[merged mm-nonmm-stable] ocfs2-check-el-l_next_free_rec-in-ocfs2_get_clusters_nocache.patch removed from -mm tree

Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> · Sun, 12 Jan 2025 20:24:19 -0800

The quilt patch titled
     Subject: ocfs2: check el->l_next_free_rec in ocfs2_get_clusters_nocache
has been removed from the -mm tree.  Its filename was
     ocfs2-check-el-l_next_free_rec-in-ocfs2_get_clusters_nocache.patch

This patch was dropped because it was merged into the mm-nonmm-stable branch
of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

------------------------------------------------------
From: Julian Sun <sunjunchao2870@xxxxxxxxx>
Subject: ocfs2: check el->l_next_free_rec in ocfs2_get_clusters_nocache
Date: Mon, 6 Jan 2025 10:34:31 +0800

Recently syzbot reported a use-after-free issue[1].

The root cause of the problem is that the journal inode recorded in this
file system image is corrupted.  The value of
"di->id2.i_list.l_next_free_rec" is 8193, which is greater than the value
of "di->id2.i_list.l_count" (19).

To solve this problem, an additional check should be added within
ocfs2_get_clusters_nocache().  If the check fails, an error will be
returned and the file system will be set to read-only.

[1]: https://lore.kernel.org/all/67577778.050a0220.a30f1.01bc.GAE@xxxxxxxxxx/T/

Link: https://lkml.kernel.org/r/20250106023432.1320904-1-sunjunchao2870@xxxxxxxxx
Signed-off-by: Julian Sun <sunjunchao2870@xxxxxxxxx>
Reported-by: syzbot+2313dda4dc4885c93578@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=2313dda4dc4885c93578
Tested-by: syzbot+2313dda4dc4885c93578@xxxxxxxxxxxxxxxxxxxxxxxxx
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
Cc: Changwei Ge <gechangwei@xxxxxxx>
Cc: Joel Becker <jlbec@xxxxxxxxxxxx>
Cc: Jun Piao <piaojun@xxxxxxxxxx>
Cc: Junxiao Bi <junxiao.bi@xxxxxxxxxx>
Cc: Mark Fasheh <mark@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/ocfs2/extent_map.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/fs/ocfs2/extent_map.c~ocfs2-check-el-l_next_free_rec-in-ocfs2_get_clusters_nocache
+++ a/fs/ocfs2/extent_map.c
@@ -435,6 +435,16 @@ static int ocfs2_get_clusters_nocache(st
 		}
 	}
 
+	if (le16_to_cpu(el->l_next_free_rec) > le16_to_cpu(el->l_count)) {
+		ocfs2_error(inode->i_sb,
+			    "Inode %lu has an invalid extent (next_free_rec %u, count %u)\n",
+			    inode->i_ino,
+			    le16_to_cpu(el->l_next_free_rec),
+			    le16_to_cpu(el->l_count));
+		ret = -EROFS;
+		goto out;
+	}
+
 	i = ocfs2_search_extent_list(el, v_cluster);
 	if (i == -1) {
 		/*
_

Patches currently in -mm which might be from sunjunchao2870@xxxxxxxxx are









