lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6954af28.050a0220.a1b6.030e.GAE@google.com>
Date: Tue, 30 Dec 2025 21:05:44 -0800
From: syzbot <syzbot+7960178e777909060224@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] ocfs2: add debug printk to trace block group
 validation path

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] ocfs2: add debug printk to trace block group validation path
Author: kartikey406@...il.com

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Add temporary debug printk statements to understand how a corrupted
filesystem image bypasses validation and triggers the BUG_ON in
ocfs2_block_group_set_bits().

The existing validation in ocfs2_validate_gd_self() checks:
    bg_free_bits_count > bg_bits (static consistency)

The BUG_ON in ocfs2_block_group_set_bits() checks:
    bg_free_bits_count < num_bits (dynamic allocation request)

These are different conditions. A filesystem with bg_free_bits_count=1
and bg_bits=100 passes validation, but triggers BUG_ON when num_bits=2
is requested.

This debug patch helps confirm whether ocfs2_validate_gd_self() is
called and what values are present when the BUG_ON triggers.

NOT FOR MERGE - debug only.

Reported-by: syzbot+7960178e777909060224@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/ocfs2/suballoc.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 8e6e5235b30c..7cd7eb6a9d13 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -164,7 +163,10 @@ static int ocfs2_validate_gd_self(struct super_block *sb,
 				  int resize)
 {
 	struct ocfs2_group_desc *gd = (struct ocfs2_group_desc *)bh->b_data;
-
+	printk(KERN_ERR "OCFS2 DEBUG: ocfs2_validate_gd_self called for block %llu, bg_bits=%u, bg_free_bits_count=%u\n",
+	       (unsigned long long)bh->b_blocknr,
+	       le16_to_cpu(gd->bg_bits),
+	       le16_to_cpu(gd->bg_free_bits_count));
 	if (!OCFS2_IS_VALID_GROUP_DESC(gd)) {
 		do_error("Group descriptor #%llu has bad signature %.*s\n",
 			 (unsigned long long)bh->b_blocknr, 7,
@@ -1376,7 +1375,11 @@ int ocfs2_block_group_set_bits(handle_t *handle,
 	unsigned int start = bit_off + num_bits;
 	u16 contig_bits;
 	struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
-
+
+	printk(KERN_ERR "OCFS2 DEBUG: ocfs2_block_group_set_bits called, bg_blkno=%llu, bg_free_bits_count=%u, num_bits=%u\n",
+	       (unsigned long long)le64_to_cpu(bg->bg_blkno),
+	       le16_to_cpu(bg->bg_free_bits_count),
+	       num_bits);
 	/* All callers get the descriptor via
 	 * ocfs2_read_group_descriptor().  Any corruption is a code bug. */
 	BUG_ON(!OCFS2_IS_VALID_GROUP_DESC(bg));
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ