From: Prithvi Tambewagh
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, heming.zhao@suse.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH v4] ocfs2: Add validate function for slot map blocks
Date: Tue, 16 Dec 2025 00:15:57 +0530
Message-ID: <20251215184600.13147-1-activprithvi@gmail.com>

When the filesystem is being mounted, the kernel panics while the data
regarding slot map allocation to the local node is being written to the
disk. This occurs because the value of slot map buffer head block
number, which should have been greater than or equal to
`OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2), is less than it, indicative
of disk metadata corruption. This triggers
BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(),
causing the kernel to panic.

This is fixed by introducing function ocfs2_validate_slot_map_block() to
validate slot map blocks. It first checks if the buffer head passed to it
is up to date and valid, else it panics the kernel at that point itself.
Further, it contains an if condition block, which checks if
`bh->b_blocknr` is less than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then
ocfs2_error is called, which prints the error log, for debugging purposes,
and the return value of ocfs2_error() is returned. If the if condition is
false, value 0 is returned by ocfs2_validate_slot_map_block().

This function is used as validate function in calls to ocfs2_read_blocks()
in ocfs2_refresh_slot_info() and ocfs2_map_slot_buffers().

Reported-by: syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0
Tested-by: syzbot+c818e5c4559444f88aa0@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh
Reviewed-by: Heming Zhao
Reviewed-by: Joseph Qi
---
v3->v4:
 - Remove if condition in ocfs2_validate_slot_map_block() which checks if
   `rc` is zero
 - Update commit log message

v3 link: https://lore.kernel.org/ocfs2-devel/tagu2npibmto5bgonhorg5krbvqho4zxsv5pulvgbtp53aobas@6qk4twoysbnz/T/#m6f357a93c9426c3d2f0c2d18d71f4c54601089ec

v2->v3:
 - Create new function ocfs2_validate_slot_map_block() to validate block
   number of slot map blocks, to be greater than or equal to
   OCFS2_SUPER_BLOCK_BLKNO
 - Use ocfs2_validate_slot_map_block() in calls to ocfs2_read_blocks() in
   ocfs2_refresh_slot_info() and ocfs2_map_slot_buffers()
 - In addition to using previously formulated if block in
   ocfs2_validate_slot_map_block(), also check if the buffer head passed
   in this function is up to date; if not, then kernel panics at that point
 - Update title of patch to 'ocfs2: Add validate function for slot map blocks'

v2 link: https://lore.kernel.org/ocfs2-devel/nwkfpkm2wlajswykywnpt4sc6gdkesakw2sw7etuw2u2w23hul@6oby33bscwdw/T/#m39bc7dbb208e09a78e0913905c6dfdfd666f3a05

v1->v2:
 - Remove usage of le16_to_cpu() from ocfs2_error()
 - Cast bh->b_blocknr to unsigned long long
 - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO
 - Fix Sparse warnings reported in v1 by kernel test robot
 - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to
   'ocfs2: fix kernel BUG in ocfs2_write_block'

v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@gmail.com/T/#mba4a0b092d8c5ba5b390b5d6a5c3ec7bc6caa6ae

 fs/ocfs2/slot_map.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..ea4a68abc25b 100644
--- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -44,6 +44,9 @@ struct ocfs2_slot_info { static int __ocfs2_node_num_to_slot(struct ocfs2_slot_info *si, unsigned int node_num); =20 +static int ocfs2_validate_slot_map_block(struct super_block *sb, + struct buffer_head *bh); + static void ocfs2_invalidate_slot(struct ocfs2_slot_info *si, int slot_num) { @@ -132,7 +135,8 @@ int ocfs2_refresh_slot_info(struct ocfs2_super *osb) * this is not true, the read of -1 (UINT64_MAX) will fail. */ ret =3D ocfs2_read_blocks(INODE_CACHE(si->si_inode), -1, si->si_blocks, - si->si_bh, OCFS2_BH_IGNORE_CACHE, NULL); + si->si_bh, OCFS2_BH_IGNORE_CACHE, + ocfs2_validate_slot_map_block); if (ret =3D=3D 0) { spin_lock(&osb->osb_lock); ocfs2_update_slot_info(si); @@ -332,6 +336,24 @@ int ocfs2_clear_slot(struct ocfs2_super *osb, int slot= _num) return ocfs2_update_disk_slot(osb, osb->slot_info, slot_num); } =20 +static int ocfs2_validate_slot_map_block(struct super_block *sb, + struct buffer_head *bh) +{ + int rc; + + BUG_ON(!buffer_uptodate(bh)); + + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + rc =3D ocfs2_error(sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >=3D %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + return rc; + } + return 0; +} + static int ocfs2_map_slot_buffers(struct ocfs2_super *osb, struct ocfs2_slot_info *si) { @@ -383,7 +405,8 @@ static int ocfs2_map_slot_buffers(struct ocfs2_super *o= sb, =20 bh =3D NULL; /* Acquire a fresh bh */ status =3D ocfs2_read_blocks(INODE_CACHE(si->si_inode), blkno, - 1, &bh, OCFS2_BH_IGNORE_CACHE, NULL); + 1, &bh, OCFS2_BH_IGNORE_CACHE, + ocfs2_validate_slot_map_block); if (status < 0) { mlog_errno(status); goto bail; base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 --=20 2.43.0
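
Review bot: in the hunk that adds ocfs2_validate_slot_map_block(), `BUG_ON(!buffer_uptodate(bh));` keeps a panic path inside a function whose stated purpose is to turn a BUG_ON panic on corrupted metadata into an error return. Either add a one-line comment saying why the buffer is guaranteed to be up to date whenever ocfs2_read_blocks() invokes the validate callback, or report that case through the same ocfs2_error() path. Two smaller points in the same function: `rc` is only assigned and then returned, so `return ocfs2_error(...)` would do without the local variable, and the message is split across two string literals, which makes it harder to grep for in logs, so keep it as a single literal even if the line runs long.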
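
Review bot: in the ocfs2_map_slot_buffers() hunk, the new callback tests bh->b_blocknr, which for this call should be the `blkno` the function already holds before it calls ocfs2_read_blocks(), so a block number below OCFS2_SUPER_BLOCK_BLKNO is rejected only after the read has been issued. Please document, in a comment above ocfs2_validate_slot_map_block() or at this call site, that the callback validates where the block lives rather than what it contains, and consider whether checking `blkno` before the read would catch the corrupted value earlier on this path.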