	bh=KFBXTi63vI6zjnGMRurOQ/GmieCYA7Zu6u4+QOdudWQ=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=U/48iBLYQg16dt3U+OMe88aWyfPMfEsiFv82kru+1TgeRvoaAb8EkwPIWJ3Su1Yt2RybCLst4wh4ICyQge4ZVfbOKQd4LmG8SIay7vjiZEN2tpMc2gJUalXSL0grxFDQlptJ/0Uj9DvF/9ATIV9bX6b3bfpfAz/UVItwrc+EOGc=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=iQd+W9if; arc=none smtp.client-ip=209.85.216.47
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="iQd+W9if"
Received: by mail-pj1-f47.google.com with SMTP id 98e67ed59e1d1-35fb7c1a455so1869442a91.3
        for <linux-kernel@vger.kernel.org>; Thu, 16 Apr 2026 04:02:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1776337359; x=1776942159; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=9xOMrsgK3rt7IdOfytfuUmtL+vnDHQ+MNaOsl8Gd7Is=;
        b=iQd+W9ifiSaZEEOYgHFS0UVqPtw852DVS6Lr86tWd0dE+UzzWpDMocsv5nu43fxNdx
         SoW2KEAGXE1i0bxUBn1mxWAV8qfZY8kMlxQ1n87uaAdhOjW4i4epK3z0x37sQMfxM5GN
         Ca3pKAx1ZPVTUlOUq1+668w/a8xwCxGjXYLEqgYbx4eqNAOHdE9H0Q1ijGCavmcJR8Q6
         okACEu8uHHVtS/PHt71XxdxLR+1pLF9c8SN5VWNmpjcfRFpuW5qKMy7Zeild1riQxNSv
         VGripwQqPTC00LmMWfaZ9FgNpx7jp6P52+TjNUThzwPBfKBljMiIv8VhqJxnXs7PQQrA
         zCOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1776337359; x=1776942159;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=9xOMrsgK3rt7IdOfytfuUmtL+vnDHQ+MNaOsl8Gd7Is=;
        b=tQscQzgzJAtosTzviVcr/sSJkj5g3IAZB9QMSbopvdqPOzPjiQG72bioZLmofdWDin
         /RgcWA0/lasSB1oMILjOgeeU0l5wqsjO+OL+sphoD/OUuF1LvAtphtI4VnSlQQ+/iSLc
         oFZljPp5XJbVTapCfqqhX6nEwJViSdDzc0sqYdrPw87Fb7ZtduKFTT9Bum7/LnjxNHek
         ZJNsIljlEQxzw3nH8s0mXZErry77txIybApdea39VXbdTI3lhxWCcOJgdeGqrySFPOII
         jsA8cLUD4RfL6FrrZ1ifLnB7TbiT/v+bgJBd2N/85KgH8Hr9DN1ww+2mMK49rQA905TY
         QENg==
X-Forwarded-Encrypted: i=1; AFNElJ/xmIefqrvaMtrx819usfrntjxP3Cv3oUxP0NG+5Hbk41PUNOo/PTpu/cKhMtK+wuDAWDIzDuLNbocB9FI=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxu+1VI56c6RxUuUcDftnwdGEdXkE75Dw4a/ZHVZYjR2tull6IM
	mEAHHkmmB1Ux8LcekJn9QE6F46R0aCsCuv2rTj35MIQZUhp8FkajKMRU
X-Gm-Gg: AeBDieu9la6mEjBMC2Bluy42Zdl6snRjEWI6HNYKJoBSOVUK4YZ2+WzcGU4XgCycOX+
	VvTKNHD+6T08U1prN2EGFlSnKDKdDjG3UM3eifJqManKs6zAJ9eIF6BGtTCd6ORE2QC/8dMFD3t
	Ok/hotw/SMdgyp8/Xi3ZaW179269M/1H2q5HIUkx+dIol019OqWDeygXhF07f7th0wFzzMt6A1Z
	sQ7wfN27QlVXv+Sj/2wAcNcWoLSR5rcuUMupc6E6DHQ5nRYVPP0Xuk5g7lPNCQm18u2DJWvbrUo
	kw4mFqGauX2wvd9U86bbFtbIXDYGxN9raLhNLBRQT4ukdj/m4jRbNyW1BVnA969gkGW3d1cni/z
	u3Yb2RMy6WK427CuSFTPPZ1gwazlJLvMPzXzFemZcKxTezVj8MXMzCj5Ap050U/MlNOvHEf/XWt
	i7JieGHnFtu+KIBeHgow1BjFre+t2LueQA8ds//jo2tmZLYPQpOWIBt7n4+g+Zfkx/GOZHhrM=
X-Received: by 2002:a17:90a:ec86:b0:35a:cf:64a6 with SMTP id 98e67ed59e1d1-35e42874998mr24558448a91.23.1776337359207;
        Thu, 16 Apr 2026 04:02:39 -0700 (PDT)
Received: from kernel-fuzz.. ([103.172.182.26])
        by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35fce7d792csm2765203a91.1.2026.04.16.04.02.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 Apr 2026 04:02:38 -0700 (PDT)
From: ZhengYuan Huang <gality369@gmail.com>
To: mark@fasheh.com,
	jlbec@evilplan.org,
	joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev,
	linux-kernel@vger.kernel.org,
	baijiaju1990@gmail.com,
	r33s3n6@gmail.com,
	zzzccc427@gmail.com,
	ZhengYuan Huang <gality369@gmail.com>
Subject: [PATCH] ocfs2: validate root extent tree depth during inode read
Date: Thu, 16 Apr 2026 19:02:29 +0800
Message-ID: <20260416110229.3283682-1-gality369@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

[BUG]
A corrupt dinode can carry an extent root whose l_tree_depth exceeds
OCFS2_MAX_PATH_DEPTH. When truncate builds a path from that root, OCFS2
hits the internal BUG_ON() in ocfs2_new_path():

kernel BUG at fs/ocfs2/alloc.c:686!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_new_path+0x1d5/0x240 fs/ocfs2/alloc.c:686
Call Trace:
 ocfs2_commit_truncate+0x29f/0x1aa0 fs/ocfs2/alloc.c:7253
 ocfs2_truncate_file+0xcdd/0x13c0 fs/ocfs2/file.c:509
 ocfs2_setattr+0xa6d/0x1fd0 fs/ocfs2/file.c:1212
 notify_change+0x4b5/0x1030 fs/attr.c:546
 do_truncate+0x1d2/0x230 fs/open.c:68
 handle_truncate fs/namei.c:3596 [inline]
 do_open fs/namei.c:3979 [inline]
 path_openat+0x260f/0x2ce0 fs/namei.c:4134
 do_filp_open+0x1f6/0x430 fs/namei.c:4161
 do_sys_openat2+0x117/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x15b/0x220 fs/open.c:1463
 ...

[CAUSE]
Extent blocks and __ocfs2_find_path() already treat oversized
l_tree_depth values as on-disk corruption, but the dinode root extent
list is never checked when the inode is read.

That lets a corrupt root extent list reach ocfs2_new_path(), which
stores the tree depth in a fixed-size struct ocfs2_path and therefore
expects the root metadata to have been validated already.

[FIX]
Validate the dinode root extent tree depth in ocfs2_validate_inode_block(),
which is the same cold metadata-read boundary where OCFS2 already checks
other on-disk geometry fields.

Also report this condition as unsupported from online filecheck so the
checker does not try to invent a replacement tree depth for a corrupt
extent tree root.

Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
No Fixes tag is included because this is a missing metadata validation
check at inode-read time, not a regression that can be cleanly tied to a
single introducing commit.
---
 fs/ocfs2/inode.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index a510a0eb1adc..b3456e627689 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1525,6 +1525,15 @@ int ocfs2_validate_inode_block(struct super_block *sb,
 		}
 	}
 
+	if (ocfs2_dinode_has_extents(di) &&
+	    le16_to_cpu(di->id2.i_list.l_tree_depth) >= OCFS2_MAX_PATH_DEPTH) {
+		rc = ocfs2_error(sb,
+				 "Invalid dinode %llu: extent list tree depth %u\n",
+				 (unsigned long long)bh->b_blocknr,
+				 le16_to_cpu(di->id2.i_list.l_tree_depth));
+		goto bail;
+	}
+
 	if (le32_to_cpu(di->i_flags) & OCFS2_CHAIN_FL) {
 		struct ocfs2_chain_list *cl = &di->id2.i_chain;
 		u16 bpc = 1 << (OCFS2_SB(sb)->s_clustersize_bits -
@@ -1626,6 +1635,15 @@ static int ocfs2_filecheck_validate_inode_block(struct super_block *sb,
 		rc = -OCFS2_FILECHECK_ERR_GENERATION;
 	}
 
+	if (ocfs2_dinode_has_extents(di) &&
+	    le16_to_cpu(di->id2.i_list.l_tree_depth) >= OCFS2_MAX_PATH_DEPTH) {
+		mlog(ML_ERROR,
+		     "Filecheck: invalid dinode #%llu: extent list tree depth %u\n",
+		     (unsigned long long)bh->b_blocknr,
+		     le16_to_cpu(di->id2.i_list.l_tree_depth));
+		rc = -OCFS2_FILECHECK_ERR_UNSUPPORTED;
+	}
+
 bail:
 	return rc;
 }
@@ -1633,11 +1651,14 @@ static int ocfs2_filecheck_validate_inode_block(struct super_block *sb,
 static int ocfs2_filecheck_repair_inode_block(struct super_block *sb,
 					      struct buffer_head *bh)
 {
-	int changed = 0;
+	int changed = 0, rc;
 	struct ocfs2_dinode *di = (struct ocfs2_dinode *)bh->b_data;
 
-	if (!ocfs2_filecheck_validate_inode_block(sb, bh))
+	rc = ocfs2_filecheck_validate_inode_block(sb, bh);
+	if (!rc)
 		return 0;
+	if (rc == -OCFS2_FILECHECK_ERR_UNSUPPORTED)
+		return rc;
 
 	trace_ocfs2_filecheck_repair_inode_block(
 		(unsigned long long)bh->b_blocknr);
-- 
2.49.0