[lvc-project] [PATCH 0/3] ext2: harden balloc.c against corrupted block bitmap metadata
Denis Zubov
d.zubov at tssltd.ru
Tue May 12 15:22:12 MSK 2026
This series hardens fs/ext2/balloc.c against corrupted on-disk block
bitmap metadata, reachable from userspace via mkdir on a crafted (or
ext3-mounted-as-ext2) image.
Patches 1 and 2 each close a concrete reproducer:
1) WARN in ext2_get_group_desc() reached from ext2_free_blocks() via
the truncate path on inode eviction, when a corrupt on-disk block
pointer yields block_group >= sbi->s_groups_count.
2) KASAN use-after-free in ext2_try_to_allocate() when
read_block_bitmap() calls sb_getblk() on an out-of-range
bg_block_bitmap and the resulting buffer's bdev-cache page is
later reclaimed back to the buddy allocator.
Patch 3 is a small defensive follow-up: read_block_bitmap() must not
return a buffer that bh_read() left non-uptodate.
All three changes are in fs/ext2/balloc.c. No on-disk format change.
Tested on 6.12 with the original mkdir reproducer: both crashes
(patches 1 and 2) reliably disappear; patch 3 has no observable
effect on this reproducer and is included as hardening.
Denis Zubov (3):
ext2: reject out-of-range block_group in ext2_free_blocks()
ext2: validate bg_block_bitmap before sb_getblk() in read_block_bitmap()
ext2: refuse to return a non-uptodate bh from read_block_bitmap()
fs/ext2/balloc.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
--
2.53.0
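The two range checks the cover letter describes, as an added user-space C model that is not the series' own code: the block-to-group mapping bounded by s_groups_count (patch 1) and a bg_block_bitmap location check before the bitmap block is read (patch 2). The structs are simplified stand-ins for the kernel's, and the requirement that a group's bitmap block lie inside that group is an assumption of the model.

```c
/* Added example, not from the patch series: user-space model of the
 * checks described for fs/ext2/balloc.c. Field names mirror ext2
 * (s_first_data_block, s_blocks_per_group, s_groups_count, bg_block_bitmap)
 * but these structs are simplified stand-ins, not the kernel's. */
#include <stdint.h>
#include <stdbool.h>

struct sb_model {
    uint32_t s_first_data_block;  /* 1 for 1 KiB blocks, otherwise 0 */
    uint32_t s_blocks_per_group;
    uint32_t s_groups_count;      /* derived from the block count at mount */
};

struct gd_model {
    uint32_t bg_block_bitmap;     /* on-disk block holding the group's bitmap */
};

/* Patch 1 analogue: map a block number to its group and reject any group
 * at or beyond s_groups_count before the descriptor array is indexed.
 * Returns the group number, or -1 for a block that maps out of range. */
long block_to_group_checked(const struct sb_model *sb, uint32_t block)
{
    if (block < sb->s_first_data_block)
        return -1;
    uint32_t group = (block - sb->s_first_data_block) / sb->s_blocks_per_group;
    if (group >= sb->s_groups_count)
        return -1;
    return (long)group;
}

/* Patch 2 analogue: before reading the bitmap block, require bg_block_bitmap
 * to lie inside the group it describes (model assumption), so a corrupt
 * descriptor cannot steer the read to an arbitrary block number. */
bool bitmap_location_valid(const struct sb_model *sb, uint32_t group,
                           const struct gd_model *gd)
{
    if (group >= sb->s_groups_count)
        return false;
    uint64_t first = (uint64_t)sb->s_first_data_block +
                     (uint64_t)group * sb->s_blocks_per_group;
    uint64_t last = first + sb->s_blocks_per_group - 1;
    return gd->bg_block_bitmap >= first && gd->bg_block_bitmap <= last;
}
```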