From nobody Fri Dec 19 21:50:26 2025 Received: from mail-ej1-f54.google.com (mail-ej1-f54.google.com [209.85.218.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FE5B1427A for ; Tue, 2 Dec 2025 22:46:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764715617; cv=none; b=mucXR4nTZRAfulq5rXaLX+rbkSHCF2/Vo15j7xX1XQwXztl/ETgGmwA3fubYx/3aqSezoWPmDIngcWKZ4UmE+y6LvI6OF5TPZmK5SSCLtThBlkMymc76BB/P+PrXPrlLCSW7SxlB8xAPZ/rzJBtG7IDjDYYVecitxxIyj+Ozo9o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764715617; c=relaxed/simple; bh=9Bf9ujHcjcq8ovaOcju2Y/IU6fHMb1AsAo1VIBD2RUo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TboWE2O39coaj9sB9iK0HUBSRyVx+y7T9ZhKcp2BuP1mcaqTDY3axko3DV3LVqgPRNA8bEd693HVhYdq/vPdDSQuqqGaJjPTcLfrhU9y/f9kJsb7fm+VxvX/Kysdkcl3I+B/XynvEdwAuC74LmN48H3IMp9ffGK/fzep61BSEmU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=nY7jIPsy; arc=none smtp.client-ip=209.85.218.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nY7jIPsy" Received: by mail-ej1-f54.google.com with SMTP id a640c23a62f3a-b7355f6ef12so1196203466b.3 for ; Tue, 02 Dec 2025 14:46:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1764715614; x=1765320414; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=y9BP0JD/Gk+5eWk3Fw3SO8aUPDHyheQIxFJmlzr1Sdg=; b=nY7jIPsy1nvw0Lx97TOC4N5KLmXGVKbKj/XVgGLJphfe09KTv5YMNZ9cgPIcGfqtRJ 1a+CZkRTdRY/cR1Yb+LB1zqmMGLPBQX/FWOfZCooGDfSmIytZw7DT7oY9otYw5rb3TjD U8lT6iZXtkL/xLWIH1j+lCC4AVdcBxcEEpehW9aBNHaW6hlN53g1UQa92BtqK5y8VW2K 78LqPZh9BHT1hCQNvpkcME+G6hj+4yUvf3c4OOz0Khn9ab41nfhMaxk3ObqFmoqaLf9c rUePIvqirE3eyOsWXxq9HFKHWFYgfd0BrA/Sp32EPUe10sHH4fEIxeLvc1IZzrh6EGDx h5Dw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764715614; x=1765320414; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=y9BP0JD/Gk+5eWk3Fw3SO8aUPDHyheQIxFJmlzr1Sdg=; b=Y5YC7r3v4cUBsdTIMQsZcatjLsYiO1LlSur4AzNIrRnd6m9hVqOjCkjGNUTtTsTufZ 41mKAyCUukSuc8L/l4Lemo7PPiOGsGafdIFHVXpYI51XWqJYGuvGfVzNNSiCafwp9Eo1 Ct+B6Rism17ETKFTt5b3FhAZ/WGrvPkg6bSHjHOgbN6t0jZisT5UaeA7tVAvHzUz2Eab UF1fJxGK1B3+p3UiN34Hxx8uDeiUK63GnlwPBPLUVZhSKrnBVRTNm6h4MsZPAkGFutfr QC8+LsedJIgygSBkkG7Q854e05iQwMjiaZds30CD/eFGWbRk652jHDedWRihVN4CPeGg MFTQ== X-Forwarded-Encrypted: i=1; AJvYcCUhWObVBEOSinU+lQwmWo+qfY94z7jvI5VDS/2M2q8Pd50bs6a5TdsjQwPwX4A55/9MDjq9vwEkDkrWPw8=@vger.kernel.org X-Gm-Message-State: AOJu0Yznt2Kj1rnTMPxXftNo1i8jkvobYtMLzcIMh2lg6nJebKVQTmkt GSu+OpnT6I9PLLKkG7FlCf4piqIQVl0k3osxodZx9iBA5WTstOfROCzjHW7oHBVY X-Gm-Gg: ASbGnctbhR9Kw/+BOVN7Yyaxuu/d2VQHFq5rmjh2xUKoCIPZKeNcaubHAJrIKlkPvOi 3vHTGCv13JG3CI60156WSxMH5layNUiUO/kSyiq9+D+KAUXtBbxrgyG/fU9Aci3nlgqUYjRy9g8 AIczrUbZ2Tw9qdfwIWafv5RD+eIcbQju2Zw2yBmgjAhIzsFaZBhL9BUWBDuRn7LmhPW9JwS6e1h MUPsuX5vbaViZrXY83AfEyZpwEGFOFPZ3T5JfcqzIg6ixnhJmKdIQ3opkxwut+x6Utq/gAxF/xz 3RyIVTItx163aZyfjZZ3Qq+Jtqaels5K1pBZIYbgxwb+Jjtdr/N85/a6BTm+5h1oCxeX2pzQKIw giY56d40kfHQ4khhOgLnH2RrgZbd69muHghj90HnzkymDMbfIzRz3WrLznV7NXY9Ko0Y14Htcty SQ8LsBRg0JLSQ= X-Google-Smtp-Source: AGHT+IGtTAR9cbqkqFVQ4UMW/RQSbo4Ss5u4i8LZNHdHqSxLPQnqcGFpVV11DTB9AMVc7wURNK5Rvw== X-Received: by 2002:a17:907:c1f:b0:b73:4fbb:37a8 with SMTP id a640c23a62f3a-b79dbe8e16fmr6649966b.12.1764715613366; Tue, 02 Dec 2025 14:46:53 -0800 (PST) Received: from eray-kasa.. ([2a02:4e0:2d14:1a1:acf7:8de5:59bc:44c3]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b79c7c49d35sm215051966b.49.2025.12.02.14.46.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Dec 2025 14:46:52 -0800 (PST) From: Ahmet Eray Karadag To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, david.hunter.linux@gmail.com, skhan@linuxfoundation.org, Ahmet Eray Karadag , syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com, Albin Babu Varghese Subject: [PATCH v6] ocfs2: Invalidate inode if i_mode is zero after block read Date: Wed, 3 Dec 2025 01:45:08 +0300 Message-ID: <20251202224507.53452-2-eraykrdg1@gmail.com> In-Reply-To: <20251108120133.37443-3-eraykrdg1@gmail.com> References: <20251108120133.37443-3-eraykrdg1@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink =3D=3D 0) when handling a corrupted inode with i_mode=3D0 and i_nlink=3D0 in memory. This "zombie" inode is created because ocfs2_read_locked_inode proceeds even after ocfs2_validate_inode_block successfully validates a block that structurally looks okay (passes checksum, signature etc.) but contains semantically invalid data (specifically i_mode=3D0). The current validation function doesn't check for i_mode being zero. This results in an in-memory inode with i_mode=3D0 being added to the VFS cache, which later triggers the panic during unlink. Prevent this by adding an explicit check for (i_mode =3D=3D 0, i_nlink =3D= =3D 0, non-orphan) within ocfs2_validate_inode_block. If the check is true, return -EFSCORRUPT= ED to signal corruption. This causes the caller (ocfs2_read_locked_inode) to invoke make_bad_inode(), correctly preventing the zombie inode from entering the cache. Reported-by: syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=3D55c40ae8a0e5f3659f2b Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Previous link: https://lore.kernel.org/all/20251022222752.46758-2-eraykrdg1= @gmail.com/T/ Reviewed-by: Joseph Qi --- v2: - Only checking either i_links_count =3D=3D 0 or i_mode =3D=3D 0 - Not performing le16_to_cpu() anymore - Tested with ocfs2-test --- v3: - Add checking both high and low bits of i_links_count --- v4: - Reading i_links_count hi and low bits without helper function to save few cpu cycles --- v5: - Clear i_links_count check - Log the actual i_nlink/i_mode --- v6: - Use `ocfs2_read_links_count` to get nlink - Convert di->imode to cpu endian --- fs/ocfs2/inode.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index 14bf440ea4df..f83b8e4f4d8b 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1456,6 +1456,14 @@ int ocfs2_validate_inode_block(struct super_block *s= b, goto bail; } =20 + if ((!di->i_links_count && !di->i_links_count_hi) || !di->i_mode) { + mlog(ML_ERROR, "Invalid dinode #%llu: " + "Corrupt state (nlink =3D %u or mode =3D %u) detected!\n", + (unsigned long long)bh->b_blocknr, + ocfs2_read_links_count(di), le16_to_cpu(di->i_mode)); + rc =3D -EFSCORRUPTED; + goto bail; + } /* * Errors after here are fatal. */ --=20 2.43.0