Commit aa5b6a72 authored by Dmitry Antipov, committed by Andrew Morton

ocfs2: add directory size check to ocfs2_find_dir_space_id()

Fix a null-pointer-deref which was detected by UBSAN:

KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 UID: 0 PID: 5317 Comm: syz-executor310 Not tainted 6.15.0-syzkaller-12141-gec7714e49479 #0 PREEMPT(full) 

In 'ocfs2_find_dir_space_id()', add extra check whether the directory data
block is large enough to hold at least one directory entry, and raise
'ocfs2_error()' if the former is unexpectedly small.

Link: https://lkml.kernel.org/r/20251013103709.146001-1-dmantipov@yandex.ru


Reported-by: <syzbot+ded9116588a7b73c34bc@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ded9116588a7b73c34bc


Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Cc: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
parent 37ade54f
+8 −0
@@ -3431,6 +3431,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
		offset += le16_to_cpu(de->rec_len);
	}

	if (!last_de) {
		ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
				  "is unexpectedly short",
				  (unsigned long long)OCFS2_I(dir)->ip_blkno,
				  i_size_read(dir));
		goto out;
	}

	/*
	 * We're going to require expansion of the directory - figure
	 * out how many blocks we'll need so that a place for the
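
Review bot: The message in the new `if (!last_de)` branch calls the object a "Directory entry", but the values it prints are the directory's own block number (`OCFS2_I(dir)->ip_blkno`) and size (`i_size_read(dir)`), so it reads as if a single entry were short when it is the directory data that is too small to hold one. Wording such as "Directory #%llu (size=%lld) is unexpectedly short" would match what is printed. The format string is also split across two source lines, which makes the message hard to grep for in the tree; keeping it on one line is preferable even if the line runs long. A one-line comment above the check stating when `last_de` can still be NULL after the loop would help the next reader, since the reason is given only in the commit message.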