From nobody Sat Feb 7 22:01:40 2026 Received: from mail-oo1-f71.google.com (mail-oo1-f71.google.com [209.85.161.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CBACE273D9A for ; Sun, 4 Jan 2026 11:49:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.71 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767527358; cv=none; b=kfgKD4EVZRQIuFZ13vDkPuMcvwTeyfu4lMROdkqxEe7AA4nvF/PScXwGEAsU6u8mOwQ3+n6U4xQoMM1i0T+JGCl9WC/JGJQVizYG0QSUNH7oTIxVs9N5iIU2SeFNx7JawKMVUVooieeltPRJRtl2t6lG7q0RZi5718c5KB6VE7o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767527358; c=relaxed/simple; bh=6VK7g0jQFHJiBd1sqymehToYg6+lUygXDvGfjZ7eub8=; h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To: Content-Type; b=osf7LphthYTdwpVeAEHZ9H+TP++pCxYleuHki+s7azbs17pEO7ZMtYwb5qtkrbRicwIcN4UHmWbCkLc6uZ3LczyqrbkCJRqIaxTTTweFJIrLQF+uGPdPpojXxcj+z/1dHwMlaRR/ZrZ1id6zAzZffwsHyAnxZJbbLTdTunNcKuM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.161.71 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-oo1-f71.google.com with SMTP id 006d021491bc7-65746235dd4so12483409eaf.3 for ; Sun, 04 Jan 2026 03:49:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767527355; x=1768132155; h=to:from:subject:message-id:in-reply-to:date:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=a0E6w1hh/zbaFOrRneZ0rH6PZSPKrJ0Wh4MfWasWlCk=; b=cUh3mF3LSQt0c2i1RZ2rSBVNbRJWILsCnYn04c33vJcjFpdG+tgYOkI6+j/J8HiCNy gorkLI269PqY17WAxSYiQsIUK6CoRI9lFijsXAZMr6Lzpb/nH+PX3PMgpt+5vHacF422 jmTMt04WYoGGi/iD3saYO5RbrB3E+gswwhsuKkDjV/6Z/WngxTrsZRt1ALPo431u8Y5m Ri2cSLqOj7k67ZeWQ0N8ahqVgJfmqQSx1BpAR6Uavo7Lmgd7/+4Dn56vqPAnH8VfDlsg IHYrUI2L4s8uX/gWWQd8ZKBrNNWWRvgykG837SQOB1e1yw0AMDnmXlsiPJeQqb7GSwoV PYMA== X-Gm-Message-State: AOJu0YzZQtKHl4BBoJC4UfMPWwpGLV3vqfv8LG6k2Bg/rnmk4daGEcGo a1EQUMD7phorTlctDch3BFiA0dmrtMRhNg97zRvJLgTfYbjL/4y/Ls9YgcYJrE+Fsc7UIoK5C3w H86fUylQpxH2vzQChS9E/64hM+CFm7Oz7AuVvKMUb+LikhJM78xt6XybrIG8= X-Google-Smtp-Source: AGHT+IHhP+n8qEiBw7ymDXY8+uLti1AbOedO5AdG5qlm7Xvj2RMa4HqBWD0yHASYsdOtI8YGT5lVJdflZA0+V4/Vi/CajnZHvgAt Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a4a:b28b:0:b0:65d:6ed:e05c with SMTP id 006d021491bc7-65d0eaf0753mr14632456eaf.64.1767527355724; Sun, 04 Jan 2026 03:49:15 -0800 (PST) Date: Sun, 04 Jan 2026 03:49:15 -0800 In-Reply-To: <69441a92.a70a0220.207337.00e4.GAE@google.com> X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <695a53bb.050a0220.a1b6.038a.GAE@google.com> Subject: Forwarded: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_move_extent() From: syzbot To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] ocfs2: add check for free bits before allocation in ocfs2_= move_extent() Author: kartikey406@gmail.com #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git= master Add a check to verify the group descriptor has enough free bits before attempting allocation in ocfs2_move_extent(). This prevents a kernel BUG_ON crash in ocfs2_block_group_set_bits() when the move_extents ioctl is called on a crafted or corrupted filesystem. The existing validation in ocfs2_validate_gd_self() only checks static metadata consistency (bg_free_bits_count <=3D bg_bits) when the descriptor is first read from disk. However, during move_extents operations, multiple allocations can exhaust the free bits count below the requested allocation size, triggering BUG_ON(le16_to_cpu(bg->bg_free_bits_count) num_bits). The debug trace shows the issue clearly: - Block group 32 validated with bg_free_bits_count=3D427 - Repeated allocations decreased count: 427 -> 171 -> 43 -> ... -> 1 - Final request for 2 bits with only 1 available triggers BUG_ON By adding an early check in ocfs2_move_extent() right after ocfs2_find_victim_alloc_group(), we return -ENOSPC gracefully instead of crashing the kernel. This also avoids unnecessary work in ocfs2_probe_alloc_group() and __ocfs2_move_extent() when the allocation will fail. Reported-by: syzbot+7960178e777909060224@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D7960178e777909060224 Signed-off-by: Deepanshu Kartikey --- v2: - Fixed missing '<' in commit message (Joseph) - Moved check right after ocfs2_find_victim_alloc_group() to fail early and avoid unnecessary work (Joseph) --- fs/ocfs2/move_extents.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c index 99637e34d9da..524e6ea1fa0a 100644 --- a/fs/ocfs2/move_extents.c +++ b/fs/ocfs2/move_extents.c @@ -662,6 +662,12 @@ static int ocfs2_move_extent(struct ocfs2_move_extents= _context *context, goto out_commit; } =20 + gd =3D (struct ocfs2_group_desc *)gd_bh->b_data; + if (le16_to_cpu(gd->bg_free_bits_count) < len) { + ret =3D -ENOSPC; + goto out_commit; + } + /* * probe the victim cluster group to find a proper * region to fit wanted movement, it even will perform --=20 2.43.0