lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <fa898d5b-ac9d-44bf-ab98-a520f89dbc28@linux.alibaba.com>
Date: Mon, 1 Dec 2025 17:56:43 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Prithvi Tambewagh <activprithvi@...il.com>, mark@...heh.com,
 jlbec@...lplan.org
Cc: ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org,
 linux-kernel-mentees@...ts.linux.dev, skhan@...uxfoundation.org,
 david.hunter.linux@...il.com, khalid@...nel.org,
 syzbot+96d38c6e1655c1420a72@...kaller.appspotmail.com
Subject: Re: [PATCH v2] ocfs2: fix kernel BUG in ocfs2_find_victim_chain



On 2025/12/1 17:24, Prithvi Tambewagh wrote:
> syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
> `cl_next_free_rec` field of the allocation chain list is 0, triggring the
> BUG_ON(!cl->cl_next_free_rec) condition and panicking the kernel.
> 
> To fix this, `cl_next_free_rec` is checked inside the caller of
> ocfs2_find_victim_chain() i.e. ocfs2_claim_suballoc_bits() and if it is
> equal to 0, ocfs2_error() is called, to log the corruption and force the
> filesystem into read-only mode, to prevent further damage.
> 
> Reported-by: syzbot+96d38c6e1655c1420a72@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72
> Tested-by: syzbot+96d38c6e1655c1420a72@...kaller.appspotmail.com
> Cc: stable@...r.kernel.org
> Signed-off-by: Prithvi Tambewagh <activprithvi@...il.com>
> ---
> v1->v2:
>  - Remove extra line before the if statement in patch
>  - Add upper limit check for cl->cl_next_free_rec in the if condition
> 
>  fs/ocfs2/suballoc.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
> index 6ac4dcd54588..1257c39c2c11 100644
> --- a/fs/ocfs2/suballoc.c
> +++ b/fs/ocfs2/suballoc.c
> @@ -1992,6 +1992,13 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
>  	}
>  
>  	cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
> +	if (!le16_to_cpu(cl->cl_next_free_rec) ||
> +	    le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
> +		status = ocfs2_error(ac->ac_inode->i_sb,
> +					"Chain allocator dinode %llu has 0 chains\n",

The log message also has to be updateed. How about:

if (!le16_to_cpu(cl->cl_next_free_rec) ||
    le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
	status = ocfs2_error(ac->ac_inode->i_sb,
			     "Chain allocator dinode %llu has invalid next "
			     "free chain record %u, but only %u total\n",
			     (unsigned long long)le64_to_cpu(fe->i_blkno),
			     le16_to_cpu(cl->cl_next_free_rec),
			     le16_to_cpu(cl->cl_count));

Joseph

> +					(unsigned long long)le64_to_cpu(fe->i_blkno));
> +		goto bail;
> +	}
>  
>  	victim = ocfs2_find_victim_chain(cl);
>  	ac->ac_chain = victim;
> 
> base-commit: 939f15e640f193616691d3bcde0089760e75b0d3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ