1. Patchew
  2. linux
  3. View series

[PATCH] ocfs2: handle invalid dinode in ocfs2_group_extend

ZhengYuan Huang posted 1 patch 11 hours ago 
fs/ocfs2/resize.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
[PATCH] ocfs2: handle invalid dinode in ocfs2_group_extend
Posted by ZhengYuan Huang 11 hours ago 
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
 ...
 ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ...

[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block
returned from ocfs2_inode_lock() has already been validated and
BUG_ONs when the signature is not a dinode. That assumption is too
strong for crafted filesystems because the JBD2-managed buffer path
can bypass structural validation and return an invalid dinode to the
resize ioctl.

[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global
bitmap buffer does not contain a valid dinode, report filesystem
corruption with ocfs2_error() and fail the resize operation instead of
crashing the kernel.

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
---
 fs/ocfs2/resize.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
index b0733c08ed13..ed7ed15ad9a7 100644
--- a/fs/ocfs2/resize.c
+++ b/fs/ocfs2/resize.c
@@ -303,9 +303,13 @@ int ocfs2_group_extend(struct inode * inode, int new_clusters)
 
 	fe = (struct ocfs2_dinode *)main_bm_bh->b_data;
 
-	/* main_bm_bh is validated by inode read inside ocfs2_inode_lock(),
-	 * so any corruption is a code bug. */
-	BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
+	/* JBD-managed buffers can bypass validation, so treat this as corruption. */
+	if (!OCFS2_IS_VALID_DINODE(fe)) {
+		ret = ocfs2_error(main_bm_inode->i_sb,
+				  "Invalid dinode #%llu\n",
+				  (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno);
+		goto out_unlock;
+	}
 
 	if (le16_to_cpu(fe->id2.i_chain.cl_cpg) !=
 		ocfs2_group_bitmap_size(osb->sb, 0,
-- 
2.43.0
Re: [PATCH] ocfs2: handle invalid dinode in ocfs2_group_extend
Posted by Joseph Qi 10 hours ago 

On 4/1/26 5:23 PM, ZhengYuan Huang wrote:
> [BUG]
> kernel BUG at fs/ocfs2/resize.c:308!
> Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
> RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
> Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
> Call Trace:
>  ...
>  ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:597 [inline]
>  __se_sys_ioctl fs/ioctl.c:583 [inline]
>  __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
>  x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>  ...
> 
> [CAUSE]
> ocfs2_group_extend() assumes that the global bitmap inode block
> returned from ocfs2_inode_lock() has already been validated and
> BUG_ONs when the signature is not a dinode. That assumption is too
> strong for crafted filesystems because the JBD2-managed buffer path
> can bypass structural validation and return an invalid dinode to the
> resize ioctl.
> 
> [FIX]
> Validate the dinode explicitly in ocfs2_group_extend(). If the global
> bitmap buffer does not contain a valid dinode, report filesystem
> corruption with ocfs2_error() and fail the resize operation instead of
> crashing the kernel.
> 
> Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
> Signed-off-by: ZhengYuan Huang <gality369@gmail.com>

Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>

> ---
>  fs/ocfs2/resize.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c
> index b0733c08ed13..ed7ed15ad9a7 100644
> --- a/fs/ocfs2/resize.c
> +++ b/fs/ocfs2/resize.c
> @@ -303,9 +303,13 @@ int ocfs2_group_extend(struct inode * inode, int new_clusters)
>  
>  	fe = (struct ocfs2_dinode *)main_bm_bh->b_data;
>  
> -	/* main_bm_bh is validated by inode read inside ocfs2_inode_lock(),
> -	 * so any corruption is a code bug. */
> -	BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
> +	/* JBD-managed buffers can bypass validation, so treat this as corruption. */
> +	if (!OCFS2_IS_VALID_DINODE(fe)) {
> +		ret = ocfs2_error(main_bm_inode->i_sb,
> +				  "Invalid dinode #%llu\n",
> +				  (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno);
> +		goto out_unlock;
> +	}
>  
>  	if (le16_to_cpu(fe->id2.i_chain.cl_cpg) !=
>  		ocfs2_group_bitmap_size(osb->sb, 0,

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.