[syzbot] [ocfs2?] kernel BUG in ocfs2_move_extents

[syzbot] [ocfs2?] kernel BUG in ocfs2_move_extents

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ea1013c15392 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=179abdc2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=513255d80ab78f2b
dashboard link: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ea1013c1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ea4d0b50128d/vmlinux-ea1013c1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f2e7f1524121/bzImage-ea1013c1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
=======================================================
WARNING: The mand mount option has been deprecated and
         and is ignored by this kernel. Remove the mand
         option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
(syz.0.0,5341,0):ocfs2_dio_end_io:2401 ERROR: Direct IO failed, bytes = -28
------------[ cut here ]------------
kernel BUG at fs/ocfs2/suballoc.c:1383!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ocfs2_block_group_set_bits+0x857/0x980 fs/ocfs2/suballoc.c:1383
Code: 07 fe c1 38 c1 0f 8c b8 fe ff ff 4c 89 e7 89 f3 e8 ce ae 76 fe 89 de e9 a7 fe ff ff e8 82 c7 0e fe 90 0f 0b e8 7a c7 0e fe 90 <0f> 0b f3 0f 1e fa 65 8b 1d b0 65 ec 0e bf 07 00 00 00 89 de e8 a0
RSP: 0018:ffffc9000ec973e0 EFLAGS: 00010246
RAX: ffffffff83b2fa76 RBX: 0000000000000001 RCX: 0000000000100000
RDX: ffffc90020802000 RSI: 00000000000fffff RDI: 0000000000100000
RBP: ffffc9000ec97500 R08: 0000000000000007 R09: 00000000000000f8
R10: 00000000fffffffc R11: 0000000000000002 R12: 1ffff1100253aa01
R13: 00000000000000f8 R14: ffff8880478e4fb8 R15: dffffc0000000000
FS:  00007f460e7df6c0(0000) GS:ffff88808d22a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f46027ff000 CR3: 0000000011427000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 ocfs2_move_extent fs/ocfs2/move_extents.c:693 [inline]
 __ocfs2_move_extents_range fs/ocfs2/move_extents.c:865 [inline]
 ocfs2_move_extents+0x2c39/0x3dd0 fs/ocfs2/move_extents.c:937
 ocfs2_ioctl_move_extents+0x568/0x740 fs/ocfs2/move_extents.c:1069
 ocfs2_ioctl+0x191/0x750 fs/ocfs2/ioctl.c:942
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f460d98f7c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f460e7df038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f460dbe5fa0 RCX: 00007f460d98f7c9
RDX: 00002000000000c0 RSI: 0000000040406f06 RDI: 0000000000000004
RBP: 00007f460da13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f460dbe6038 R14: 00007f460dbe5fa0 R15: 00007fff6d300b38
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_block_group_set_bits+0x857/0x980 fs/ocfs2/suballoc.c:1383
Code: 07 fe c1 38 c1 0f 8c b8 fe ff ff 4c 89 e7 89 f3 e8 ce ae 76 fe 89 de e9 a7 fe ff ff e8 82 c7 0e fe 90 0f 0b e8 7a c7 0e fe 90 <0f> 0b f3 0f 1e fa 65 8b 1d b0 65 ec 0e bf 07 00 00 00 89 de e8 a0
RSP: 0018:ffffc9000ec973e0 EFLAGS: 00010246
RAX: ffffffff83b2fa76 RBX: 0000000000000001 RCX: 0000000000100000
RDX: ffffc90020802000 RSI: 00000000000fffff RDI: 0000000000100000
RBP: ffffc9000ec97500 R08: 0000000000000007 R09: 00000000000000f8
R10: 00000000fffffffc R11: 0000000000000002 R12: 1ffff1100253aa01
R13: 00000000000000f8 R14: ffff8880478e4fb8 R15: dffffc0000000000
FS:  00007f460e7df6c0(0000) GS:ffff88808d22a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f46027ff000 CR3: 0000000011427000 CR4: 0000000000352ef0


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_move_extents

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    8f0b4cce4481 Linux 6.19-rc1
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12eb8bb4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8a8594efdc14f07a
dashboard link: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14838f1a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16eb8bb4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/cd4f5f43efc8/disk-8f0b4cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aafb35ac3a3c/vmlinux-8f0b4cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d221fae4ab17/Image-8f0b4cce.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/2c226c2e3d21/mount_0.gz
  fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=10838f1a580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com

=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
kernel BUG at fs/ocfs2/suballoc.c:1383!
Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6734 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 83400005 (Nzcv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : ocfs2_block_group_set_bits+0x784/0x8ec fs/ocfs2/suballoc.c:1383
lr : ocfs2_block_group_set_bits+0x784/0x8ec fs/ocfs2/suballoc.c:1383
sp : ffff8000a3eb7260
x29: ffff8000a3eb7320 x28: ffff0000f60124f8 x27: ffff0000ca05c000
x26: ffff0000eaee1b00 x25: ffff0000c5c8c000 x24: 1ffff000147d6e58
x23: ffff0000c5c8c00c x22: dfff800000000000 x21: 0000000000000001
x20: 0000000000000002 x19: 0000000000000000 x18: 00000000ffffffff
x17: ffff800082225fb0 x16: ffff80008af67980 x15: 0000000000000001
x14: 0000000000000000 x13: 00000000fffffffc x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : ffff0000c8f1d580 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000002 x4 : 0000000000000001 x3 : ffff0000c1707d98
x2 : ffff0000c5c8c000 x1 : 0000000000000001 x0 : 0000000000000002
Call trace:
 ocfs2_block_group_set_bits+0x784/0x8ec fs/ocfs2/suballoc.c:1383 (P)
 ocfs2_move_extent fs/ocfs2/move_extents.c:693 [inline]
 __ocfs2_move_extents_range fs/ocfs2/move_extents.c:865 [inline]
 ocfs2_move_extents+0x213c/0x2e78 fs/ocfs2/move_extents.c:937
 ocfs2_ioctl_move_extents+0x448/0x614 fs/ocfs2/move_extents.c:1069
 ocfs2_ioctl+0x1c4/0x738 fs/ocfs2/ioctl.c:942
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Code: 17ffffa0 97944b2d d4210000 97944b2b (d4210000) 
---[ end trace 0000000000000000 ]---


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Forwarded: [PATCH] ocfs2: add debug printk to trace block group validation path

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add debug printk to trace block group validation path
Author: kartikey406@gmail.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add temporary debug printk statements to understand how a corrupted
filesystem image bypasses validation and triggers the BUG_ON in
ocfs2_block_group_set_bits().

The existing validation in ocfs2_validate_gd_self() checks:
    bg_free_bits_count > bg_bits (static consistency)

The BUG_ON in ocfs2_block_group_set_bits() checks:
    bg_free_bits_count < num_bits (dynamic allocation request)

These are different conditions. A filesystem with bg_free_bits_count=1
and bg_bits=100 passes validation, but triggers BUG_ON when num_bits=2
is requested.

This debug patch helps confirm whether ocfs2_validate_gd_self() is
called and what values are present when the BUG_ON triggers.

NOT FOR MERGE - debug only.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/suballoc.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 8e6e5235b30c..7cd7eb6a9d13 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -164,7 +163,10 @@ static int ocfs2_validate_gd_self(struct super_block *sb,
 				  int resize)
 {
 	struct ocfs2_group_desc *gd = (struct ocfs2_group_desc *)bh->b_data;
-
+	printk(KERN_ERR "OCFS2 DEBUG: ocfs2_validate_gd_self called for block %llu, bg_bits=%u, bg_free_bits_count=%u\n",
+	       (unsigned long long)bh->b_blocknr,
+	       le16_to_cpu(gd->bg_bits),
+	       le16_to_cpu(gd->bg_free_bits_count));
 	if (!OCFS2_IS_VALID_GROUP_DESC(gd)) {
 		do_error("Group descriptor #%llu has bad signature %.*s\n",
 			 (unsigned long long)bh->b_blocknr, 7,
@@ -1376,7 +1375,11 @@ int ocfs2_block_group_set_bits(handle_t *handle,
 	unsigned int start = bit_off + num_bits;
 	u16 contig_bits;
 	struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
-
+
+	printk(KERN_ERR "OCFS2 DEBUG: ocfs2_block_group_set_bits called, bg_blkno=%llu, bg_free_bits_count=%u, num_bits=%u\n",
+	       (unsigned long long)le64_to_cpu(bg->bg_blkno),
+	       le16_to_cpu(bg->bg_free_bits_count),
+	       num_bits);
 	/* All callers get the descriptor via
 	 * ocfs2_read_group_descriptor().  Any corruption is a code bug. */
 	BUG_ON(!OCFS2_IS_VALID_GROUP_DESC(bg));
-- 
2.43.0

Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

Add a check to verify the group descriptor has enough free bits before
attempting allocation in ocfs2_move_extent(). This prevents a kernel
BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
is called on a crafted or corrupted filesystem.

The existing validation in ocfs2_validate_gd_self() only checks static
metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
is first read from disk. However, during move_extents operations,
multiple allocations can exhaust the free bits count below the requested
allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count)
num_bits).

The debug trace shows the issue clearly:
  - Block group 32 validated with bg_free_bits_count=427
  - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
  - Final request for 2 bits with only 1 available triggers BUG_ON

By adding an early check in ocfs2_move_extent() before calling
ocfs2_block_group_set_bits(), we return -ENOSPC gracefully instead of
crashing the kernel.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/move_extents.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 99637e34d9da..2548a8908a1b 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -690,6 +690,11 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
+	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
+		ret = -ENOSPC;
+		goto out_commit;
+	}
+
 	ret = ocfs2_block_group_set_bits(handle, gb_inode, gd, gd_bh,
 					 goal_bit, len, 0, 0);
 	if (ret) {
-- 
2.43.0

Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add a check to verify the group descriptor has enough free bits before
attempting allocation in ocfs2_move_extent(). This prevents a kernel
BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
is called on a crafted or corrupted filesystem.

The existing validation in ocfs2_validate_gd_self() only checks static
metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
is first read from disk. However, during move_extents operations,
multiple allocations can exhaust the free bits count below the requested
allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count)
num_bits).

The debug trace shows the issue clearly:
  - Block group 32 validated with bg_free_bits_count=427
  - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
  - Final request for 2 bits with only 1 available triggers BUG_ON

By adding an early check in ocfs2_move_extent() before calling
ocfs2_block_group_set_bits(), we return -ENOSPC gracefully instead of
crashing the kernel.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/ocfs2/move_extents.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 99637e34d9da..2548a8908a1b 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -690,6 +690,11 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
+	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
+		ret = -ENOSPC;
+		goto out_commit;
+	}
+
 	ret = ocfs2_block_group_set_bits(handle, gb_inode, gd, gd_bh,
 					 goal_bit, len, 0, 0);
 	if (ret) {
-- 
2.43.0

Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add a check to verify the group descriptor has enough free bits before
attempting allocation in ocfs2_move_extent(). This prevents a kernel
BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
is called on a crafted or corrupted filesystem.

The existing validation in ocfs2_validate_gd_self() only checks static
metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
is first read from disk. However, during move_extents operations,
multiple allocations can exhaust the free bits count below the requested
allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count)
num_bits).

The debug trace shows the issue clearly:
  - Block group 32 validated with bg_free_bits_count=427
  - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
  - Final request for 2 bits with only 1 available triggers BUG_ON

By adding an early check in ocfs2_move_extent() right after
ocfs2_find_victim_alloc_group(), we return -ENOSPC gracefully instead of
crashing the kernel. This also avoids unnecessary work in
ocfs2_probe_alloc_group() and __ocfs2_move_extent() when the allocation
will fail.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
v2:
  - Fixed missing '<' in commit message (Joseph)
  - Moved check right after ocfs2_find_victim_alloc_group() to fail
    early and avoid unnecessary work (Joseph)
---
 fs/ocfs2/move_extents.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 99637e34d9da..524e6ea1fa0a 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -662,6 +662,12 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
+	gd = (struct ocfs2_group_desc *)gd_bh->b_data;
+	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
+		ret = -ENOSPC;
+		goto out_commit;
+	}
+
 	/*
 	 * probe the victim cluster group to find a proper
 	 * region to fit wanted movement, it even will perform
-- 
2.43.0

Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Add a check to verify the group descriptor has enough free bits before
attempting allocation in ocfs2_move_extent(). This prevents a kernel
BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
is called on a crafted or corrupted filesystem.

The existing validation in ocfs2_validate_gd_self() only checks static
metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
is first read from disk. However, during move_extents operations,
multiple allocations can exhaust the free bits count below the requested
allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count)
num_bits).

The debug trace shows the issue clearly:
  - Block group 32 validated with bg_free_bits_count=427
  - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
  - Final request for 2 bits with only 1 available triggers BUG_ON

By adding an early check in ocfs2_move_extent() right after
ocfs2_find_victim_alloc_group(), we return -ENOSPC gracefully instead of
crashing the kernel. This also avoids unnecessary work in
ocfs2_probe_alloc_group() and __ocfs2_move_extent() when the allocation
will fail.

Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Link: https://lore.kernel.org/all/20251231115801.293726-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
v2:
  - Fixed missing '<' in commit message (Joseph)
  - Moved check right after ocfs2_find_victim_alloc_group() to fail
    early and avoid unnecessary work (Joseph)
---
 fs/ocfs2/move_extents.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 99637e34d9da..c037fb34b1e3 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -662,6 +662,12 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
+	gd = (struct ocfs2_group_desc *)gd_bh->b_data;
+	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
+		ret = -ENOSPC;
+		goto out_commit;
+	}
+
 	/*
 	 * probe the victim cluster group to find a proper
 	 * region to fit wanted movement, it even will perform
@@ -682,7 +688,6 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
 		goto out_commit;
 	}
 
-	gd = (struct ocfs2_group_desc *)gd_bh->b_data;
 	ret = ocfs2_alloc_dinode_update_counts(gb_inode, handle, gb_bh, len,
 					       le16_to_cpu(gd->bg_chain));
 	if (ret) {
-- 
2.43.0