Re: [PATCH] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

Next message: Dmitry Baryshkov: "Re: [PATCH v2 5/7] arm64: dts: qcom: milos: Add WCN6755 WiFi node"
Previous message: Andrew Morton: "Re: [PATCH v2 2/2] selftests/mm: verify droppable mappings cannot be locked"
In reply to: Joseph Qi: "Re: [PATCH] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrew Morton

Date: Fri Apr 03 2026 - 15:32:01 EST

On Fri, 3 Apr 2026 14:38:30 +0800 Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:

> KASAN reports a use-after-free write of 4086 bytes in
> ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
> copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted
> on a loop device. The actual bug is an out-of-bounds write past the
> inode block buffer, not a true use-after-free. The write overflows into
> an adjacent freed page, which KASAN reports as UAF.
>
> The root cause is that ocfs2_try_to_write_inline_data trusts the
> on-disk id_count field to determine whether a write fits in inline
> data. On a corrupted filesystem, id_count can exceed the physical
> maximum inline data capacity, causing writes to overflow the inode
> block buffer.
>
> Call trace (crash path):
>
> vfs_copy_file_range (fs/read_write.c:1634)
> do_splice_direct
> splice_direct_to_actor
> iter_file_splice_write
> ocfs2_file_write_iter
> generic_perform_write
> ocfs2_write_end
> ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
> ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
> memcpy_from_folio <-- KASAN: write OOB
>
> So add id_count upper bound check in ocfs2_validate_inode_block() to
> alongside the existing i_size check to fix it.

AI review had a question:
https://sashiko.dev/#/patchset/20260403063830.3662739-1-joseph.qi@xxxxxxxxxxxxxxxxx