From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 1/3] ocfs2: handle invalid dinode in reserve_suballoc_bits
Date: Fri, 3 Apr 2026 14:30:14 +0800
Message-ID: <20260403063016.438287-2-gality369@gmail.com>
In-Reply-To: <20260403063016.438287-1-gality369@gmail.com>
References: <20260403063016.438287-1-gality369@gmail.com>

[BUG]
A crafted filesystem can feed an invalid dinode into
ocfs2_reserve_suballoc_bits() and trip:

kernel BUG at fs/ocfs2/suballoc.c:806!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_reserve_suballoc_bits+0xccd/0x3e00 fs/ocfs2/suballoc.c:806
Code: c0fe488b 9d58ffff ff4885db 740de8fa
Call Trace:
 ocfs2_reserve_cluster_bitmap_bits+0xe5/0x1c0 fs/ocfs2/suballoc.c:1134
 ocfs2_local_alloc_reserve_for_window fs/ocfs2/localalloc.c:1108 [inline]
 ocfs2_local_alloc_slide_window+0x2cb/0x1570 fs/ocfs2/localalloc.c:1244
 ocfs2_reserve_local_alloc_bits+0x654/0xa10 fs/ocfs2/localalloc.c:669
 ocfs2_reserve_clusters_with_limit+0x785/0xe40 fs/ocfs2/suballoc.c:1168
 ocfs2_reserve_clusters fs/ocfs2/suballoc.c:1229 [inline]
 ocfs2_lock_allocators+0x319/0x520 fs/ocfs2/suballoc.c:2772
 ocfs2_write_begin_nolock+0x256a/0x5f30 fs/ocfs2/aops.c:1719
 ocfs2_write_begin+0x1b6/0x2e0 fs/ocfs2/aops.c:1884
 generic_perform_write+0x409/0x8c0 mm/filemap.c:4255
 __generic_file_write_iter+0x1bb/0x200 mm/filemap.c:4372
 ocfs2_file_write_iter+0xa87/0x1e10 fs/ocfs2/file.c:2469
 do_iter_readv_writev+0x61d/0x850 fs/read_write.c:827
 vfs_writev+0x323/0xca0 fs/read_write.c:1057
 do_pwritev+0x193/0x250 fs/read_write.c:1153
 __do_sys_pwritev2 fs/read_write.c:1211 [inline]
 __se_sys_pwritev2 fs/read_write.c:1202 [inline]
 __x64_sys_pwritev2+0xe8/0x160 fs/read_write.c:1202
 ...

[CAUSE]
ocfs2_reserve_suballoc_bits() assumes ocfs2_inode_lock() always returns an
already validated dinode buffer. commit 10995aa2451a ("ocfs2: Morph the
haphazard OCFS2_IS_VALID_DINODE() checks.") replaced the old corruption
handling with BUG_ON() under that assumption.

However, JBD-managed buffers can still bypass inode validation in the read
path, so corrupted dinode data can reach this function.

[FIX]
Treat an invalid dinode as filesystem corruption and return through the
existing bail-out path instead of BUG()ing. This matches the nearby
OCFS2_CHAIN_FL handling and keeps allocator cleanup unchanged.

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/suballoc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..12ac2bb3f10b 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -801,9 +801,13 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_su= per *osb, =20 fe =3D (struct ocfs2_dinode *) bh->b_data; =20 - /* The bh was validated by the inode read inside - * ocfs2_inode_lock(). Any corruption is a code bug. */ - BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); + /* JBD-managed buffers can bypass inode validation. */ + if (!OCFS2_IS_VALID_DINODE(fe)) { + status =3D ocfs2_error(alloc_inode->i_sb, + "Invalid dinode #%llu\n", + (unsigned long long)OCFS2_I(alloc_inode)->ip_blkno); + goto bail; + } =20 if (!(fe->i_flags & cpu_to_le32(OCFS2_CHAIN_FL))) { status =3D ocfs2_error(alloc_inode->i_sb, --=20 2.43.0
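Review bot: the replacement comment on the added lines, "JBD-managed buffers can bypass inode validation.", asserts the opposite of the comment it removes ("The bh was validated by the inode read inside ocfs2_inode_lock()") without saying why the old invariant fails, so the next reader cannot tell which statement to trust and could reinstate the BUG_ON. Suggest carrying the [CAUSE] reasoning into the comment, naming the read path that hands back a journal-managed buffer without running the dinode validator. The goto bail mirrors the OCFS2_CHAIN_FL check on the context lines that follow, so the unwind is consistent with the surrounding code, and reporting OCFS2_I(alloc_inode)->ip_blkno rather than a field of fe is the right choice for a message about a buffer that has just failed validation.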
From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 2/3] ocfs2: handle invalid dinode in claim_suballoc_bits
Date: Fri, 3 Apr 2026 14:30:15 +0800
Message-ID: <20260403063016.438287-3-gality369@gmail.com>
In-Reply-To: <20260403063016.438287-1-gality369@gmail.com>
References: <20260403063016.438287-1-gality369@gmail.com>

[BUG]
A crafted filesystem can feed an invalid dinode into
ocfs2_claim_suballoc_bits() and trip:

kernel BUG at fs/ocfs2/suballoc.c:1966

[CAUSE]
ocfs2_claim_suballoc_bits() trusts ac->ac_bh, but that buffer is not
limited to the reserve_suballoc_bits() path: local allocation can also
hand in osb->local_alloc_bh directly. JBD-managed buffers can bypass
inode validation, so invalid dinode data can still reach this function.

[FIX]
Report an invalid dinode as filesystem corruption and unwind through the
existing bail path instead of BUG()ing. This keeps the allocation logic
unchanged while removing the fatal failure mode.

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/suballoc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 12ac2bb3f10b..b99870aeaf88 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1965,9 +1965,13 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_al= loc_context *ac, =20 fe =3D (struct ocfs2_dinode *) ac->ac_bh->b_data; =20 - /* The bh was validated by the inode read during - * ocfs2_reserve_suballoc_bits(). Any corruption is a code bug. */ - BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); + /* JBD-managed buffers can bypass inode validation. */ + if (!OCFS2_IS_VALID_DINODE(fe)) { + status =3D ocfs2_error(ac->ac_inode->i_sb, + "Invalid dinode #%llu\n", + (unsigned long long)OCFS2_I(ac->ac_inode)->ip_blkno); + goto bail; + } =20 if (le32_to_cpu(fe->id1.bitmap1.i_used) >=3D le32_to_cpu(fe->id1.bitmap1.i_total)) { --=20 2.43.0
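Review bot: the added error path dereferences ac->ac_inode (ac->ac_inode->i_sb and OCFS2_I(ac->ac_inode)) where the removed BUG_ON only looked at fe. The [CAUSE] text says ac->ac_bh is not always set up by ocfs2_reserve_suballoc_bits() and that local allocation can hand in osb->local_alloc_bh directly; please state in the commit message, or make visible in the code, that ac->ac_inode is populated on that path too, otherwise the corruption check trades a BUG_ON for a NULL dereference on exactly the input it is meant to handle. The comment and message are identical to patch 1; a small shared helper for the three call sites in this series would keep the wording and the choice of block number to report in one place.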
From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 3/3] ocfs2: handle invalid dinode in _ocfs2_free_suballoc_bits
Date: Fri, 3 Apr 2026 14:30:16 +0800
Message-ID: <20260403063016.438287-4-gality369@gmail.com>
In-Reply-To: <20260403063016.438287-1-gality369@gmail.com>
References: <20260403063016.438287-1-gality369@gmail.com>

[BUG]
A crafted filesystem can feed an invalid dinode into
_ocfs2_free_suballoc_bits() and trip:

kernel BUG at fs/ocfs2/suballoc.c:2568

[CAUSE]
The free path trusts alloc_bh returned from locked allocator reads, but
JBD-managed buffers can bypass inode validation before that buffer is
handed to _ocfs2_free_suballoc_bits().

[FIX]
Handle an invalid dinode as filesystem corruption and exit through the
existing bail path before touching any allocator accounting. This keeps
all cleanup and rollback logic intact while avoiding BUG().

Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.")
Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/suballoc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index b99870aeaf88..34bdc18200f2 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -2868,13 +2868,14 @@ static int _ocfs2_free_suballoc_bits(handle_t *hand= le, struct ocfs2_group_desc *group; struct ocfs2_chain_rec *rec; __le16 old_bg_contig_free_bits =3D 0; =20 - /* The alloc_bh comes from ocfs2_free_dinode() or - * ocfs2_free_clusters(). The callers have all locked the - * allocator and gotten alloc_bh from the lock call. This - * validates the dinode buffer. Any corruption that has happened - * is a code bug. */ - BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); + /* JBD-managed buffers can bypass inode validation. */ + if (!OCFS2_IS_VALID_DINODE(fe)) { + status =3D ocfs2_error(alloc_inode->i_sb, + "Invalid dinode #%llu\n", + (unsigned long long)OCFS2_I(alloc_inode)->ip_blkno); + goto bail; + } BUG_ON((count + start_bit) > ocfs2_bits_per_group(cl)); =20 trace_ocfs2_free_suballoc_bits( --=20 2.43.0
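Review bot: the check added here turns one fatal path into an error return, but the context line directly below it, BUG_ON((count + start_bit) > ocfs2_bits_per_group(cl)), still crashes on allocator metadata; if cl is derived from the same on-disk dinode, an image that passes OCFS2_IS_VALID_DINODE() but carries a bogus chain list can still trip it, so either give that check the same ocfs2_error treatment or say in the message why it is out of scope for this series. Separately, the [BUG] section cites fs/ocfs2/suballoc.c:2568 while this hunk sits at line 2868 and the two preceding patches add only eight lines above it, so the cited line does not match this BUG_ON in the tree the series is based on; please recheck the line reference or say which tree produced the splat.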