PT-2026-51933 · Linux · Linux
Published: 2026-06-24 · Updated: 2026-06-24
CVE-2026-53039
No severity ratings or metrics are available.
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: validate group add input before caching
[BUG]
OCFS2_IOC_GROUP_ADD can trigger a BUG_ON in
ocfs2_set_new_buffer_uptodate():
kernel BUG at fs/ocfs2/uptodate.c:509!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_set_new_buffer_uptodate+0x194/0x1e0 fs/ocfs2/uptodate.c:509
Code: ffffe88f 42b9fe4c 89e64889 dfe8b4df
Call Trace:
 ocfs2_group_add+0x3f1/0x1510 fs/ocfs2/resize.c:507
 ocfs2_ioctl+0x309/0x6e0 fs/ocfs2/ioctl.c:887
 vfs_ioctl fs/ioctl.c:51 [inline]
 do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7bbfb55a966d
[CAUSE]
ocfs2_group_add() calls ocfs2_set_new_buffer_uptodate() on a
user-controlled group block before ocfs2_verify_group_and_input()
validates that block number. That helper is only valid for newly
allocated metadata and asserts that the block is not already present in
the chosen metadata cache. The code also uses INODE_CACHE(inode) even
though the group descriptor belongs to main_bm_inode and later journal
accesses use that cache context instead.
[FIX]
Validate the on-disk group descriptor before caching it, then add it to
the metadata cache tracked by INODE_CACHE(main_bm_inode). Keep the
validation failure path separate from the later cleanup path so we only
remove the buffer from that cache after it has actually been inserted.
This keeps the group buffer lifetime consistent across validation,
journaling, and cleanup.
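The ordering described under [FIX], as a simplified user-space model added here; it is not the kernel patch or code from this page. All names (`meta_cache`, `volume`, `group_add`, the block-range rule in `validate_group`) are hypothetical, and the single `bm_cache` stands in for the cache tracked by INODE_CACHE(main_bm_inode).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

#define SLOTS 8
/* Toy metadata cache: the set of block numbers it currently tracks. */
struct meta_cache { uint64_t blk[SLOTS]; unsigned n; };
/* Hypothetical volume: blocks below first_new_blk already hold metadata. */
struct volume { struct meta_cache bm_cache; uint64_t first_new_blk, total_blks; };

/* Index of block b in the cache, or -1 when it is not tracked. */
static int cache_find(const struct meta_cache *c, uint64_t b) {
    for (unsigned i = 0; i < c->n; i++)
        if (c->blk[i] == b)
            return (int)i;
    return -1;
}

/* Only legal for a block not yet cached. The kernel helper asserts this
 * with BUG_ON(); the model returns -EEXIST so a caller can observe it. */
static int cache_insert_new(struct meta_cache *c, uint64_t b) {
    if (cache_find(c, b) >= 0 || c->n == SLOTS)
        return -EEXIST;
    c->blk[c->n++] = b;
    return 0;
}

static void cache_remove(struct meta_cache *c, uint64_t b) {
    int i = cache_find(c, b);
    if (i >= 0)
        c->blk[i] = c->blk[--c->n];
}

/* Constructed rule standing in for the real descriptor checks. */
static int validate_group(const struct volume *v, uint64_t b) {
    return (b >= v->first_new_blk && b < v->total_blks) ? 0 : -EINVAL;
}

/* Fixed ordering: validate, then cache, then undo only what was inserted. */
int group_add(struct volume *v, uint64_t blk, bool journal_fails) {
    int ret = validate_group(v, blk);
    if (!ret)                       /* on failure nothing is cached yet */
        ret = cache_insert_new(&v->bm_cache, blk);
    if (!ret && journal_fails) {    /* simulated failure after insertion */
        cache_remove(&v->bm_cache, blk);
        ret = -EIO;
    }
    return ret;
}
```

With an already-cached block number as input, validation rejects the request before the insert-only helper is reached, and the cleanup path runs only for a block this call inserted.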
Affected Products
Linux