From nobody Mon Dec 15 18:54:59 2025
Received: from mail-il1-f200.google.com (mail-il1-f200.google.com
 [209.85.166.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBF3B3054D8
	for <linux-kernel@vger.kernel.org>; Wed, 29 Oct 2025 06:25:49 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.166.200
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1761719151; cv=none;
 b=i15YN7f19mWme4wc/olecH+TInOv2PdxOznYDL5BncScKDw4K1Ieadfs8KnSb/6VKMesQVhbYN3UdjrKQXpLqEWldDNJ5cNqqA7jZwN+h1jQdcTEhFD/cpAC7kgY2VONaZmyp+xxbxGQDnAIh3aV1+RqOvUj5BhMglf7bR1yTUA=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1761719151; c=relaxed/simple;
	bh=0/cXk4L8l+PKQK3eP9r+eSHA25lHvBxV0Dgp5J8pIbw=;
	h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To:
	 Content-Type;
 b=hWZ/h0QizUAra9GMuOxqRk3nxdTKzR4dOTu4nG0k5IIvz6rkqxo3uzdNQxU14oVNQgoiUvawbCLMDLZVrcpcJX9M1IJgV7vJTDRkDe+/rwNU1UEMa3bsvTVu/CTUBPm9R/p9n0E9+KaUVYh/J+DenhJU45JplGnFY/17PbwPvIA=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com;
 spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com;
 arc=none smtp.client-ip=209.85.166.200
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Received: by mail-il1-f200.google.com with SMTP id
 e9e14a558f8ab-430ce62d138so85535945ab.3
        for <linux-kernel@vger.kernel.org>;
 Tue, 28 Oct 2025 23:25:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1761719149; x=1762323949;
        h=to:from:subject:message-id:in-reply-to:date:mime-version
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=Hmh5hlKO2coyotqBK5FXPA+mevXm+xNh+/bb4ZVq+As=;
        b=s+KFkR/lLi+kKZO/3THKS0ezWySsEx79rp1nKB4/bJKIAsTsnecGWyBq7HGFvMXiUZ
         XazAaTVtJ0o0b0ulmmsR4QgUKMCoafwOTKrIIkeI7TKE3/7k5XmFWDY1Bx7plpb4kr/o
         tlxZDrQm6xM/REZTtMHoqDqJ4laEJh7jd7EmKDgc/jQg7U8D1T20ioodsj7h845QPHMX
         Yq9b3mYMbPf9Cl0UwxxYGHSvoVOwK3TjmLGRzA9JIXkbVIISS4j1jcdRNGuyn+fPtfKd
         /t3Sx/IRtog28QgCn7GvTFvyC8n7xqUoSGQxxMzZwnDWgeB9ldIME/jSnQx89IE5QHiE
         8aCw==
X-Gm-Message-State: AOJu0YzCaa5+7g0K4QKvKionDxjsQiKXdBe41oBYMZ4JuEP/7p1Bz8Kn
	ZA2rK5QH93f3jUVuzEr7EmloR8xh+fXCSKGVis0s6yxOLIh42+1mL+dczDvc8rHVRh/wzeyuNsy
	5uFUxVs+xxwDAzX2mexItmFdGPERC/u8yCRw57D2yPrffqkRw7tzladEaem0=
X-Google-Smtp-Source: 
 AGHT+IEIWOX5hWd2LzD8bveGB8dHvoANJd2DuLVYk1B/esEp4My/RB5DuIdZwVORyNzv16yX5ZfDNmjIoVkAN95ix7PpMQRBkuTp
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-Received: by 2002:a05:6e02:2607:b0:42f:95ab:2364 with SMTP id
 e9e14a558f8ab-432f9044b14mr21477255ab.26.1761719148943; Tue, 28 Oct 2025
 23:25:48 -0700 (PDT)
Date: Tue, 28 Oct 2025 23:25:48 -0700
In-Reply-To: <68e48f33.a00a0220.298cc0.046e.GAE@google.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <6901b36c.050a0220.32483.01f3.GAE@google.com>
Subject: Forwarded: #syz test
 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
 linux-6.1.y
From: syzbot <syzbot+727d161855d11d81e411@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/stable/l=
inux.git linux-6.1.y
Author: dmantipov@yandex.ru

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 7f11ffacc915..e606826045b5 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6155,6 +6155,9 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_s=
uper *osb,
 	int status;
 	struct inode *inode =3D NULL;
 	struct buffer_head *bh =3D NULL;
+	struct ocfs2_dinode *di;
+	struct ocfs2_truncate_log *tl;
+	unsigned int tl_count, tl_used;
=20
 	inode =3D ocfs2_get_system_file_inode(osb,
 					   TRUNCATE_LOG_SYSTEM_INODE,
@@ -6172,6 +6175,19 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_=
super *osb,
 		goto bail;
 	}
=20
+	di =3D (struct ocfs2_dinode *)bh->b_data;
+	tl =3D &di->id2.i_dealloc;
+	tl_used =3D le16_to_cpu(tl->tl_used);
+	tl_count =3D le16_to_cpu(tl->tl_count);
+	if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
+		     tl_count =3D=3D 0 || tl_used > tl_count)) {
+		status =3D -EFSCORRUPTED;
+		iput(inode);
+		brelse(bh);
+		mlog_errno(status);
+		goto bail;
+	}
+
 	*tl_inode =3D inode;
 	*tl_bh    =3D bh;
 bail:
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index de6fd4a09ffd..10d0618a0ddf 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -302,8 +302,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
 				 unsigned long offset)
 {
 	const char *error_msg =3D NULL;
-	const int rlen =3D le16_to_cpu(de->rec_len);
-	const unsigned long next_offset =3D ((char *) de - buf) + rlen;
+	unsigned long next_offset;
+	int rlen;
+
+	if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+		/* Dirent is (maybe partially) beyond the buffer
+		 * boundaries so touching 'de' members is unsafe.
+		 */
+		mlog(ML_ERROR, "directory entry (#%llu: offset=3D%lu) "
+		     "too close to end or out-of-bounds",
+		     (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+		return 0;
+	}
+
+	rlen =3D le16_to_cpu(de->rec_len);
+	next_offset =3D ((char *) de - buf) + rlen;
=20
 	if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
 		error_msg =3D "rec_len is smaller than minimal";
@@ -778,6 +791,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
 	struct ocfs2_extent_block *eb;
 	struct ocfs2_extent_rec *rec =3D NULL;
=20
+	if (le16_to_cpu(el->l_count) !=3D
+	    ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+		ret =3D ocfs2_error(inode->i_sb,
+				  "Inode %lu has invalid extent list length %u\n",
+				  inode->i_ino, le16_to_cpu(el->l_count));
+		goto out;
+	}
+
 	if (el->l_tree_depth) {
 		ret =3D ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
 				      &eb_bh);
@@ -3416,6 +3437,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir=
, struct buffer_head *di_bh,
 		offset +=3D le16_to_cpu(de->rec_len);
 	}
=20
+	if (!last_de) {
+		ret =3D ocfs2_error(sb, "Directory entry (#%llu: size=3D%lld) "
+				  "is unexpectedly short",
+				  (unsigned long long)OCFS2_I(dir)->ip_blkno,
+				  i_size_read(dir));
+		goto out;
+	}
+
 	/*
 	 * We're going to require expansion of the directory - figure
 	 * out how many blocks we'll need so that a place for the
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index a1f3b25ce612..eed39aae08ba 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,39 @@ int ocfs2_validate_inode_block(struct super_block *s=
b,
 		goto bail;
 	}
=20
+	if (le32_to_cpu(di->i_flags) & OCFS2_CHAIN_FL) {
+		struct ocfs2_chain_list *cl =3D &di->id2.i_chain;
+		u16 bpc =3D 1 << (OCFS2_SB(sb)->s_clustersize_bits -
+				sb->s_blocksize_bits);
+
+		if (le16_to_cpu(cl->cl_count) !=3D ocfs2_chain_recs_per_inode(sb)) {
+			rc =3D ocfs2_error(sb, "Invalid dinode %llu: chain list count %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 le16_to_cpu(cl->cl_count));
+			goto bail;
+		}
+		if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+			rc =3D ocfs2_error(sb, "Invalid dinode %llu: chain list index %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 le16_to_cpu(cl->cl_next_free_rec));
+			goto bail;
+		}
+		if (le16_to_cpu(cl->cl_bpc) !=3D bpc) {
+			rc =3D ocfs2_error(sb, "Invalid dinode %llu: bits per cluster %u\n",
+					 (unsigned long long)bh->b_blocknr,
+					 le16_to_cpu(cl->cl_bpc));
+			goto bail;
+		}
+	}
+
+	if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+	    le32_to_cpu(di->i_clusters)) {
+		rc =3D ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+				 (unsigned long long)bh->b_blocknr,
+				 le32_to_cpu(di->i_clusters));
+		goto bail;
+	}
+
 	rc =3D 0;
=20
 bail:
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index b1e32ec4a9d4..6acf13adfb55 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,
=20
 	rec =3D &el->l_recs[index];
=20
-	BUG_ON(ext_flags !=3D rec->e_flags);
+	if (ext_flags !=3D rec->e_flags) {
+		ret =3D ocfs2_error(inode->i_sb,
+				  "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+				  (unsigned long long)ino, index, rec->e_flags, cpos);
+		goto out;
+	}
+
 	/*
 	 * after moving/defraging to new location, the extent is not going
 	 * to be refcounted anymore.
@@ -1032,6 +1038,12 @@ int ocfs2_ioctl_move_extents(struct file *filp, void=
 __user *argp)
 	if (range.me_threshold > i_size_read(inode))
 		range.me_threshold =3D i_size_read(inode);
=20
+	if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+			       OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+		status =3D -EINVAL;
+		goto out_free;
+	}
+
 	if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
 		context->auto_defrag =3D 1;