[PATCH 6.6.y] ocfs2: add extra consistency checks for chain allocator dinodes

[PATCH 6.6.y] ocfs2: add extra consistency checks for chain allocator dinodes

[driz2t]

[-- Attachment #1.1: Type: text/plain, Size: 194 bytes --]

Hi,

Please test this patch on stable 6.6.y.


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git c09fbcd31ae6d71e7c69545839bec92d8e15c13b


Thanks,
Changjian Liu

[-- Attachment #1.2: Type: text/html, Size: 269 bytes --]

[-- Attachment #2: 1dd53396e7124586dca9.patch --]
[-- Type: application/octet-stream, Size: 2139 bytes --]

commit e1c70505ee8158c1108340d9cd67182ade93af4a
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Thu Oct 30 18:30:02 2025 +0300

    ocfs2: add extra consistency checks for chain allocator dinodes
    
    When validating chain allocator dinode in 'ocfs2_validate_inode_block()',
    add an extra checks whether a) the maximum amount of chain records in
    'struct ocfs2_chain_list' matches the value calculated based on the
    filesystem block size, and b) the next free slot index is within the valid
    range.
    
    Link: https://lkml.kernel.org/r/20251030153003.1934585-1-dmantipov@yandex.ru
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
    Reported-by: syzbot+5054473a31f78f735416@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=5054473a31f78f735416
    Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Deepanshu Kartikey <kartikey406@gmail.com>
    Cc: Heming Zhao <heming.zhao@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Mark Fasheh <mark@fasheh.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1513,6 +1513,23 @@ int ocfs2_validate_inode_block(struct super_block *sb,
 		goto bail;
 	}
 
+	if (le32_to_cpu(di->i_flags) & OCFS2_CHAIN_FL) {
+		struct ocfs2_chain_list *cl = &di->id2.i_chain;
+
+		if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb)) {
+			rc = ocfs2_error(sb, "Invalid dinode %llu: chain list count %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 le16_to_cpu(cl->cl_count));
+			goto bail;
+		}
+		if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+			rc = ocfs2_error(sb, "Invalid dinode %llu: chain list index %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 le16_to_cpu(cl->cl_next_free_rec));
+			goto bail;
+		}
+	}
+
 	rc = 0;
 
 bail:

Re: [v6.6] kernel BUG in ocfs2_remove_extent

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+1dd53396e7124586dca9@syzkaller.appspotmail.com
Tested-by: syzbot+1dd53396e7124586dca9@syzkaller.appspotmail.com

Tested on:

commit:         c09fbcd3 Linux 6.6.130
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10410116580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cf30d9e358c58220
dashboard link: https://syzkaller.appspot.com/bug?extid=1dd53396e7124586dca9
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11cf706a580000

Note: testing is done by a robot and is best-effort only.