Re: [syzbot] [ocfs2?] kernel BUG in ocfs2_write_cluster_by_desc
From: heming.zhao@xxxxxxxx
Date: Mon Sep 23 2024 - 04:16:11 EST
Regarding the mail thread: [PATCH 2/2] osfs2: Fix kernel BUG in ocfs2_write_cluster
Both ocfs2_search_chain and ocfs2_search_one_group call ocfs2_cluster_group_search to search for an extent cluster block. It seems that the ocfs2_cluster_group_search() sets wrong res->sr_bit_offset.
Just from the code logic, in ocfs2_block_group_find_clear_bits(), the ocfs2_find_next_zero_bit() returns ZERO which can trigger this bug. But in the real world, this function never return 0, because the 0-bit is always set to 1 for the cluster-group itself.
let's verify my thoughts.
#syz test
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index f7b483f0de2a..d4e563281c9e 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1346,13 +1346,17 @@ static int ocfs2_block_group_find_clear_bits(struct ocfs2_super *osb,
/* best_size will be allocated, we save prev_best_size */
res->sr_max_contig_bits = prev_best_size;
- if (best_size) {
- res->sr_bit_offset = best_offset;
- res->sr_bits = best_size;
- } else {
+ if (!best_size) {
status = -ENOSPC;
- /* No error log here -- see the comment above
- * ocfs2_test_bg_bit_allocatable */
+ } else {
+ if (best_size) {
+ res->sr_bit_offset = best_offset;
+ res->sr_bits = best_size;
+ } else {
+ status = -ENOSPC;
+ /* No error log here -- see the comment above
+ * ocfs2_test_bg_bit_allocatable */
+ }
}
return status;