From: Prithvi Tambewagh
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: heming.zhao@suse.com, ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Prithvi Tambewagh, syzbot+af14efe17dfa46173239@syzkaller.appspotmail.com, stable@vger.kernel.org
Subject: [PATCH] ocfs2: Add check for total number of chains in chain list
Date: Sat, 20 Dec 2025 15:19:28 +0530
Message-Id: <20251220094928.134849-1-activprithvi@gmail.com>

The functions ocfs2_reserve_suballoc_bits(), ocfs2_block_group_alloc(), ocfs2_block_group_alloc_contig() and ocfs2_find_smallest_chain() trust the on-disk values related to the allocation chain. However, a KASAN bug was triggered in these functions, and the kernel panicked when accessing redzoned memory. This occurred due to the corrupted value of the `cl_count` field of `struct ocfs2_chain_list`. Upon analysis, the value of `cl_count` was observed to be overwhelmingly large, due to which the code accessed redzoned memory.

The fix introduces an if statement which validates the value of `cl_count` (both lower and upper bounds). The lower bound check ensures the value of `cl_count` is not zero and the upper bound check ensures that the value of `cl_count` is in the range such that it has a value less than the total size of struct ocfs2_chain_list and the maximum number of chains that can be present, so as to fill one block.

Reported-by: syzbot+af14efe17dfa46173239@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=af14efe17dfa46173239
Tested-by: syzbot+af14efe17dfa46173239@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh --- fs/ocfs2/suballoc.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index f7b483f0de2a..7ea63e9cc4f8 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -671,6 +671,21 @@ static int ocfs2_block_group_alloc(struct ocfs2_super = *osb, BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode)); =20 cl =3D &fe->id2.i_chain; + unsigned int block_size =3D osb->sb->s_blocksize; + unsigned int max_cl_count =3D + (block_size - offsetof(struct ocfs2_chain_list, cl_recs)) / + sizeof(struct ocfs2_chain_rec); + + if (!le16_to_cpu(cl->cl_count) || + le16_to_cpu(cl->cl_count) > max_cl_count) { + ocfs2_error(osb->sb, + "Invalid chain list: cl_count %u " + "exceeds max %u", + le16_to_cpu(cl->cl_count), max_cl_count); + status =3D -EIO; + goto bail; + } + status =3D ocfs2_reserve_clusters_with_limit(osb, le16_to_cpu(cl->cl_cpg), max_block, flags, &ac); base-commit: 36c254515dc6592c44db77b84908358979dd6b50 --=20 2.34.1
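Review bot: the upper bound is measured from the wrong base. `max_cl_count` subtracts `offsetof(struct ocfs2_chain_list, cl_recs)` from `s_blocksize`, but `cl` is `&fe->id2.i_chain`, a chain list embedded in the dinode block, so the dinode fields that precede `id2.i_chain` are not accounted for and the bound admits more records than the block can actually hold; `ocfs2_chain_recs_per_inode(osb->sb)` in fs/ocfs2/ocfs2.h already derives the limit from `offsetof(struct ocfs2_dinode, id2.i_chain.cl_recs)` and should be used instead of an open-coded computation. Two smaller points: the new `block_size` and `max_cl_count` declarations follow the statement `cl = &fe->id2.i_chain;`, so move them up with the function's other locals such as `status`; and the message "cl_count %u exceeds max %u" is also emitted when `cl_count` is 0, so word it to cover both bounds (or split the two conditions). Since the commit message names four functions but the check lands only in ocfs2_block_group_alloc(), please confirm the other paths always pass through this check or validate `cl_count` once where the dinode is read.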
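A stand-alone illustration of the kind of bounds check the patch describes, written for this page and not taken from the patch or from ocfs2: the header layout, byte offsets and sample block are constructed stand-ins, and the check is generalised so that the bound is measured from wherever the chain list starts inside the block and cl_next_free_rec is validated against cl_count before any record is read.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed stand-in for the on-disk chain list (assumed, not the real ocfs2
 * layout): 16-byte header, cl_count at byte 4, cl_next_free_rec at byte 6
 * (little-endian u16), then 16-byte records whose first u32 is c_free. */
#define CL_HDR_LEN 16u
#define CL_REC_LEN 16u
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Records that fit between the header and the end of the block. cl_off is where
 * the chain list starts inside the block: bytes before it reduce the capacity,
 * so the bound is measured from the block start, not from the header. */
unsigned int max_chain_count(unsigned int block_size, unsigned int cl_off)
{
    if (block_size < cl_off + CL_HDR_LEN) return 0;
    return (block_size - cl_off - CL_HDR_LEN) / CL_REC_LEN;
}

/* Reject a zero or oversized cl_count and a cl_next_free_rec beyond cl_count
 * before touching any record, then sum c_free over the in-use chains.
 * Returns 0 on success or -EIO when the header cannot be trusted. */
int sum_chain_free(const uint8_t *block, unsigned int block_size,
                   unsigned int cl_off, uint64_t *total_free)
{
    unsigned int max = max_chain_count(block_size, cl_off);
    const uint8_t *cl = block + cl_off;
    uint16_t count, next_free, i;
    if (max == 0) return -EIO;           /* header itself would not fit */
    count = rd16(cl + 4);
    next_free = rd16(cl + 6);
    if (count == 0 || count > max || next_free > count) return -EIO;
    *total_free = 0;
    for (i = 0; i < next_free; i++)
        *total_free += rd32(cl + CL_HDR_LEN + i * CL_REC_LEN);
    return 0;
}

/* Zeroed 4096-byte block carrying the given header values and one record with
 * c_free = 7 (assumes a small cl_off); returns -EIO or the summed c_free. */
long check_with(unsigned int cl_off, uint16_t count, uint16_t next_free)
{
    uint8_t block[4096] = {0};
    uint64_t free_bits = 0;
    block[cl_off + 4] = count & 0xff;     block[cl_off + 5] = count >> 8;
    block[cl_off + 6] = next_free & 0xff; block[cl_off + 7] = next_free >> 8;
    block[cl_off + CL_HDR_LEN] = 7;
    return sum_chain_free(block, sizeof block, cl_off, &free_bits) ? -EIO : (long)free_bits;
}
```

With a 4096-byte block the limit is 255 records when the chain list starts at byte 0 but only 247 when 128 bytes of enclosing header precede it, which is why a count that passes the first bound can still run past the block.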