lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <7901a72a-0ba3-4093-a2f3-692e642e970f@linux.alibaba.com>
Date: Thu, 9 Oct 2025 17:14:58 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Deepanshu Kartikey <kartikey406@...il.com>, mark@...heh.com,
 jlbec@...lplan.org
Cc: ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org,
 syzbot+6fdd8fa3380730a4b22c@...kaller.appspotmail.com
Subject: Re: [PATCH] ocfs2: fix stale extent map cache during COW operations

Hi,

On 2025/10/8 12:23, Deepanshu Kartikey wrote:
> The extent map cache can become stale during COW operations, causing
> ocfs2_refcount_cal_cow_clusters() to see an outdated extent state.
> 
> The problem occurs when:
> 1. ocfs2_get_clusters() reads and caches an extent with OCFS2_EXT_REFCOUNTED
> 2. ocfs2_refcount_cow_hunk() performs COW, clearing the REFCOUNTED flag
> 3. The extent map cache still contains the stale REFCOUNTED flag
> 4. Subsequent access on the same extent via the cache gets incorrect flags,
>    triggering BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED))
> 

At the end of ocfs2_refcount_cow_hunk(), it has:

	/*
	 * truncate the extent map here since no matter whether we meet with
	 * any error during the action, we shouldn't trust cached extent map
	 * any more.
	 */
	ocfs2_extent_map_trunc(inode, cow_start);

It seems the cached extent record has already been forgotten. So how
does the above step 3 happen?

Thanks,
Joseph


> Fix by clearing the extent map cache at the start of COW operations.
> This ensures that ocfs2_get_clusters() always reads fresh extent data
> from disk during COW instead of using stale cached data.
> 
> Reported-by: syzbot+6fdd8fa3380730a4b22c@...kaller.appspotmail.com
> Tested-by: syzbot+6fdd8fa3380730a4b22c@...kaller.appspotmail.com
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
> ---
>  fs/ocfs2/refcounttree.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
> index 267b50e8e42e..e8c8fcdc3dd9 100644
> --- a/fs/ocfs2/refcounttree.c
> +++ b/fs/ocfs2/refcounttree.c
> @@ -3451,7 +3451,8 @@ int ocfs2_refcount_cow(struct inode *inode,
>  	int ret = 0;
>  	u32 p_cluster, num_clusters;
>  	unsigned int ext_flags;
> -
> +	/* Clear extent map cache before COW operations to avoid stale data */
> +	ocfs2_extent_map_trunc(inode, 0);
>  	while (write_len) {
>  		ret = ocfs2_get_clusters(inode, cpos, &p_cluster,
>  					 &num_clusters, &ext_flags);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ