Re: [PATCH v3] ocfs2: validate i_refcount_loc when refcount flag is set
From: Joseph Qi
Date: Fri Dec 12 2025 - 02:13:43 EST
On 2025/12/12 13:58, Deepanshu Kartikey wrote:
> Add validation in ocfs2_validate_inode_block() to check that if an
> inode has OCFS2_HAS_REFCOUNT_FL set, it must also have a valid
> i_refcount_loc. A corrupted filesystem image can have this inconsistent
> state, which later triggers a BUG_ON in ocfs2_remove_refcount_tree()
> when the inode is being wiped during unlink.
>
> Catch this corruption early during inode validation to fail gracefully
> instead of crashing the kernel.
>
> Reported-by: syzbot+6d832e79d3efe1c46743@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=6d832e79d3efe1c46743
> Tested-by: syzbot+6d832e79d3efe1c46743@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/all/20251208084407.3021466-1-kartikey406@xxxxxxxxx/T/ [v1]
> Link: https://lore.kernel.org/all/20251212045646.9988-1-kartikey406@xxxxxxxxx/T/ [v2]
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
> ---
> v3: Use le16_to_cpu() for consistency with other checks (Joseph Qi)
> v2: Shortened error message to fix line length (Heming Zhao)
> ---
> fs/ocfs2/inode.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
> index 78f81950c9ee..1019ca80760c 100644
> --- a/fs/ocfs2/inode.c
> +++ b/fs/ocfs2/inode.c
> @@ -1484,6 +1484,13 @@ int ocfs2_validate_inode_block(struct super_block *sb,
> goto bail;
> }
>
> + if ((le16_to_cpu(di->i_dyn_features) & OCFS2_HAS_REFCOUNT_FL) &&
> + !di->i_refcount_loc) {
> + rc = ocfs2_error(sb, "Inode #%llu has refcount flag but no i_refcount_loc\n",
> + (unsigned long long)bh->b_blocknr);
> + goto bail;
> + }
> +
> rc = 0;
>
> bail:
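Review bot: the new check only rejects a zero i_refcount_loc; a corrupted image can just as easily carry a nonzero block number that lies outside the volume, and that inconsistent state still passes ocfs2_validate_inode_block() with this hunk, so either bound the value against the filesystem's block range here as well, or make the commit message say explicitly that the zero-location case is the one being caught. The bare `!di->i_refcount_loc` test is correct as written, since zero is the same in every byte order, but given that v3 switched the i_dyn_features read to le16_to_cpu() for consistency with the neighbouring checks, `!le64_to_cpu(di->i_refcount_loc)` would keep the two halves of the condition in the same style.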