Re: [syzbot] Re: KASAN: use-after-free Read in ocfs2_search_extent_list()

From: syzbot
Date: Tue Dec 10 2024 - 06:27:55 EST

Next message: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Previous message: Max Filippov: "Re: [PATCH] xtensa/simdisk: Use str_write_read() helper in simdisk_transfer()"
In reply to: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Next in thread: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: Re: KASAN: use-after-free Read in ocfs2_search_extent_list()
Author: dmantipov@xxxxxxxxx

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 7cb1b466315004af98f6ba6c2546bb713ca3c237

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 395e23920632..841135341898 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -770,6 +770,10 @@ int ocfs2_search_extent_list(struct ocfs2_extent_list *el, u32 v_cluster)
struct ocfs2_extent_rec *rec;
u32 rec_end, rec_start, clusters;

+ /* Do not search over an invalid extent list. */
+ if (le16_to_cpu(el->l_next_free_rec) >= le16_to_cpu(el->l_count))
+ return ret;
+
for(i = 0; i < le16_to_cpu(el->l_next_free_rec); i++) {
rec = &el->l_recs[i];

Next message: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Previous message: Max Filippov: "Re: [PATCH] xtensa/simdisk: Use str_write_read() helper in simdisk_transfer()"
In reply to: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Next in thread: syzbot: "Re: [syzbot] [ocfs2?] KASAN: use-after-free Read in ocfs2_search_extent_list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]