[syzbot] [ocfs2?] UBSAN: array-index-out-of-bounds in ocfs2_block_group_fill
6 views
Skip to first unread message
syzbot
Oct 14, 2025, 10:12:29 PM (13 hours ago) Oct 14
to ak...@linux-foundation.org, dman...@yandex.ru, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 52ba76324a9d Add linux-next specific files for 20251013
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157d3b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99cb6b007a8889ef
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15039dcd980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ad9542580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1729256319ee/disk-52ba7632.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3152cfcba7c/vmlinux-52ba7632.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4065a3b3d959/bzImage-52ba7632.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d98ffa49f949/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1510f304580000)
The issue was bisected to:
commit aa545adbe491402cf1e664f6be0a799ed69d9946
Author: Dmitry Antipov <dman...@yandex.ru>
Date: Tue Oct 7 12:35:26 2025 +0000
ocfs2: annotate flexible array members with __counted_by_le()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11575542580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13575542580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15575542580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[] __counted_by(cl_count)' (aka 'struct ocfs2_chain_rec[]')
CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
ocfs2_block_group_fill+0x938/0xb30 fs/ocfs2/suballoc.c:380
ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:454 [inline]
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
ocfs2_reserve_suballoc_bits+0x117d/0x4680 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_expand_inline_dir fs/ocfs2/dir.c:2853 [inline]
ocfs2_extend_dir+0xc76/0x4870 fs/ocfs2/dir.c:3215
ocfs2_prepare_dir_for_insert+0x2fdf/0x54b0 fs/ocfs2/dir.c:4320
ocfs2_mknod+0x819/0x2050 fs/ocfs2/namei.c:297
ocfs2_mkdir+0x191/0x440 fs/ocfs2/namei.c:659
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0917d8d617
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff863b0218 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fff863b02a0 RCX: 00007f0917d8d617
RDX: 00000000000001ff RSI: 0000200000000680 RDI: 00000000ffffff9c
RBP: 0000200000000080 R08: 0000200000000140 R09: 0000000000000000
R10: 0000200000000080 R11: 0000000000000246 R12: 0000200000000680
R13: 00007fff863b0260 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 52ba76324a9d Add linux-next specific files for 20251013
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=157d3b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=99cb6b007a8889ef
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15039dcd980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ad9542580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1729256319ee/disk-52ba7632.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3152cfcba7c/vmlinux-52ba7632.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4065a3b3d959/bzImage-52ba7632.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/d98ffa49f949/mount_0.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1510f304580000)
The issue was bisected to:
commit aa545adbe491402cf1e664f6be0a799ed69d9946
Author: Dmitry Antipov <dman...@yandex.ru>
Date: Tue Oct 7 12:35:26 2025 +0000
ocfs2: annotate flexible array members with __counted_by_le()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=11575542580000
final oops: https://syzkaller.appspot.com/x/report.txt?x=13575542580000
console output: https://syzkaller.appspot.com/x/log.txt?x=15575542580000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
option from the mount to silence this warning.
=======================================================
JBD2: Ignoring recovery information on journal
ocfs2: Mounting device (7,0) on (node local, slot 0) with ordered data mode.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[] __counted_by(cl_count)' (aka 'struct ocfs2_chain_rec[]')
CPU: 0 UID: 0 PID: 6052 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
ocfs2_block_group_fill+0x938/0xb30 fs/ocfs2/suballoc.c:380
ocfs2_block_group_alloc_contig fs/ocfs2/suballoc.c:454 [inline]
ocfs2_block_group_alloc fs/ocfs2/suballoc.c:699 [inline]
ocfs2_reserve_suballoc_bits+0x117d/0x4680 fs/ocfs2/suballoc.c:834
ocfs2_reserve_new_metadata_blocks+0x403/0x940 fs/ocfs2/suballoc.c:984
ocfs2_expand_inline_dir fs/ocfs2/dir.c:2853 [inline]
ocfs2_extend_dir+0xc76/0x4870 fs/ocfs2/dir.c:3215
ocfs2_prepare_dir_for_insert+0x2fdf/0x54b0 fs/ocfs2/dir.c:4320
ocfs2_mknod+0x819/0x2050 fs/ocfs2/namei.c:297
ocfs2_mkdir+0x191/0x440 fs/ocfs2/namei.c:659
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0917d8d617
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff863b0218 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007fff863b02a0 RCX: 00007f0917d8d617
RDX: 00000000000001ff RSI: 0000200000000680 RDI: 00000000ffffff9c
RBP: 0000200000000080 R08: 0000200000000140 R09: 0000000000000000
R10: 0000200000000080 R11: 0000000000000246 R12: 0000200000000680
R13: 00007fff863b0260 R14: 0000000000000000 R15: 0000000000000000
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
12:46 AM (11 hours ago) 12:46 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to ensure my_chain index is within bounds before
accessing cl->cl_recs[] array. Without this check, a corrupted
filesystem with cl_count set to 0 can trigger an out-of-bounds
array access, detected by UBSAN.
The issue was exposed by commit aa545adbe491 ("ocfs2: annotate
flexible array members with __counted_by_le()"), which added
the __counted_by_le() annotation to cl_recs[], allowing UBSAN
to detect the out-of-bounds access.
UBSAN report:
The fix adds an explicit bounds check at the start of
ocfs2_block_group_fill() to validate my_chain is less than
cl->cl_count before accessing the array, preventing the
out-of-bounds access and properly handling corrupted
filesystems.
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..dd58cc0f9838 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -353,6 +353,14 @@ static int ocfs2_block_group_fill(handle_t *handle,
struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
struct super_block * sb = alloc_inode->i_sb;
+
+ /* Validate chain index before accessing cl_recs array */
+ if (my_chain >= le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "chain index %u out of range (count=%u)\n",
+ my_chain, le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
if (((unsigned long long) bg_bh->b_blocknr) != group_blkno) {
status = ocfs2_error(alloc_inode->i_sb,
--
2.43.0
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: add validation for chain index in ocfs2_block_group_fill
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to ensure my_chain index is within bounds before
accessing cl->cl_recs[] array. Without this check, a corrupted
filesystem with cl_count set to 0 can trigger an out-of-bounds
array access, detected by UBSAN.
The issue was exposed by commit aa545adbe491 ("ocfs2: annotate
flexible array members with __counted_by_le()"), which added
the __counted_by_le() annotation to cl_recs[], allowing UBSAN
to detect the out-of-bounds access.
UBSAN report:
UBSAN: array-index-out-of-bounds in fs/ocfs2/suballoc.c:380:22
index 0 is out of range for type 'struct ocfs2_chain_rec[]'
The fix adds an explicit bounds check at the start of
ocfs2_block_group_fill() to validate my_chain is less than
cl->cl_count before accessing the array, preventing the
out-of-bounds access and properly handling corrupted
filesystems.
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..dd58cc0f9838 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -353,6 +353,14 @@ static int ocfs2_block_group_fill(handle_t *handle,
struct ocfs2_super *osb = OCFS2_SB(alloc_inode->i_sb);
struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
struct super_block * sb = alloc_inode->i_sb;
+
+ /* Validate chain index before accessing cl_recs array */
+ if (my_chain >= le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "chain index %u out of range (count=%u)\n",
+ my_chain, le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
if (((unsigned long long) bg_bh->b_blocknr) != group_blkno) {
status = ocfs2_error(alloc_inode->i_sb,
--
2.43.0
syzbot
1:15 AM (10 hours ago) 1:15 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11fc7b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11fc7b34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=167985e2580000
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: testing is done by a robot and is best-effort only.
syzbot
1:28 AM (10 hours ago) 1:28 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 13863a59e410cab46d26751941980dc8f088b9b3
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: dman...@yandex.ru
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 13863a59e410cab46d26751941980dc8f088b9b3
syzbot
2:21 AM (9 hours ago) 2:21 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
console output: https://syzkaller.appspot.com/x/log.txt?x=151d85e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1304d542580000
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syzbot
2:45 AM (9 hours ago) 2:45 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Subject: [PATCH] ocfs2: validate chain list count before use in ocfs2_reserve_suballoc_bits
linux-...@vger.kernel.org, syzkall...@googlegroups.com.
***
Author: karti...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
Add validation to check if the chain list count (cl_count) is zero
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
before using the chain list in ocfs2_reserve_suballoc_bits(). When
cl_count is zero, the cl_recs array is empty, but the code attempts
to access cl_recs[0] in subsequent operations, leading to an
out-of-bounds array access.
The issue was discovered by syzbot using a corrupted filesystem image
where cl_count was set to 0. This triggers a UBSAN array-index-out-of-
bounds error when ocfs2_block_group_fill() attempts to access the
first chain record.
By adding this validation early in ocfs2_reserve_suballoc_bits(), we
catch the corruption before any allocation operations begin. The
filesystem will fail to mount with a clear error message directing
users to run fsck.ocfs2.
This follows the existing pattern in the function where similar
validation checks (like OCFS2_CHAIN_FL) are performed on the
allocator inode before use.
Link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Reported-by:syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
---
---
fs/ocfs2/suballoc.c | 8 ++++++++
1 file changed, 8 insertions(+)
fs/ocfs2/suballoc.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..57ec07f9751a 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -778,6 +778,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_dinode *fe;
u32 free_bits;
+ struct ocfs2_chain_list *cl;
alloc_inode = ocfs2_get_system_file_inode(osb, type, slot);
if (!alloc_inode) {
@@ -800,7 +801,14 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
ac->ac_alloc_slot = slot;
fe = (struct ocfs2_dinode *) bh->b_data;
-
+ cl = &fe->id2.i_chain;
+ /* Validate chain list before use */
+ if (le16_to_cpu(cl->cl_count) == 0) {
+ status = ocfs2_error(alloc_inode->i_sb,
+ "Chain allocator %llu has invalid chain list (cl_count=0)\n",
+ (unsigned long long)le64_to_cpu(fe->i_blkno));
+ goto bail;
+ }
/* The bh was validated by the inode read inside
* ocfs2_inode_lock(). Any corruption is a code bug. */
BUG_ON(!OCFS2_IS_VALID_DINODE(fe));
--
2.43.0
syzbot
3:12 AM (8 hours ago) 3:12 AM
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
git tree: linux-next
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+770265...@syzkaller.appspotmail.com
Tested-by: syzbot+770265...@syzkaller.appspotmail.com
Tested on:
commit: 13863a59 Add linux-next specific files for 20251014
console output: https://syzkaller.appspot.com/x/log.txt?x=1590ac58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=76790fe131481879
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=179a7b34580000
dashboard link: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Reply all
Reply to author
Forward
0 new messages