From nobody Thu Apr  2 12:41:27 2026
Received: from out162-62-58-216.mail.qq.com (out162-62-58-216.mail.qq.com
 [162.62.58.216])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED3142494F0;
	Sun, 29 Mar 2026 06:09:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=162.62.58.216
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774764552; cv=none;
 b=AARnxjAVu/lToW0O79GoSqE2v2xO1WgIZtOxwZuFz6DFXcEPr9UIYdVxfvJ0Q/hc+Zf+vFMnODKkYxUidt7rHYznivnbUMa7Ba0XBYvZA04QliD9sI4LLUZfeG60aSl01vIJEAhY9v13vrtc43nXEnMmVRk16PAJZRBVz3HhiCw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774764552; c=relaxed/simple;
	bh=akt1j5RLgcI6S5n71SnrJlqgPQMbm3JiASV7nH6wEB0=;
	h=Message-ID:From:To:CC:Subject:Date:Content-Type:MIME-Version;
 b=eOS3vmvIvEglZWewmwDFTa1IBAAvpwi3edIRhg++2Cw6swTQeWwV6HSFaJ+UkyLyZ95EPLhYoF2+EVl6N7/FjkZ41mOyE2k/Nq7AQm6w9ONI/Zq4YdCh9L4Dsfm3FdnxCWpvS+iGGnb1YWAZg+CWkazDkdNMqqVen3SV7o32JoI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=qq.com;
 spf=pass smtp.mailfrom=qq.com;
 dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b=PGiUGnN6;
 arc=none smtp.client-ip=162.62.58.216
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=qq.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=qq.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=qq.com header.i=@qq.com header.b="PGiUGnN6"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512;
	t=1774764545; bh=akt1j5RLgcI6S5n71SnrJlqgPQMbm3JiASV7nH6wEB0=;
	h=From:To:CC:Subject:Date;
	b=PGiUGnN6u3WWcDVzSvV8us0xoC3RPEMeuh7KUgy7nS4lrC1e7Z8ImAczWf+fHp5Zt
	 e4+KWVtwlaqLQjcrS+Rv/qN9IZkWcPO6/eEdhjbfIQHF1MiZpN2VTsLLf2uorC3dzC
	 Z4yNx858yQRjBS22G1ciU7Bp06ijYvW/lh1QEmEc=
Received: from SG2PR02MB5841.apcprd02.prod.outlook.com
 ([2603:1046:c01:910::5])
	by newxmesmtplogicsvrsza53-0.qq.com (NewEsmtp) with SMTP
	id 2431A2BC; Sun, 29 Mar 2026 14:09:03 +0800
X-QQ-mid: xmsmtpt1774764543tx780ugc4
Message-ID: <tencent_20BE792225EC3654239D0B90001A911DE909@qq.com>
X-QQ-XMAILINFO: MfXlhb1xJpsO4OzEkdm/SKx2GC0hKL9YVhRh8Ud32LhMeGXvxwZYmLWboXwuFU
	 RFug0CAy7/kjG4nJjdbi2/GfkPS2ptmX+EYNOXU4krooZuv5wn9BIG7ErAj4P5kpYb355dLNnefr
	 023TP1dz4LiCMdqlfjLLMIQS0rqgtgsChqCMvrSoO3nNAWvRwfH5QJZ4pvPmWxxsdqkN050M0/V/
	 cwNQQTqVJI4opUN55eYClHprgw3ESqxHa8T+KNrjSNgqid+LCv/MXojs4KdxMa0yvly5H+ktymIL
	 CO7O6qVHBmSvp2f7X0YG1qw984iO44dqKqe2ErmlHy8RomwPjx8S/ypP0f18k2pMIpFcqs3Dt7yR
	 A4Jps3Luw76TshC7dUvqAx+NI5mxh9VOuRWazt5hojgdAZzgGnndMfBupZvzKRySMdsivbs9D1Cq
	 FnZiUxWw3l7Y7K/6/CNkCXNEvCnZ0A61/vJgA7qWzuc7Gb3APpzykD9vra56vYFOXt4e+cxW7++P
	 0fbLz6UMpIIqXteD3zmQmS/Z1imL+iLD1ZJmEFMoh4Xh7wAWxADfm/97CT04b4dl36kmbvlb7JBk
	 UHBrJQJybSAc4UcmKW1w4XKuXSg74QVIDFkzGe0mnPjAeC094eyEe4bN3HpeUSWn7UuoeF9jIhz3
	 tllWPqjwai2/YthqSENucvB5YkbNtUDOj+ZqC8Xd1mi/cF93xu+hmSoUjnq6iMWTbWU4ng76ksNS
	 bqUGYN+0Z3F60abAewvxvodYr8yNq2/o6gYyCUTvKUyDxk4m5DtAffBk42tRJjnZUN62k1Yqi0gD
	 O6m5IpDtVjLyXsle19WwPVdfpNZjYmWTArdKh9t1vuyAg4OzCFKng+dkmVIVZUiTb9eJhsl6rV3S
	 orw6l8SW3OeT5Bzg4hwYifvMxrehPxciWxKz8K4KtGv+GB33hNJtai0f59fU+eEUFb4+0Ej09UJG
	 e1iFw0JzXiDNxzMnIM4HfUDROnQHBtgSNmsAigUNMuhSWIFnvr1cO6ANem0P7UAQ80R8kzLEElsR
	 H+473D5n+x82ixq09IL04Zj9sIE5LEvo6i7eQo6yY/XXDubSKV+rNxoh6AxD8yC37VT9ylz/p8iq
	 CVW+i1
X-QQ-XMRINFO: NyFYKkN4Ny6FuXrnB5Ye7Aabb3ujjtK+gg==
From: "driz2t@qq.com" <driz2t@qq.com>
To: stable <stable@vger.kernel.org>
CC: "syzbot+1dd53396e7124586dca9@syzkaller.appspotmail.com"
	<syzbot+1dd53396e7124586dca9@syzkaller.appspotmail.com>, joseph.qi
	<joseph.qi@linux.alibaba.com>, mark <mark@fasheh.com>, jlbec
	<jlbec@evilplan.org>, linux-kernel <linux-kernel@vger.kernel.org>
Subject: [PATCH 6.6.y] kernel BUG in ocfs2_remove_extent
Thread-Topic: [PATCH 6.6.y] kernel BUG in ocfs2_remove_extent
Thread-Index: AQHcv0E22BYwVZUP7U+He/0ovMIvoA==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Sun, 29 Mar 2026 06:09:02 +0000
X-OQ-MSGID: 
	<SG2PR02MB5841E2BB56938506FFBF0D33F255A@SG2PR02MB5841.apcprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator: 
X-MS-Exchange-Organization-RecordReviewCfmType: 0
msip_labels: 
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0

This is a backport for 6.6.y.

[ Upstream commit e1c70505ee8158c1108340d9cd67182ade93af4a ]

ocfs2: add extra consistency checks for chain allocator dinodes

When validating chain allocator dinode in 'ocfs2_validate_inode_block()',
add an extra checks whether a) the maximum amount of chain records in
'struct ocfs2_chain_list' matches the value calculated based on the
filesystem block size, and b) the next free slot index is within the valid
range.

Link: https://lkml.kernel.org/r/20251030153003.1934585-1-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3D77026564530dbc29b854
Reported-by: syzbot+5054473a31f78f735416@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3D5054473a31f78f735416
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Tested-by: syzbot+1dd53396e7124586dca9@syzkaller.appspotmail.com
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
=C2=A0fs/ocfs2/inode.c | 17 +++++++++++++++++
=C2=A01 file changed, 17 insertions(+)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index c561a8a6493e..7c99f436037b 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1419,6 +1419,23 @@ int ocfs2_validate_inode_block(struct super_block *s=
b,
=C2=A0=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=
=82=E2=80=82=E2=80=82=E2=80=82goto bail;
=C2=A0=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82}
=C2=A0
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82if (le32_to_cpu(di->i_flags) =
& OCFS2_CHAIN_FL) {
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82struct ocfs2_chain_list *cl =3D &di->id2.i_chain;
+
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82if (le16_to_cpu(cl->cl_count) !=3D ocfs2_chain_r=
ecs_per_inode(sb)) {
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82rc =3D ocfs2_error(sb, "Invalid dinode %llu: chain list count %u\n",
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=
=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82 (unsigned long long)bh->b_blocknr,
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=
=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82 le16_to_cpu(cl->cl_count));
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82goto bail;
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82}
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_=
cpu(cl->cl_count)) {
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82rc =3D ocfs2_error(sb, "Invalid dinode %llu: chain list index %u\n",
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=
=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82 (unsigned long long)bh->b_blocknr,
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=
=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82 le16_to_cpu(cl->cl_next_free_rec));
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=
=80=82goto bail;
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82=
=E2=80=82=E2=80=82=E2=80=82}
+=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82}
+
=C2=A0=E2=80=82=E2=80=82=E2=80=82=E2=80=82=E2=80=82rc =3D 0;
=C2=A0
=C2=A0bail:
--
2.43.0