From: Farhad Alemi
Date: Fri, 29 May 2026 23:35:44 -0400
Subject: [PATCH] freevxfs: don't BUG() on unknown typed-extent type
To: Christoph Hellwig
Cc: Christian Brauner, linux-kernel@vger.kernel.org

vxfs_bmap_typed() dispatches on the on-disk typed-extent type,
(u32)(hdr >> VXFS_TYPED_TYPESHIFT), where hdr comes from the
attacker-controlled vt_hdr of each typed extent. Only four type values
are handled; any other value falls through the switch to the default
case, which is BUG().

After mounting a crafted VxFS image, an ioctl(FIBMAP) on a regular file
reaches this path and crashes the kernel:

  kernel BUG at fs/freevxfs/vxfs_bmap.c:230!
  RIP: vxfs_bmap_typed fs/freevxfs/vxfs_bmap.c:230 [inline]
       vxfs_bmap1+0x128a/0x12d0 fs/freevxfs/vxfs_bmap.c:257
  Call Trace:
   vxfs_getblk fs/freevxfs/vxfs_subr.c:104
   generic_block_bmap fs/buffer.c:2764
   bmap fs/inode.c:1948
   ioctl_fibmap fs/ioctl.c:77 [inline]
   file_ioctl+0x4b1/0x870 fs/ioctl.c:327

An unrecognized extent type is malformed on-disk input rather than a
kernel invariant violation. Replacing the BUG() with WARN_ON_ONCE()
would log the unexpected type once, and return 0 -- the failure value
vxfs_bmap_typed() already documents ("the physical block number on
success, else Zero") and the value its neighbouring DEV4 case returns.
vxfs_getblk() maps a 0 result to -EIO, so the FIBMAP ioctl fails cleanly
instead of crashing.

Reported-by: Farhad Alemi
Signed-off-by: Farhad Alemi
--- fs/freevxfs/vxfs_bmap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/freevxfs/vxfs_bmap.c b/fs/freevxfs/vxfs_bmap.c index e85222892038..1b8216eb1d90 100644 --- a/fs/freevxfs/vxfs_bmap.c 
+++ b/fs/freevxfs/vxfs_bmap.c @@ -227,6 +227,7 @@ vxfs_bmap_typed(struct inode *ip, long iblock) return 0; } default: - BUG(); + WARN_ON_ONCE(1); + return 0; } } --=20 2.43.0
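Review bot: In the default case, WARN_ON_ONCE(1) is still driven directly by the on-disk vt_hdr value, so a crafted image can trigger it at will; on a system running with panic_on_warn that is still a crash, and WARN is meant for kernel-internal invariant violations rather than invalid external input, which is the distinction the commit message itself draws. It also emits only a stack trace, not the offending type, although the commit message says the unexpected type would be logged. Consider a one-shot or rate-limited message that includes the value of (u32)(hdr >> VXFS_TYPED_TYPESHIFT), for example via pr_warn_once(), followed by the same return 0.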