From nobody Tue Dec 2 02:19:34 2025 Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A4C167262D for ; Tue, 2 Dec 2025 00:33:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764635599; cv=none; b=BFot0XH8wbS0eoTOssQ5tu+1wstGsEFAI9GJ/XtcLyL5NvuymAvLVO//XwayGSpeYTBUI05/QMOyxCo/U1s9QKQsajRiJr0TJNd5YHVF2zPJBjz4MKP9Z0KiKiJhkwqk/vOFOdphR+inSzGXZ+7GRG4r+BhgWsVBu5XCKLbKVkQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764635599; c=relaxed/simple; bh=uW16PtSZ3FL7ROpLg1EtQFyrFJTu4Si5GpuvxdnYu94=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sGSLYWUreCsmdia6Ed0NzqhG9OT/2XHY3PpmixJpv39w0UwG7RyRneITHiZMeMtr6vsTox8IXQ018XreKjL3KHvt11mVCTzcHQsTEborUH4jcl5HsGEkooH5M4ggK3t4Yr2hOGh77+bVkRXyEKkckZo4gtL9FMs2996NR3QyjQE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Z1W8SScz; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Z1W8SScz" Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-b736cd741c1so743113966b.0 for ; Mon, 01 Dec 2025 16:33:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764635596; x=1765240396; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=2TrsoSJtXBFVY7DoavTJ0Q4eFLJZnGfCQLuv/hSYlYA=; b=Z1W8SSczvYgEz+Iqehm14yk/wiqvrT4dDonlT5WkIiJHeqHFCN6x+gMtxp2HbUiMcw ghwTvuL1/3xzVmCpnZ7wlyfn9M8wYa3nLOs+/p1+VDHUzxrZCsI7yaudAJs9ZPxh6VH4 rWYgy3P9NQCkK58XdWgPaXUEFcrLryYW5G8mAiuogughA9FVnY5VXb6U59YF1bkD/FTO OcvElKYd6lAjIsGvxLWL8V4BOyzLfvZsFWijHOQ9RjC2LjTGIzvUw6gBiOwb0THIabQm OWCRBw7YGaJgA6XGPTNHzYMHPI1FbBsYHYBsEuunj/HWEiS7in5FKdBunRq4CaCTjKEC MXtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764635596; x=1765240396; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=2TrsoSJtXBFVY7DoavTJ0Q4eFLJZnGfCQLuv/hSYlYA=; b=WnoF5DNsGYSKmAjHdrv2J5qudxdhOcYBJHBVd2sgg9mvd6nt4BMxZxHnVz5XmzKd2z VAvaI79t0xc3VxuzvYGBrb+pwVtqxj+GwQlJxAvscIBtIO95BmR7QHafZcME6EileLS1 Mmp7U0UwJscEh7J7KNV49Hnn1HWD6IxfRRJPRaUtwjEdtReYkHnf5KZmZSCyiPW8dZqf r/ZHH4/xm/Xek69zNAe3wqOBY6iTqFsDkLdGrOdVXmwiLu2KWRFqpvGX7bd0QzMqBNLe S6v4SZ4kZtYBKeSuB74Sem52/mHrH5JGo5cpCCo3f9cWitDxoi76n1JB9Qs9uiZDHczg BOSg== X-Forwarded-Encrypted: i=1; AJvYcCWKPzKUU+RSBR/Kc38vUqKFA4wKLpJsQzjSncRDIPBX+s/frrhvQzj42pMYcx4UK/Cr+zTRpmK8OuNf2hY=@vger.kernel.org X-Gm-Message-State: AOJu0Yxy4sQhDuiDcPy5qaCp9+H8LvwxcB2/Z3MYDJj6h0HuadFvivSj 9io11p7Gocg4gV6cvybfT/tbS+bFCWCWYF8X5OlnGmOQbE3C/ZDyqz7m X-Gm-Gg: ASbGnctSwF1KunoY/yM6d8d0735ECaEJW922x5FCwY28wvBkIY2SbeHfDSOuNTSAsad 7lf2XB4Hp6/7jHu8BHDUldGm6gkpP+93IbSHQRo/aaGF4c3OXHim7d4wEkQRk7q9JRGe3knnIz8 GNVxrgn2X0ABbMkFvpXSJEQLeFOmQXPN+gqFZk/N8REDCukYX5fO3fpIIF+2SGV3g/ZVYW8Fzkj +DIcd92y6Xa4TysLnSYY80MLP8wfujQtaDq3LTeTM7rEcDpCcJ0NT4848V0uEcH+3h2Um1GUTrF b8z+2knZJF2sYPLPachyD2w/kk6b4Uiqnrs8qlD3b7/Dudau6mGByyu0OraGD3ir2sKACFxUDsg YSN3ct0HD4TcnOb6dMwTqUF/3Hzq26sXkNOjWQBBMLPdgVoxvtzgibg5TaVhTuFcxCNXwkQ9s9/ 20Wxk25zXDlSo= X-Google-Smtp-Source: AGHT+IGbxAdcsjiIWpDaKFXL1RodvXCDyjtpDDIbBfRabhhY7XPB2fC2OpKBlsnFAi4TDKiQYvEyKA== X-Received: by 2002:a17:907:7245:b0:b76:339d:63ed with SMTP id a640c23a62f3a-b767183c00emr4028307866b.52.1764635595749; Mon, 01 Dec 2025 16:33:15 -0800 (PST) Received: from eray-kasa.. ([2a02:4e0:2d02:fb4:3deb:c78e:540e:164e]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b76f5a2176csm1342823866b.57.2025.12.01.16.33.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Dec 2025 16:33:15 -0800 (PST) From: Ahmet Eray Karadag To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, david.hunter.linux@gmail.com, skhan@linuxfoundation.org, Ahmet Eray Karadag , syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com, Albin Babu Varghese Subject: [PATCH v4] ocfs2: Invalidate inode if i_mode is zero after block read Date: Tue, 2 Dec 2025 03:32:10 +0300 Message-ID: <20251202003209.188987-2-eraykrdg1@gmail.com> In-Reply-To: <20251108120133.37443-3-eraykrdg1@gmail.com> References: <20251108120133.37443-3-eraykrdg1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink =3D=3D 0) when handling a corrupted inode with i_mode=3D0 and i_nlink=3D0 in memory. This "zombie" inode is created because ocfs2_read_locked_inode proceeds even after ocfs2_validate_inode_block successfully validates a block that structurally looks okay (passes checksum, signature etc.) but contains semantically invalid data (specifically i_mode=3D0). The current validation function doesn't check for i_mode being zero. This results in an in-memory inode with i_mode=3D0 being added to the VFS cache, which later triggers the panic during unlink. Prevent this by adding an explicit check for (i_mode =3D=3D 0, i_nlink =3D= =3D 0, non-orphan) within ocfs2_validate_inode_block. If the check is true, return -EFSCORRUPT= ED to signal corruption. This causes the caller (ocfs2_read_locked_inode) to invoke make_bad_inode(), correctly preventing the zombie inode from entering the cache. Reported-by: syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=3D55c40ae8a0e5f3659f2b Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Previous link: https://lore.kernel.org/all/20251022222752.46758-2-eraykrdg1= @gmail.com/T/ --- v2: - Only checking either i_links_count =3D=3D 0 or i_mode =3D=3D 0 - Not performing le16_to_cpu() anymore - Tested with ocfs2-test --- v3: - Add checking both high and low bits of i_links_count --- v4: - Reading i_links_count hi and low bits without helper function to save few cpu cycles --- fs/ocfs2/inode.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index 14bf440ea4df..34c2882273ae 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1455,7 +1455,13 @@ int ocfs2_validate_inode_block(struct super_block *s= b, (unsigned long long)bh->b_blocknr); goto bail; } - + if (!(di->i_links_count | di->i_links_count_hi) || !di->i_mode) { + mlog(ML_ERROR, "Invalid dinode #%llu: " + "Corrupt state (nlink=3D0 or mode=3D0,) detected!\n", + (unsigned long long)bh->b_blocknr); + rc =3D -EFSCORRUPTED; + goto bail; + } /* * Errors after here are fatal. */ --=20 2.43.0