From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8BF6B7262F for ; Mon, 13 Apr 2026 15:43:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776095031; cv=none; b=YRN6erplrWViWtJEbjrKIh724QPqowzaSUcNGlr9KKOLR+Dsl1PUrmYfw3FlbBAK/T+dZKjikOJNs07x7ZW/EErj1kOZ6KZ7IhG3P0rdCxYxlfakcqFPhXxwSXaWzF94uQyHhOWSzpYID9MYsSUdVJHo4/JeNsRUstnfrqbagpk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776095031; c=relaxed/simple; bh=Y9Vc77yDHBPJ4X8pnsSuv1KyvRrIFHmKy1tRMHMf49s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HFb8mAyGZxkZyg1fpkr4W0NhSbpyqnXfEeZh5sLp/MEQc6U18ZLMa3s4IFgtBNdbta4ioIMZ5mFolNZ+OcfRzIfAD5/vU+7CkfK851xCGEUOX1K5IayXXjufwoIAmj7As0FvWSUwXDwrBdtHw1gHTQaV4LSVRt3DKhrgmU1kKP0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hfXwV7Ly; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hfXwV7Ly" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3C4C5C2BCB6; Mon, 13 Apr 2026 15:43:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1776095031; bh=Y9Vc77yDHBPJ4X8pnsSuv1KyvRrIFHmKy1tRMHMf49s=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hfXwV7LyMbKGk9j4qQKEotkdRKtFn7wT/BpUO87HZ7m9IvJFOHpp43TZRrvBfwic+ Se0snDJ7lQYeRDJCq5rCNPbS3nqSk2F4kwapq1zT11jLKuQXlxdybHzsvSLbiYPoND sE3i2BbxzI1irz49+nAQJO33DPy68teNEbK6We683U95zuv3O5RkoIOFJOq/RcttT/ SQjyvnrOqN6vXv7REQR1SvEvmIaVEajdmoE77KKnQM+9hyX/EPILUbeNN+t1qSI91b j9VR7LQuoZ2SN8xzCVPBWkB5ATsADD0zcGXcVkHvUpxD2Sw7YWBhP+K0ReCgq1HL1C yaFsJlV2RgcXA== From: Sasha Levin To: stable@vger.kernel.org Cc: Joseph Qi , syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin Subject: [PATCH 6.1.y 3/3] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline Date: Mon, 13 Apr 2026 11:43:45 -0400 Message-ID: <20260413154345.3124558-3-sashal@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413154345.3124558-1-sashal@kernel.org> References: <2026041352-oppressor-guidable-7094@gregkh> <20260413154345.3124558-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Joseph Qi [ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ] KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it. Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com Signed-off-by: Joseph Qi Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin --- fs/ocfs2/inode.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index bd882bf384b3f..04c8eecc66c92 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct super_block *sb, goto bail; } + if (le16_to_cpu(data->id_count) > + ocfs2_max_inline_data_with_xattr(sb, di)) { + rc = ocfs2_error(sb, + "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n", + (unsigned long long)bh->b_blocknr, + le16_to_cpu(data->id_count), + ocfs2_max_inline_data_with_xattr(sb, di)); + goto bail; + } + if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { rc = ocfs2_error(sb, "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", -- 2.53.0