kernel BUG in ocfs2_truncate_log_append
From: Liebes Wang
Date: Fri Jan 03 2025 - 01:56:35 EST
Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **kernel BUG in ocfs2_truncate_log_append**, discovered using a modified version of Syzkaller.
Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (crash is also reproduced in the latest kernel version)
The test case and kernel config are attached.
The KASAN report is as follows (the full report is attached):
(syz.1.314,6679,0):ocfs2_truncate_log_append:5868 ERROR: bug _expression_: tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || tl_count == 0
(syz.1.314,6679,0):ocfs2_truncate_log_append:5868 ERROR: Truncate record count on #29 invalid wanted 39, actual 58716
------------[ cut here ]------------
kernel BUG at fs/ocfs2/alloc.c:5868!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6679 Comm: syz.1.314 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:ocfs2_truncate_log_append+0x8a8/0x990 fs/ocfs2/alloc.c:5868
Code: 00 00 00 4d 8b 85 88 f7 ff ff 55 41 89 d9 48 c7 c1 20 d5 4b 86 ba ec 16 00 00 48 c7 c6 20 e5 4b 86 4c 89 e7 e8 b9 32 1e 00 90 <0f> 0b e8 81 9b 0a ff e9 e5 f7 ff ff e8 77 9b 0a ff e9 04 f8 ff ff
RSP: 0018:ff110001197bf658 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000027 RCX: ffa00000032b2000
RDX: 0000000000040000 RSI: ffffffff82b7bd73 RDI: 0000000000000001
RBP: 000000000000e55c R08: 0000000000000001 R09: ffe21c0099505141
R10: 000000000000e55c R11: 0000000000000000 R12: ff110001197bf6c8
R13: ff1100016caab338 R14: 1000000000000000 R15: ff1100016cb26bc8
FS: 00007efd6bc59700(0000) GS:ff110004ca800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8e27fb2020 CR3: 000000014ad04006 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
ocfs2_remove_btree_range+0xd3d/0x1710 fs/ocfs2/alloc.c:5789
ocfs2_commit_truncate+0x6da/0x1b30 fs/ocfs2/alloc.c:7353
ocfs2_truncate_file+0x47d/0x17d0 fs/ocfs2/file.c:509
ocfs2_setattr+0x140c/0x2320 fs/ocfs2/file.c:1212
notify_change+0x6d3/0x1270 fs/attr.c:503
do_truncate+0x143/0x200 fs/open.c:65
do_ftruncate+0x5d3/0x720 fs/open.c:181
do_sys_ftruncate+0x69/0xc0 fs/open.c:199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Attachments: report0, repro.c, config