From: Prithvi Tambewagh
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH v3] ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Date: Mon, 1 Dec 2025 18:37:11 +0530
Message-Id: <20251201130711.143900-1-activprithvi@gmail.com>

syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggering the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.

To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:

1. `cl_next_free_rec` is equal to 0, indicating that there are no free
   chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
   chains in the allocation chain list)

Either of them being true is indicative of the fact that there are no
chains left for usage.

This is addressed using ocfs2_error(), which prints the error log for
debugging purposes, rather than panicking the kernel.

Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72
Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh
---
v2->v3:
- Revise log message for reflecting changes from v1->v2
- Format code style as suggested in v2

v1->v2:
- Remove extra line before the if statement in patch
- Add upper limit check for cl->cl_next_free_rec in the if condition

 fs/ocfs2/suballoc.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 6ac4dcd54588..e93fc842bb20 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -1992,6 +1992,16 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_al= loc_context *ac, } =20 cl =3D (struct ocfs2_chain_list *) &fe->id2.i_chain; + if (!le16_to_cpu(cl->cl_next_free_rec) || + le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) { + status =3D ocfs2_error(ac->ac_inode->i_sb, + "Chain allocator dinode %llu has invalid next " + "free chain record %u, but only %u total\n", + (unsigned long long)le64_to_cpu(fe->i_blkno), + le16_to_cpu(cl->cl_next_free_rec), + le16_to_cpu(cl->cl_count)); + goto bail; + } =20 victim =3D ocfs2_find_victim_chain(cl); ac->ac_chain =3D victim;

base-commit: 939f15e640f193616691d3bcde0089760e75b0d3
-- 
2.34.1
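Review bot: the error text in this hunk fits only the second half of the condition; when cl_next_free_rec is 0 it prints "has invalid next free chain record 0, but only N total", which reads as an over-range report rather than an empty chain list. Consider wording that covers both cases, e.g. "has invalid next free chain record %u (cl_count %u)\n", and hoisting the two le16_to_cpu() reads into locals (say next_free and count) so the condition and the message use the same values instead of converting cl_next_free_rec three times.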
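The check the commit message describes, as an added user-space model that is not the kernel's or the patch author's code: a chain list is decoded from a raw little-endian buffer, rejected when cl_next_free_rec is 0 or exceeds cl_count, and only then walked to pick the chain with the most free bits. The struct layout, the image format, the "model_" names and the -EIO/-EINVAL return values are assumptions made for this example; the real on-disk ocfs2_chain_list is larger. The example also goes one step past the patch by bounding cl_count itself at parse time, because the next_free_rec <= cl_count test only protects the record walk when cl_count is trustworthy.

```c
/* Added example, not kernel or patch code: a user-space model of the
 * chain-list sanity check. The struct layout, "model_" names, image format
 * and -EIO/-EINVAL return values are assumptions made for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_RECS 4	/* assumed capacity of the record array */

struct model_chain_rec { uint32_t c_free; };	/* free bits in one chain */

struct model_chain_list {
	uint16_t cl_count;		/* records the chain list can hold */
	uint16_t cl_next_free_rec;	/* records in use, i.e. next free slot */
	struct model_chain_rec cl_recs[MODEL_MAX_RECS];
};

/* Stand-ins for le16_to_cpu()/le32_to_cpu() over a raw little-endian buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode a constructed image: cl_count and cl_next_free_rec (2 bytes each),
 * then MODEL_MAX_RECS c_free values. cl_count is bounded here because the
 * next_free_rec <= cl_count test only helps when cl_count itself is sane. */
static int model_parse(const uint8_t *buf, size_t len, struct model_chain_list *cl)
{
	unsigned i;

	if (len < 4 + MODEL_MAX_RECS * 4)
		return -EINVAL;
	cl->cl_count = rd16(buf);
	cl->cl_next_free_rec = rd16(buf + 2);
	if (cl->cl_count > MODEL_MAX_RECS)
		return -EINVAL;
	for (i = 0; i < MODEL_MAX_RECS; i++)
		cl->cl_recs[i].c_free = rd32(buf + 4 + i * 4);
	return 0;
}

/* The test the patch adds before a victim chain is chosen: no records in use,
 * or more in use than the list can hold, means corrupt metadata. Returns 0 if
 * sane, else -EIO (the kernel propagates whatever ocfs2_error() returns). */
static int model_check_chain_list(const struct model_chain_list *cl)
{
	if (!cl->cl_next_free_rec || cl->cl_next_free_rec > cl->cl_count) {
		fprintf(stderr, "chain list has invalid next free chain record %u, "
			"but only %u total\n", cl->cl_next_free_rec, cl->cl_count);
		return -EIO;
	}
	return 0;
}

/* Pick the in-use chain with the most free bits. Walking cl_recs up to
 * cl_next_free_rec is only safe after the check above: a forged value would
 * read past the array, and zero leaves nothing to pick (the BUG_ON() case). */
static int model_find_victim_chain(const struct model_chain_list *cl)
{
	uint16_t curr, best = 0;
	int err = model_check_chain_list(cl);

	if (err)
		return err;
	for (curr = 1; curr < cl->cl_next_free_rec; curr++)
		if (cl->cl_recs[curr].c_free > cl->cl_recs[best].c_free)
			best = curr;
	return best;
}

/* Parse then select; returns the victim record index or a negative errno. */
static int model_claim_from_image(const uint8_t *buf, size_t len)
{
	struct model_chain_list cl;
	int err = model_parse(buf, len, &cl);

	return err ? err : model_find_victim_chain(&cl);
}

/* Constructed images: sane, cl_next_free_rec == 0, cl_next_free_rec > cl_count. */
static const uint8_t model_img_ok[] = {
	0x04, 0x00, 0x03, 0x00,
	0x10, 0, 0, 0,	/* rec 0: 16 free */
	0x30, 0, 0, 0,	/* rec 1: 48 free, the victim */
	0x20, 0, 0, 0,	/* rec 2: 32 free */
	0x00, 0, 0, 0,	/* rec 3: not in use */
};
static const uint8_t model_img_zero[] = {
	0x04, 0x00, 0x00, 0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
static const uint8_t model_img_over[] = {
	0x04, 0x00, 0xff, 0xff, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

int main(void)
{
	printf("ok:   %d\n", model_claim_from_image(model_img_ok, sizeof model_img_ok));
	printf("zero: %d\n", model_claim_from_image(model_img_zero, sizeof model_img_zero));
	printf("over: %d\n", model_claim_from_image(model_img_over, sizeof model_img_over));
	return 0;
}
```

The sane image selects record 1 (48 free bits); the zero and over-range images are rejected with -EIO before any record is read, which is the point of placing the check ahead of the walk rather than inside it. The model returns an error to its caller instead of calling BUG_ON(), mirroring the patch's move from a panic to ocfs2_error().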