PT-2026-51934 · Linux · Linux
Published
2026-06-24
·
Updated
2026-06-24
·
CVE-2026-53040
None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: validate bg_bits during freefrag scan
[BUG]
A crafted filesystem can trigger an out-of-bounds bitmap walk when
OCFS2_IOC_INFO is issued with OCFS2_INFO_FL_NON_COHERENT.
BUG: KASAN: use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: use-after-free in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
BUG: KASAN: use-after-free in test_bit_le include/asm-generic/bitops/le.h:21 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
BUG: KASAN: use-after-free in ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
BUG: KASAN: use-after-free in ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
Read of size 8 at addr ffff888031bce000 by task syz.0.636/1435
Call Trace:
dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xbe/0x130 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xd1/0x650 mm/kasan/report.c:482
kasan_report+0xfb/0x140 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:186 [inline]
kasan_check_range+0x11c/0x200 mm/kasan/generic.c:200
__kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
instrument_atomic_read include/linux/instrumented.h:68 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
test_bit_le include/asm-generic/bitops/le.h:21 [inline]
ocfs2_info_freefrag_scan_chain fs/ocfs2/ioctl.c:495 [inline]
ocfs2_info_freefrag_scan_bitmap fs/ocfs2/ioctl.c:588 [inline]
ocfs2_info_handle_freefrag fs/ocfs2/ioctl.c:662 [inline]
ocfs2_info_handle_request+0x1c66/0x3370 fs/ocfs2/ioctl.c:754
ocfs2_info_handle+0x18d/0x2a0 fs/ocfs2/ioctl.c:828
ocfs2_ioctl+0x632/0x6e0 fs/ocfs2/ioctl.c:913
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
...
[CAUSE]
ocfs2_info_freefrag_scan_chain() uses on-disk bg_bits directly as the
bitmap scan limit. The coherent path reads group descriptors through
ocfs2_read_group_descriptor(), which validates the descriptor before
use. The non-coherent path uses ocfs2_read_blocks_sync() instead and
skips that validation, so an impossible bg_bits value can drive the
bitmap walk past the end of the block.
[FIX]
Compute the bitmap capacity from the filesystem format with
ocfs2_group_bitmap_size(), report descriptors whose bg_bits exceeds
that limit, and clamp the scan to the computed capacity. This keeps the
freefrag report going while avoiding reads beyond the buffer.
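The [CAUSE] and [FIX] sections above describe a classic trust-the-header bug: a length field read from an untrusted on-disk structure is used as a loop bound over a fixed-size buffer. The user-space C model below is an added example written for this page, not the kernel's ocfs2 code. It assumes a simplified descriptor block (a 64-byte header followed by a bitmap filling the rest of a 4096-byte block); the real struct ocfs2_group_desc layout and the real ocfs2_group_bitmap_size() are more involved. scan_limit_unchecked() stands in for the pre-fix non-coherent path that trusts bg_bits, and scan_limit_checked() for the fix that derives the capacity from the geometry, flags a bogus descriptor, and clamps. The scan helper refuses to overrun rather than reproducing the kernel's out-of-bounds read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified layout for illustration only: one group descriptor
 * block is a fixed-size header followed by the allocation bitmap that
 * fills the rest of the block. */
#define GD_HEADER_BYTES 64u

/* Bitmap capacity the format actually allows for one descriptor block,
 * derived from the block size alone. This mirrors the idea behind
 * ocfs2_group_bitmap_size(): take the limit from filesystem geometry,
 * never from the descriptor's own bg_bits field. */
static uint32_t group_bitmap_capacity_bits(uint32_t block_size)
{
    return (block_size - GD_HEADER_BYTES) * 8u;
}

/* Pre-fix behaviour on the non-coherent path: the bg_bits value read from
 * disk becomes the scan limit without any validation. */
static uint32_t scan_limit_unchecked(uint32_t bg_bits)
{
    return bg_bits;
}

/* Post-fix behaviour: compare bg_bits against the computed capacity,
 * report the descriptor as corrupt when it claims more, and clamp the
 * scan limit to what the block can actually hold. */
static uint32_t scan_limit_checked(uint32_t block_size, uint32_t bg_bits,
                                   int *corrupt)
{
    uint32_t cap = group_bitmap_capacity_bits(block_size);

    *corrupt = bg_bits > cap;
    return *corrupt ? cap : bg_bits;
}

/* Little-endian bit test, same semantics as the kernel's test_bit_le(). */
static int test_bit_le(const uint8_t *bitmap, uint32_t bit)
{
    return (bitmap[bit / 8u] >> (bit % 8u)) & 1u;
}

/* Count clear (free) bits in [0, limit). The kernel's chain scan trusts
 * its limit blindly; here bitmap_len lets us refuse an overrun (return -1)
 * instead of performing it, so the demonstration stays memory-safe. */
static int64_t count_free_bits(const uint8_t *bitmap, size_t bitmap_len,
                               uint32_t limit)
{
    uint32_t free_bits = 0;

    if ((uint64_t)limit > (uint64_t)bitmap_len * 8u)
        return -1; /* would read past the end of the block */
    for (uint32_t i = 0; i < limit; i++)
        if (!test_bit_le(bitmap, i))
            free_bits++;
    return free_bits;
}

int main(void)
{
    enum { BLOCK_SIZE = 4096 };
    /* Constructed sample block: first 10 bitmap bits used, the rest free. */
    uint8_t block[BLOCK_SIZE];
    uint8_t *bitmap = block + GD_HEADER_BYTES;
    size_t bitmap_len = BLOCK_SIZE - GD_HEADER_BYTES;
    uint32_t crafted_bg_bits = 0xFFFFFFFFu; /* impossible value from a crafted image */
    int corrupt = 0;
    int64_t r;

    memset(block, 0, sizeof block);
    bitmap[0] = 0xFF;
    bitmap[1] = 0x03;

    r = count_free_bits(bitmap, bitmap_len, scan_limit_unchecked(crafted_bg_bits));
    printf("unchecked: %s\n", r < 0 ? "would read past the block" : "ok");

    uint32_t lim = scan_limit_checked(BLOCK_SIZE, crafted_bg_bits, &corrupt);
    r = count_free_bits(bitmap, bitmap_len, lim);
    printf("checked: corrupt=%d limit=%u free=%lld\n", corrupt, lim, (long long)r);
    return 0;
}
```

The point to carry over to other parsers of on-disk or on-wire structures: a count field in a header is a claim, not a fact. Validate it against an upper bound you compute from something you already trust (block size, buffer length, format constants), and make sure every read path shares that validation; the bug here survived because only one of two read paths performed it.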
Related identifiers
Affected products
Linux