X-Mailing-List: linux-kernel@vger.kernel.org
Date: Thu, 11 Dec 2025 00:06:50 -0800
In-Reply-To: <693a631e.a70a0220.33cd7b.0028.GAE@google.com>
Message-ID: <693a7b9a.050a0220.4004e.02f7.GAE@google.com>
Subject: Forwarded: [PATCH] ocfs2: fix use-after-free when reading a bad inode
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ocfs2: fix use-after-free when reading a bad inode
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When ocfs2_read_locked_inode() fails with -ENOMEM or other errors, it calls make_bad_inode() to mark the inode as bad but still returns a valid inode pointer through the iget machinery. The function _ocfs2_get_system_file_inode() only checks for IS_ERR(inode) but not for bad inodes, causing the bad inode to be returned to callers.

During orphan recovery, ocfs2_queue_orphans() gets this bad inode for the orphan directory and passes it to ocfs2_dir_foreach(). Since the inode was never properly initialized due to the earlier read failure, iterating the directory accesses freed or uninitialized memory, triggering a use-after-free in ocfs2_check_dir_entry().

Fix this by adding an is_bad_inode() check in _ocfs2_get_system_file_inode() after ocfs2_iget() returns. If the inode is bad, release it with iput() and return NULL. This protects all callers of ocfs2_get_system_file_inode() from receiving bad inodes.

Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
Signed-off-by: Deepanshu Kartikey
---
 fs/ocfs2/sysfile.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/ocfs2/sysfile.c b/fs/ocfs2/sysfile.c
index d53a6cc866be..f443479f7d3e 100644
--- a/fs/ocfs2/sysfile.c
+++ b/fs/ocfs2/sysfile.c
@@ -145,6 +145,13 @@ static struct inode * _ocfs2_get_system_file_inode(str= uct ocfs2_super *osb, inode =3D NULL; goto bail; } + + if(is_bad_inode(inode)) { + iput(inode); + inode =3D NULL; + goto bail; + } + #ifdef CONFIG_DEBUG_LOCK_ALLOC if (type =3D=3D LOCAL_USER_QUOTA_SYSTEM_INODE || type =3D=3D LOCAL_GROUP_QUOTA_SYSTEM_INODE || --=20 2.43.0
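Review bot: the new branch silently discards the failure reason: like the preceding error path it sets `inode = NULL` and jumps to `bail`, so callers of _ocfs2_get_system_file_inode() cannot tell a bad on-disk system inode (a corruption or read failure worth reporting) from the earlier failure, and nothing is logged at the point where the problem is first detected. Either the commit message should say why a silent NULL is acceptable for every caller of ocfs2_get_system_file_inode(), or the branch should log the failure before `iput(inode)`. The message also states that ocfs2_iget() "still returns a valid inode pointer" for a bad inode without naming the path by which that happens; spelling it out would let a reviewer confirm the check belongs here rather than in ocfs2_iget(). Style: `if(is_bad_inode(inode)) {` is missing the space after `if` that kernel coding style requires (checkpatch flags this); write `if (is_bad_inode(inode)) {`.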
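The commit message above describes two distinct ways an iget-style lookup can fail: an ERR_PTR-encoded return, which IS_ERR() catches, and an inode that was marked bad with make_bad_inode() but is still handed back as a live pointer, which IS_ERR() cannot see. The following is an added example, not ocfs2 or kernel code, that models both channels in user-space C. ERR_PTR()/IS_ERR() follow the kernel's err.h encoding and make_bad_inode()/is_bad_inode() its ops-table convention; struct inode, model_iget(), dir_foreach(), the two getters and the scenario_* functions are hypothetical stand-ins for the ocfs2 paths, and the sample directory contents are constructed. The unchecked getter returns the bad inode and the directory walk then reads state that was never initialised (reported as -EFAULT here instead of being dereferenced); the checked getter, mirroring the patch, drops the reference and returns NULL, and a live-inode counter confirms the iput() balances the reference.

```c
/* Added example, not ocfs2 or kernel code: a user-space model of why an
 * IS_ERR()-only check lets a "bad" inode through. ERR_PTR()/IS_ERR() use the
 * kernel's err.h encoding, make_bad_inode()/is_bad_inode() its ops-table
 * convention; everything else is a hypothetical stand-in for the ocfs2 paths. */
#include <errno.h>
#include <stdlib.h>
#define MAX_ERRNO 4095	/* errnos are encoded in the top 4095 addresses */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline int IS_ERR(const void *p)
{
	return (unsigned long)p >= (unsigned long)-MAX_ERRNO;
}

struct inode_operations { const char *name; };
static const struct inode_operations bad_inode_ops = { "bad" };
static const struct inode_operations dir_ops = { "dir" };
static int sample_dir_entries = 2;	/* constructed sample: on-disk state */
struct inode {
	int refcount;
	const struct inode_operations *i_op;
	int *fs_private;	/* NULL until the on-disk read succeeds */
};
/* The bad state lives in the ops table, not the pointer, so IS_ERR() misses it. */
static void make_bad_inode(struct inode *ino) { ino->i_op = &bad_inode_ops; }
static int is_bad_inode(const struct inode *ino) { return ino->i_op == &bad_inode_ops; }

static int live_inodes;	/* leak detector: 0 whenever no inode is held */
int live_inode_count(void) { return live_inodes; }
static void iput(struct inode *ino)
{
	if (ino && --ino->refcount == 0) { free(ino); live_inodes--; }
}

/* Model of the iget path: allocation failure is an ERR_PTR, but a failed
 * on-disk read only marks the inode bad and still returns a live pointer. */
static struct inode *model_iget(int alloc_ok, int read_ok)
{
	struct inode *ino;
	if (!alloc_ok || !(ino = calloc(1, sizeof(*ino))))
		return ERR_PTR(-ENOMEM);
	live_inodes++;
	ino->refcount = 1;
	ino->i_op = &dir_ops;
	if (read_ok)
		ino->fs_private = &sample_dir_entries;
	else
		make_bad_inode(ino);	/* fs_private stays NULL */
	return ino;
}

/* A directory walk that reads fs-private state directly. On a bad inode the
 * real code would touch memory never set up; the model returns -EFAULT. */
static int dir_foreach(struct inode *dir)
{
	return dir->fs_private ? *dir->fs_private : -EFAULT;
}

/* Before the fix: only the ERR_PTR channel is tested. */
static struct inode *get_system_inode_unchecked(int alloc_ok, int read_ok)
{
	struct inode *ino = model_iget(alloc_ok, read_ok);
	return IS_ERR(ino) ? NULL : ino;
}

/* After the fix: a bad inode is released and NULL returned. */
static struct inode *get_system_inode_checked(int alloc_ok, int read_ok)
{
	struct inode *ino = model_iget(alloc_ok, read_ok);
	if (IS_ERR(ino))
		return NULL;
	if (is_bad_inode(ino)) {
		iput(ino);
		return NULL;
	}
	return ino;
}

/* Read failure, unchecked caller: the walk hits uninitialised state (-EFAULT). */
int scenario_unchecked(void)
{
	struct inode *dir = get_system_inode_unchecked(1, 0);
	int rc = (dir && is_bad_inode(dir)) ? dir_foreach(dir) : 1000;
	iput(dir);
	return rc;
}

/* Read failure, fixed caller: NULL back and the bad inode freed (returns 0). */
int scenario_checked(void)
{
	return get_system_inode_checked(1, 0) ? 1000 : live_inode_count();
}

/* Successful read: the fixed caller still returns a usable directory (2). */
int scenario_good(void)
{
	struct inode *dir = get_system_inode_checked(1, 1);
	int rc = dir ? dir_foreach(dir) : 1000;
	iput(dir);
	return rc;
}
```

The point the model makes is that ERR_PTR and a bad inode are separate signalling channels: the first is encoded in the pointer value, the second in the inode's state, so a getter that tests only IS_ERR() passes a bad inode to callers that then trust it. The fixed getter also shows the ownership rule the patch follows: the reference obtained from the lookup must be dropped with iput() before NULL is returned, otherwise the bad inode is leaked.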