From: Farhad Alemi
Date: Mon, 25 May 2026 18:10:59 -0700
Subject: [PATCH] freevxfs: don't BUG() on duplicate OLT entries
To: Christoph Hellwig
Cc: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.43.0

vxfs_read_olt() walks the object location table (OLT) and dispatches
each entry to vxfs_get_fshead() or vxfs_get_ilist() based on its type.
Both helpers BUG_ON() if the per-superblock field they write
(vsi_fshino / vsi_iext) is already non-zero, on the unstated assumption
that the OLT contains at most one entry of each type.

The on-disk format does not enforce that assumption, so a crafted image
with two or more FSHEAD or ILIST entries trips the BUG at mount time:

  kernel BUG at fs/freevxfs/vxfs_olt.c:28!
  RIP: vxfs_get_ilist fs/freevxfs/vxfs_olt.c:28 [inline]
       vxfs_read_olt+0x665/0x680 fs/freevxfs/vxfs_olt.c:92
  Call Trace:
   vxfs_fill_super+0x4cd/0x830 fs/freevxfs/vxfs_super.c:251
   get_tree_bdev_flags+0x436/0x500 fs/super.c:1698
   vfs_get_tree+0x97/0x2b0 fs/super.c:1758
   do_new_mount+0x32e/0xa50 fs/namespace.c:3728
   __se_sys_mount+0x322/0x420 fs/namespace.c:4216

Rather than treat a malformed on-disk OLT as an internal kernel
invariant violation, treat it as bad input and reject the image. Make
vxfs_get_fshead() and vxfs_get_ilist() return int (0 on success,
-EINVAL on the duplicate condition that previously BUG'd) and check the
return in vxfs_read_olt() so its existing fail label runs: brelse(bp)
and return -EINVAL. The malformed image is rejected at mount(2) rather
than crashing the kernel or being silently accepted with
attacker-chosen vsi_fshino / vsi_iext values.

The existing post-loop sanity check

  return (infp->vsi_fshino && infp->vsi_iext) ? 0 : -EINVAL;

continues to require both fields to be non-zero, so images that supply
no FSHEAD or no ILIST are still rejected as before. Behavior for
well-formed images is unchanged.

The third BUG_ON() in this file (vxfs_oblock's check that bsize divides
sbp->s_blocksize) is a different bug class with a different reach path
and is left for a separate change.

Reported-by: Farhad Alemi
Signed-off-by: Farhad Alemi
---
 fs/freevxfs/vxfs_olt.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/fs/freevxfs/vxfs_olt.c b/fs/freevxfs/vxfs_olt.c index 23f35187c289..21c66af16c1a 100644 --- a/fs/freevxfs/vxfs_olt.c +++ b/fs/freevxfs/vxfs_olt.c @@ -15,18 +15,22 @@ #include "vxfs_extern.h" -static inline void +static inline int vxfs_get_fshead(struct vxfs_oltfshead *fshp, struct vxfs_sb_info *infp) { - BUG_ON(infp->vsi_fshino); + if (infp->vsi_fshino) + return -EINVAL; infp->vsi_fshino =3D fs32_to_cpu(infp, fshp->olt_fsino[0]); + return 0; } -static inline void +static inline int vxfs_get_ilist(struct vxfs_oltilist *ilistp, struct vxfs_sb_info *infp) { - BUG_ON(infp->vsi_iext); + if (infp->vsi_iext) + return -EINVAL; infp->vsi_iext =3D fs32_to_cpu(infp, ilistp->olt_iext[0]); + return 0; } static inline u_long @@ -86,10 +90,12 @@ vxfs_read_olt(struct super_block *sbp, u_long bsize) =09 switch (fs32_to_cpu(infp, ocp->olt_type)) { case VXFS_OLT_FSHEAD: - vxfs_get_fshead((struct vxfs_oltfshead *)oaddr, infp); + if (vxfs_get_fshead((struct vxfs_oltfshead *)oaddr, infp)) + goto fail; break; case VXFS_OLT_ILIST: - vxfs_get_ilist((struct vxfs_oltilist *)oaddr, infp); + if (vxfs_get_ilist((struct vxfs_oltilist *)oaddr, infp)) + goto fail; break; } --=20 2.43.0
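Review bot: the first hunk (vxfs_get_fshead / vxfs_get_ilist) rejects the duplicate silently, so a mount(2) that fails with EINVAL gives no hint that the OLT carried a second FSHEAD or ILIST entry; a one-line printk in the two new `return -EINVAL;` arms, e.g. `printk(KERN_WARNING "vxfs: duplicate FSHEAD entry in OLT\n");`, would let a corrupted image be told apart from the other -EINVAL paths out of vxfs_read_olt(). A smaller point: the check keys on the stored value (`if (infp->vsi_fshino)`), not on whether an entry of that type was already seen, so a first entry whose olt_fsino[0] / olt_iext[0] is zero leaves the field zero and a later entry of the same type is accepted rather than flagged. The table then ends with the later entry's value, which is no worse than a table that omitted the zero entry, but if every duplicate is meant to be rejected a separate seen flag is needed.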
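Review bot: in the vxfs_read_olt() hunk, `if (vxfs_get_fshead((struct vxfs_oltfshead *)oaddr, infp)) goto fail;` discards the helper's return value and relies on the `fail:` label, which sits outside the hunk's context (the commit message says it does brelse(bp) and returns -EINVAL), to choose the errno. That is correct while both helpers can only return -EINVAL, but capturing the value (`ret = vxfs_get_fshead(...); if (ret) goto fail;` and returning ret from the label) would keep the helper's error code if one of them ever reports a different one, and keeps the error value defined in one place.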
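To make the before/after behaviour concrete outside the kernel, here is an added userspace model of the OLT walk. It is not code from this patch or from the kernel tree: the entry layout, the type values, the host-endian fields and the `read_olt`, `run_case` and `olt_*` names are constructed for this model (the real on-disk structures are in fs/freevxfs/vxfs_olt.h and are read through fs32_to_cpu()). It keeps the three outcomes the commit message describes: a well-formed table is accepted, a table with two ILIST entries is rejected with -EINVAL instead of crashing, and a table missing one required entry is still rejected by the post-loop check. It also bounds each entry's size field by the image, a check a userspace reader of attacker-controlled images needs regardless.

```c
/* Added example, not from the patch or the kernel tree: a userspace model of
 * the vxfs_read_olt() walk over an object location table (OLT), showing the
 * patched behaviour: a duplicate FSHEAD or ILIST entry is bad input and
 * yields -EINVAL rather than a BUG_ON(). Layout, tags and host-endian fields
 * are constructed for this model; the real ones live in fs/freevxfs/vxfs_olt.h. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OLT_FSHEAD 1	/* hypothetical tag: file set header entry */
#define OLT_ILIST  2	/* hypothetical tag: inode list entry */

struct olt_entry {
	uint32_t type;
	uint32_t size;		/* total entry size in bytes; attacker-controlled */
	uint32_t val[2];	/* stand-in for olt_fsino[] / olt_iext[] */
};

struct sb_info { uint32_t fshino; uint32_t iext; };	/* vsi_fshino / vsi_iext */

/* Same shape as the patched kernel helpers: 0 on success, -EINVAL when an
 * entry of this type was already recorded. */
static int get_fshead(const struct olt_entry *e, struct sb_info *sb)
{
	if (sb->fshino)
		return -EINVAL;
	sb->fshino = e->val[0];
	return 0;
}

static int get_ilist(const struct olt_entry *e, struct sb_info *sb)
{
	if (sb->iext)
		return -EINVAL;
	sb->iext = e->val[0];
	return 0;
}

/* Walk the table. 0 for a well-formed table; -EINVAL for a duplicate entry,
 * an entry that overruns the image, or a table missing FSHEAD or ILIST
 * (the post-loop check the commit message keeps). Unknown types are skipped. */
int read_olt(const uint8_t *img, size_t len, struct sb_info *sb)
{
	size_t off = 0;

	memset(sb, 0, sizeof(*sb));
	while (len - off >= sizeof(struct olt_entry)) {
		struct olt_entry e;

		memcpy(&e, img + off, sizeof(e));
		if (e.size < sizeof(e) || e.size > len - off)
			return -EINVAL;	/* size field points past the image */
		switch (e.type) {
		case OLT_FSHEAD:
			if (get_fshead(&e, sb))
				return -EINVAL;
			break;
		case OLT_ILIST:
			if (get_ilist(&e, sb))
				return -EINVAL;
			break;
		}
		off += e.size;
	}
	return (sb->fshino && sb->iext) ? 0 : -EINVAL;
}

/* Build a constructed image from a list of entry types (payload 64 + index)
 * and run it through read_olt(). At most 8 entries fit in the buffer. */
static int run_case(const uint32_t *types, size_t count, struct sb_info *sb)
{
	uint8_t img[8 * sizeof(struct olt_entry)] = { 0 };
	size_t off = 0, i;

	for (i = 0; i < count && i < 8; i++) {
		struct olt_entry e = { types[i], sizeof(struct olt_entry),
				       { 64 + (uint32_t)i, 0 } };

		memcpy(img + off, &e, sizeof(e));
		off += sizeof(e);
	}
	return read_olt(img, off, sb);
}

int olt_well_formed(struct sb_info *sb)
{
	static const uint32_t t[] = { OLT_FSHEAD, OLT_ILIST };
	return run_case(t, 2, sb);
}

/* Two ILIST entries: the shape of image that previously hit the BUG. */
int olt_duplicate_ilist(struct sb_info *sb)
{
	static const uint32_t t[] = { OLT_FSHEAD, OLT_ILIST, OLT_ILIST };
	return run_case(t, 3, sb);
}

int olt_missing_ilist(struct sb_info *sb)
{
	static const uint32_t t[] = { OLT_FSHEAD };
	return run_case(t, 1, sb);
}
```

The duplicate check is deliberately the same value-based test as the patch (`if (sb->fshino)`), so a first entry carrying a zero payload would not be noticed; a reader that wants to reject every duplicate would track a seen flag per type instead.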