lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5563a638-6acd-46cf-b78a-75c4e7a8e836@linux.alibaba.com>
Date: Sun, 4 Jan 2026 09:50:00 +0800
From: Joseph Qi <joseph.qi@...ux.alibaba.com>
To: Deepanshu Kartikey <kartikey406@...il.com>, mark@...heh.com,
 jlbec@...lplan.org, Heming Zhao <heming.zhao@...e.com>
Cc: ocfs2-devel@...ts.linux.dev, linux-kernel@...r.kernel.org,
 syzbot+7960178e777909060224@...kaller.appspotmail.com
Subject: Re: [PATCH] ocfs2: add check for free bits before allocation in
 ocfs2_move_extent()



On 2025/12/31 19:58, Deepanshu Kartikey wrote:
> Add a check to verify the group descriptor has enough free bits before
> attempting allocation in ocfs2_move_extent(). This prevents a kernel
> BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl
> is called on a crafted or corrupted filesystem.
> 
> The existing validation in ocfs2_validate_gd_self() only checks static
> metadata consistency (bg_free_bits_count <= bg_bits) when the descriptor
> is first read from disk. However, during move_extents operations,
> multiple allocations can exhaust the free bits count below the requested
> allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count)
> num_bits).

BUG_ON(le16_to_cpu(bg->bg_free_bits_count) < num_bits)

Seems '<' is missing.

> 
> The debug trace shows the issue clearly:
>   - Block group 32 validated with bg_free_bits_count=427
>   - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1
>   - Final request for 2 bits with only 1 available triggers BUG_ON
> 
> By adding an early check in ocfs2_move_extent() before calling
> ocfs2_block_group_set_bits(), we return -ENOSPC gracefully instead of
> crashing the kernel.
> 
> Reported-by: syzbot+7960178e777909060224@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=7960178e777909060224
> Tested-by: syzbot+7960178e777909060224@...kaller.appspotmail.com
> Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
> ---
>  fs/ocfs2/move_extents.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
> index 99637e34d9da..2548a8908a1b 100644
> --- a/fs/ocfs2/move_extents.c
> +++ b/fs/ocfs2/move_extents.c
> @@ -690,6 +690,11 @@ static int ocfs2_move_extent(struct ocfs2_move_extents_context *context,
>  		goto out_commit;
>  	}
>  
> +	if (le16_to_cpu(gd->bg_free_bits_count) < len) {
> +		ret = -ENOSPC;
> +		goto out_commit;
> +	}
> +

Why not check rightly after ocfs2_find_victim_alloc_group()?

Joseph

>  	ret = ocfs2_block_group_set_bits(handle, gb_inode, gd, gd_bh,
>  					 goal_bit, len, 0, 0);
>  	if (ret) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ