From: Prithvi Tambewagh
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH v2] ocfs2: fix kernel BUG in ocfs2_write_block
Date: Thu, 11 Dec 2025 01:02:55 +0530
Message-ID: <20251210193257.25500-1-activprithvi@gmail.com>

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node is being written to the disk. This occurs because the value of the slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2), is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic.

This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is less than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error() is called, which prints the error log for debugging purposes, and the return value of ocfs2_error() is returned back to the caller of ocfs2_update_disk_slot(), i.e. ocfs2_find_slot(). If the return value is zero, then error code EIO is returned.

Reported-by: syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0
Tested-by: syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh --- v1->v2: - Remove usage of le16_to_cpu() from ocfs2_error() - Cast bh->b_blocknr to unsigned long long - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO - Fix Sparse warnings reported in v1 by kernel test robot - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to 'ocfs2: fix kernel BUG in ocfs2_write_block' v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@g= mail.com/T/ fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..e916a2e8f92d 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *= osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status =3D ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >=3D %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + if (!status) + return -EIO; + return status; + } =20 status =3D ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 --=20 2.43.0
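Review bot: the `if (!status) return -EIO; return status;` tail after ocfs2_error() in the new block needs justification: the commit message says EIO is returned "if the return value is zero" but never says when ocfs2_error() can return zero here, so either simplify to `return ocfs2_error(osb->sb, ...)` if it cannot, or state in the changelog the case that makes the fallback necessary. Two smaller points on the same lines: the user-visible message is split across two string literals (`"Invalid Slot Map Buffer Head "` `"Block Number : %llu, Should be >= %d"`), which checkpatch warns about and which makes the message harder to grep, so keep it in one literal even past 80 columns; and the capitalised wording reads unlike the other ocfs2 error strings, so a lowercase form such as `"invalid slot map bh blocknr %llu, expected >= %d"` would fit better. Finally, this check only guards the write path in ocfs2_update_disk_slot(): a slot map buffer head whose block number is below the superblock is already corrupt when it is read during mount, so it is worth considering whether the validation belongs where the slot map buffers are first read, so that a corrupted image is rejected before the buffer is used at all rather than only when it is written back.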