From nobody Tue Dec 2 02:19:44 2025 Received: from mail-ed1-f49.google.com (mail-ed1-f49.google.com [209.85.208.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0DA422D738F for ; Wed, 19 Nov 2025 22:17:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763590668; cv=none; b=qqNlSegCy1UbmWzT1Zgf1pTiO4llDIJBSqFav3uf4QbjVP/Lh44bMMD5T+JJGTnPFLMsQXoErSOHqW7imXQsZBVVVr9dj42faj+pCge1M/BZP1MSKpwpEPITRtJIXoxwIciUjtt+LYtPX547BXB12NYjsQCsPxnXxweVvQ8Awv0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1763590668; c=relaxed/simple; bh=5k1UUQuMdAGsweONuHo9B8fjqZf4W9pmjU2lWcjjJZI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NL5Y7yW9hgOJNgvFLPw+DPUM9ndZ6UOGaySFbinUZgv89ke1et6LHRS7CyEwgeJvRAiM4aLC0cjyT3L+c6bRCfAUwZU/GJ+Ikh/FdAZ5xbREFl6GFPp5g+zaKhZCvkabuLtBmmRSN1wFA6o7N1DXWsPFvkPlr676xTizfWg6KT4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=g3BW0obb; arc=none smtp.client-ip=209.85.208.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="g3BW0obb" Received: by mail-ed1-f49.google.com with SMTP id 4fb4d7f45d1cf-64074f01a6eso305430a12.2 for ; Wed, 19 Nov 2025 14:17:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763590665; x=1764195465; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oB9cpue9j+IEapAl0OGonRE3KO/UfgI2fUGUdvghWZk=; b=g3BW0obbaCjA5wkLRJ17spAbHy1df05gYl/U6aGil2GrFsKRDkVQSHrw4WTa7Inzix iEpRXwaLbKlPf66wbxxRBZExJpu52PBpoXGFH9pmoymragCLo+XLwTD731IcUp6wwAEJ 9syG41mzsMAGJpa0o1YogwVCBucUf+LjVSCRazaocOuTwcgBJ/JifILzciVoGUT2NEMK 0b1ZPKNp/t5EdYfXt0N8LtBoT8bYlWloOrZog2KeoNTtRxjOta9m9gjZx+hf+XB2gnI6 jLmb0wS1hxyrxxv2QIL+1aB+3zYHWgHyr4hbI6ynYFN6PRNYeLbnT9SuxigKQBmpeCT+ s7bw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763590665; x=1764195465; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=oB9cpue9j+IEapAl0OGonRE3KO/UfgI2fUGUdvghWZk=; b=Z78XX0xyJNVONtJSpX9xgWDQZGYWyZeBmrFHtB+rfi6NhwhixnzbXH/LVcygqVUVLR mCnXNQPP+2gJDDGJQDsnni8t0AXXytWVvMDlKj4uNxG6ZBNbKYu9CoFUA3vORl1BbTli DsCT0xvF9HLo3qcK2HcuspYCBIQKwBLwon2X8A34KLSbMNT5VEsL97bPaZzKg4XWahN5 kMJzX7bnw3MuLo6PFyNPUyrcNWj5Em9Me2XQ5OJ97PyACrz3DOM0cJsV73oykEd3YbGk dW9v3UCz0aLPSUwewyVnMulrOYOiiExTTf6BgjOPgxRpenxvTGLGa03swbyb697Z3lvd pAXA== X-Forwarded-Encrypted: i=1; AJvYcCUrMjvBmWhEeq7nOul/mXJv7RsXXA3IPDibK2lwkFFJWXfEjWOk8/uQy9Jldy+buuuFv7nI5LkzGGu6bzs=@vger.kernel.org X-Gm-Message-State: AOJu0YwWUrDmUS04skM/Fo3xwNKc0Sk/fTaE6uOhJLEG3jO7moCDSFWz ILKLyq/BtDb9AGt/wyfdvC38NkIQLj7qOUf0bemrL39KWCpVrJNXUaog X-Gm-Gg: ASbGncvo2T38fDl9ry1bXELj9MY0SHig1i6lcwNMIK6yR8kH3TpERi7vAiba+VriIY1 llZ7yahT8+4DrxsATl+VDVX/ftb3WlDBUQgDbR23hjdT5HK1s49L4KqhV+vPwUQoo6KsDy43b+w D/QALORnIHnwE7KM0fNU+e8ooKshEYRiBANBj5JDtRYGDFDvFFttskybOIqrQMM6b8w16fDECWx CUlbvFbq9Zk4ImKFLR7zEl1yygzXv7jCWrZsM3o7HbwMP+4X15rim3iNFk17FXE0wRKZ4CshxE2 vSGD8eJRrYQRVEIeFb6AijH0Q8gib1We9tUHR9X5Ig6LdCUK0NTukJmmVm61NfjaVmU3owFg7qk wMJYlI/mk9CcveQ0Zxjmp14LLpAcK1nyzYOthUpZXqMmftADOVUSlwhiJckgFjwmOs3bjH10ZwB sa1sQIugI/3w== X-Google-Smtp-Source: AGHT+IETxP0piQQXRfYo8MJPQjBr6mx0BVDdDI6wJbMkF2fkxXCWQ66bK1gemVwC592OH5/z0h9vpw== X-Received: by 2002:a05:6402:1ecb:b0:640:b736:6c2f with SMTP id 4fb4d7f45d1cf-6453643d0abmr850460a12.18.1763590665075; Wed, 19 Nov 2025 14:17:45 -0800 (PST) Received: from eray-kasa.. ([2a02:4e0:2d09:f53:a4ec:610:b04c:9669]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-645363ac8e3sm603716a12.2.2025.11.19.14.17.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Nov 2025 14:17:44 -0800 (PST) From: Ahmet Eray Karadag To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, david.hunter.linux@gmail.com, skhan@linuxfoundation.org, Ahmet Eray Karadag , syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com, Albin Babu Varghese Subject: [PATCH v3] ocfs2: Invalidate inode if i_mode is zero after block read Date: Thu, 20 Nov 2025 01:17:24 +0300 Message-ID: <20251119221723.171746-2-eraykrdg1@gmail.com> In-Reply-To: <20251108120133.37443-3-eraykrdg1@gmail.com> References: <20251108120133.37443-3-eraykrdg1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink =3D=3D 0) when handling a corrupted inode with i_mode=3D0 and i_nlink=3D0 in memory. This "zombie" inode is created because ocfs2_read_locked_inode proceeds even after ocfs2_validate_inode_block successfully validates a block that structurally looks okay (passes checksum, signature etc.) but contains semantically invalid data (specifically i_mode=3D0). The current validation function doesn't check for i_mode being zero. This results in an in-memory inode with i_mode=3D0 being added to the VFS cache, which later triggers the panic during unlink. Prevent this by adding an explicit check for (i_mode =3D=3D 0, i_nlink =3D= =3D 0, non-orphan) within ocfs2_validate_inode_block. If the check is true, return -EFSCORRUPT= ED to signal corruption. This causes the caller (ocfs2_read_locked_inode) to invoke make_bad_inode(), correctly preventing the zombie inode from entering the cache. Reported-by: syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=3D55c40ae8a0e5f3659f2b Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Previous link: https://lore.kernel.org/all/20251022222752.46758-2-eraykrdg1= @gmail.com/T/ --- v2: - Only checking either i_links_count =3D=3D 0 or i_mode =3D=3D 0 - Not performing le16_to_cpu() anymore - Tested with ocfs2-test --- v3: - Add checking both high and low bits of i_links_count --- fs/ocfs2/inode.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index 14bf440ea4df..c8b129db756e 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1456,6 +1456,13 @@ int ocfs2_validate_inode_block(struct super_block *s= b, goto bail; } =20 + if (!ocfs2_read_links_count(di) || !di->i_mode) { + mlog(ML_ERROR, "Invalid dinode #%llu: " + "Corrupt state (nlink=3D0 or mode=3D0,) detected!\n", + (unsigned long long)bh->b_blocknr); + rc =3D -EFSCORRUPTED; + goto bail; + } /* * Errors after here are fatal. */ --=20 2.43.0