lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <17daaf4c-0081-48f5-8127-0aa9ea534169@linux.alibaba.com>
Date: Thu, 27 Nov 2025 15:17:38 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+f82afc4d4e74d0ef7a89@...kaller.appspotmail.com,
 akpm <akpm@...ux-foundation.org>
Cc: jlbec@...lplan.org, linux-kernel@...r.kernel.org, mark@...heh.com,
 ocfs2-devel@...ts.linux.dev, syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] ocfs2: check tl_used after reading it from trancate log
 inode



On 2025/11/27 11:26, Edward Adam Davis wrote:
> The fuzz image has a truncate log inode whose tl_used is bigger than
> tl_count so it triggers the BUG in ocfs2_truncate_log_needs_flush() [1].
> 
> As what the check in ocfs2_truncate_log_needs_flush() does, just do
> same check into ocfs2_get_truncate_log_info() when truncate log inode
> is reading in so we can bail out earlier.
> 
> [1]
> (syz.0.17,5491,0):ocfs2_truncate_log_needs_flush:5830 ERROR: bug expression: le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count)
> kernel BUG at fs/ocfs2/alloc.c:5830!
> RIP: 0010:ocfs2_truncate_log_needs_flush fs/ocfs2/alloc.c:5827 [inline]
> Call Trace:
>  ocfs2_commit_truncate+0xb64/0x21d0 fs/ocfs2/alloc.c:7372
>  ocfs2_truncate_file+0xca2/0x1420 fs/ocfs2/file.c:509
>  ocfs2_setattr+0x1520/0x1b40 fs/ocfs2/file.c:1212
>  notify_change+0xc1a/0xf40 fs/attr.c:546
>  do_truncate+0x1a4/0x220 fs/open.c:68
> 
> Reported-by: syzbot+f82afc4d4e74d0ef7a89@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f82afc4d4e74d0ef7a89
> Tested-by: syzbot+f82afc4d4e74d0ef7a89@...kaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@...com>

Reviewed-by: Joseph Qi <joseph.qi@...ux.alibaba.com>

> ---
>  fs/ocfs2/alloc.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 162711cc5b20..570d747a00ca 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -6164,7 +6164,7 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
>  	struct buffer_head *bh = NULL;
>  	struct ocfs2_dinode *di;
>  	struct ocfs2_truncate_log *tl;
> -	unsigned int tl_count;
> +	unsigned int tl_count, tl_used;
>  
>  	inode = ocfs2_get_system_file_inode(osb,
>  					   TRUNCATE_LOG_SYSTEM_INODE,
> @@ -6185,8 +6185,10 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
>  	di = (struct ocfs2_dinode *)bh->b_data;
>  	tl = &di->id2.i_dealloc;
>  	tl_count = le16_to_cpu(tl->tl_count);
> +	tl_used = le16_to_cpu(tl->tl_used);
>  	if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
> -		     tl_count == 0)) {
> +		     tl_count == 0 ||
> +		     tl_used > tl_count)) {
>  		status = -EFSCORRUPTED;
>  		iput(inode);
>  		brelse(bh);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ