From: syzbot <syzbot+77026564530dbc29b854@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits
Date: Tue, 14 Oct 2025 23:45:09 -0700
Message-ID: <68ef42f5.050a0220.91a22.0232.GAE@google.com>
In-Reply-To: <68ef030a.050a0220.91a22.022b.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


Add validation to check if the chain list count (cl_count) is zero
before using the chain list in ocfs2_reserve_suballoc_bits(). When
cl_count is zero, the cl_recs array is empty, but the code attempts
to access cl_recs[0] in subsequent operations, leading to an
out-of-bounds array access.

The issue was discovered by syzbot using a corrupted filesystem image
where cl_count was set to 0. This triggers a UBSAN array-index-out-of-
bounds error when ocfs2_block_group_fill() attempts to access the
first chain record.

By adding this validation early in ocfs2_reserve_suballoc_bits(), we
catch the corruption before any allocation operations begin. The
filesystem will fail to mount with a clear error message directing
users to run fsck.ocfs2.

This follows the existing pattern in the function where similar
validation checks (like OCFS2_CHAIN_FL) are performed on the
allocator inode before use.

Link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Tested-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/suballoc.c | 8 ++++++++
 1 file changed, 8 insertions(+)
---
 fs/ocfs2/suballoc.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..57ec07f9751a 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -778,6 +778,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
 	struct buffer_head *bh = NULL;
 	struct ocfs2_dinode *fe;
 	u32 free_bits;
+	struct ocfs2_chain_list *cl;
 
 	alloc_inode = ocfs2_get_system_file_inode(osb, type, slot);
 	if (!alloc_inode) {
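Review bot: style point on the new `struct ocfs2_chain_list *cl;` declaration in this hunk: it exists only to serve a single `cl->cl_count` read in the next hunk, so the check could read `fe->id2.i_chain.cl_count` directly and this declaration dropped, keeping the patch to the validation itself.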
@@ -800,7 +801,14 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
 	ac->ac_alloc_slot = slot;
 
 	fe = (struct ocfs2_dinode *) bh->b_data;
-
+	cl = &fe->id2.i_chain;
+	/* Validate chain list before use */
+	if (le16_to_cpu(cl->cl_count) == 0) {
+		status = ocfs2_error(alloc_inode->i_sb,
+			 "Chain allocator %llu has invalid chain list (cl_count=0)\n",
+			 (unsigned long long)le64_to_cpu(fe->i_blkno));
+		goto bail;
+	}
 	/* The bh was validated by the inode read inside
 	 * ocfs2_inode_lock().  Any corruption is a code bug. */
 	BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
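Review bot: the new check is inserted before `BUG_ON(!OCFS2_IS_VALID_DINODE(fe));` and before the OCFS2_CHAIN_FL flag check that the commit message names as the pattern being followed. `fe->id2` is a union, so `cl = &fe->id2.i_chain;` should only be interpreted after OCFS2_CHAIN_FL has confirmed this dinode is a chain allocator; move the whole block after that flag check, where the "Invalid chain allocator" error already lives. Keeping the blank line after `fe = (struct ocfs2_dinode *) bh->b_data;` instead of deleting it also removes the whitespace-only churn that makes the second diffstat (9 insertions, 1 deletion) disagree with the first (8 insertions); only one diffstat should be sent. Finally, ocfs2_reserve_suballoc_bits() runs on the allocation path, not at mount time, so "The filesystem will fail to mount" in the description overstates it: ocfs2_error() reacts according to the errors= mount option, and the message should say that the allocation fails and the error is reported.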
-- 
2.43.0

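To show the shape of the corruption the patch above guards against, here is an added, stand-alone validator that is not part of the patch or of the ocfs2 code: it reads the chain list header from raw block bytes and rejects cl_count == 0 (the syzbot case, where cl_recs is empty and cl_recs[0] is already out of bounds), and, going a step beyond the patch, also rejects cl_next_free_rec > cl_count and a record count that cannot fit in the block. The struct layout is a hand-written copy for the example; check_case() and the sample headers are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hand-written copy of the on-disk chain list layout for this example:
 * little-endian fields, cl_recs is a flexible array at the end. */
struct chain_rec { uint32_t c_free, c_total; uint64_t c_blkno; };
struct chain_list {
	uint16_t cl_cpg, cl_bpc, cl_count, cl_next_free_rec;
	uint64_t cl_reserved1;
	struct chain_rec cl_recs[];
};

enum cl_status { CL_OK, CL_SHORT_BUF, CL_ZERO_COUNT, CL_BAD_NEXT_FREE, CL_RECS_OVERFLOW };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Decide whether cl_recs[0 .. cl_next_free_rec) may be touched: the header
 * must fit, cl_count must be non-zero (otherwise cl_recs is empty and even
 * cl_recs[0] is out of bounds), cl_next_free_rec must not exceed cl_count,
 * and cl_count records must fit inside the buffer. */
enum cl_status validate_chain_list(const uint8_t *buf, size_t buflen)
{
	if (buflen < sizeof(struct chain_list))
		return CL_SHORT_BUF;
	uint16_t count = get_le16(buf + offsetof(struct chain_list, cl_count));
	uint16_t next_free = get_le16(buf + offsetof(struct chain_list, cl_next_free_rec));
	if (count == 0)
		return CL_ZERO_COUNT;
	if (next_free > count)
		return CL_BAD_NEXT_FREE;
	if ((size_t)count * sizeof(struct chain_rec) > buflen - sizeof(struct chain_list))
		return CL_RECS_OVERFLOW;
	return CL_OK;
}

/* Construct a header with the given counts in a buflen-byte block (sample
 * input made up for this example, not taken from a real image) and validate it. */
enum cl_status check_case(uint16_t count, uint16_t next_free, size_t buflen)
{
	uint8_t block[4096];
	if (buflen > sizeof block)
		buflen = sizeof block;
	memset(block, 0, buflen);
	put_le16(block + offsetof(struct chain_list, cl_count), count);
	put_le16(block + offsetof(struct chain_list, cl_next_free_rec), next_free);
	return validate_chain_list(block, buflen);
}
```

check_case(0, 0, 512) reproduces the corrupted-image shape from the report and returns CL_ZERO_COUNT, while check_case(3, 2, 512) is a healthy header and returns CL_OK.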
