kernel BUG in __ocfs2_flush_truncate_log
From: yes PANG
Date: Fri Aug 08 2025 - 00:03:14 EST
Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **kernel BUG in __ocfs2_flush_truncate_log**, discovered using a modified version of Syzkaller.
Following my previous bug report, here is a structured analysis from our fault localization tool "CoHIKER". It may be helpful for your fixes and patches.
**root cause analysis**
Core Fault:
Invalid truncate log state handling during OCFS2 filesystem sync operations, specifically in the truncate log flush path (fs/ocfs2/alloc.c).
Trigger Conditions:
Mounting OCFS2 with specific vulnerable configuration:
Mount flags = 0x0
Quota command = 0x80000800
Memory protection = 0x1
Subsequent file operations
Truncate log flush during sync/unmount
Failure Mechanism:
The combination of these configurations creates inconsistent truncate log states that aren't properly handled during flush operations,
leading to a kernel BUG when the system attempts to synchronize filesystem metadata.
Evidence from Mutations:
Successful mutations all modified operational parameters:
Changing quota command (0x80000800→0x80000801)
Adjusting memory protection (0x1→0x4)
Modifying mount flags (0x0→0x1)
Failed mutation (mount flags 0x0→0x3) confirmed the bug is configuration-sensitive
Impact Scope:
Subsystem: OCFS2 filesystem implementation
Component: Truncate log management subsystem
Phase: Sync operations (particularly metadata flush)
Root Cause Conclusion:
The bug manifests due to insufficient validation of truncate log state transitions when OCFS2 is configured with specific non-default parameters,
combined with particular sequences of filesystem operations. The invalid state isn't detected until sync phase, causing a fatal kernel error during metadata flushing.
**result of file and method level fault localization**
Top-10 of the buggy file:
1. fs/ocfs2/alloc.c
2. fs/ocfs2/journal.c
3. fs/ocfs2/dlmglue.c
4. fs/ocfs2/super.c
5. fs/ocfs2/alloc.h
6. fs/ocfs2/ocfs2_fs.h
7. fs/ocfs2/file.c
8. fs/ocfs2/inode.c
9. fs/ocfs2/aops.c
10. fs/ocfs2/dlm/dlmcommon.h
Top-10 of the buggy method:
1. __ocfs2_flush_truncate_log
2. ocfs2_flush_truncate_log
3. ocfs2_free_cached_clusters
4. ocfs2_run_deallocs
5. ocfs2_cache_cluster_dealloc
6. ocfs2_cache_block_dealloc
7. ocfs2_commit_truncate
8. ocfs2_free_cached_blocks
9. ocfs2_truncate_log_append
10. ocfs2_remove_extent
Attached:
complete output of fault localization
File-level output:
{
"thought_process": {
"step1": {
"bug_location": "fs/ocfs2/alloc.c line 6019 in __ocfs2_flush_truncate_log()",
"bug_type": "Kernel BUG (invalid opcode) suggesting filesystem metadata corruption during truncate log operations",
"module": "OCFS2 filesystem",
"trigger_operation": "Truncate log flushing during filesystem sync/unmount"
},
"step2": {
"test_program_analysis": {
"syscalls": [
"quotactl$Q_SETQUOTA: Sets disk quota parameters",
"pkey_mprotect: Modifies memory protections",
"syz_mount_image$ocfs2: Mounts OCFS2 filesystem",
"openat+write: Performs file operations"
],
"test_focus": "OCFS2 filesystem behavior during quota setup and file operations"
}
},
"step3": {
"successful_mutations": [
{
"mutation": "quotactl cmd changed from 0x80000800 to 0x80000801",
"effect": "Alters quota management behavior, preventing corrupt state"
},
{
"mutation": "pkey_mprotect prot changed from 0x1 to 0x4",
"effect": "Changes memory protection flags affecting filesystem operations"
},
{
"mutation": "syz_mount_image flags changed from 0x0 to 0x1",
"effect": "Modifies filesystem mount options preventing the bug"
}
]
},
"step4": {
"failed_mutation": {
"mutation": "syz_mount_image flags changed from 0x0 to 0x3",
"analysis": "Certain mount flag combinations still trigger the bug"
}
},
"step5": {
"defect_characteristics": [
"OCFS2-specific truncate log handling issue",
"Triggered during filesystem sync/unmount path",
"Sensitive to mount options and quota settings",
"Related to metadata management"
]
},
"step6": {
"file_classification": {
"core_ocfs2": [
"fs/ocfs2/alloc.c",
"fs/ocfs2/super.c",
"fs/ocfs2/journal.c"
],
"metadata_handling": [
"fs/ocfs2/alloc.h",
"fs/ocfs2/ocfs2_fs.h",
"fs/ocfs2/dlmglue.c"
],
"filesystem_ops": [
"fs/ocfs2/file.c",
"fs/ocfs2/inode.c",
"fs/ocfs2/aops.c"
],
"cluster_management": [
"fs/ocfs2/dlm/dlmcommon.h",
"fs/ocfs2/cluster/nodemanager.h"
]
}
},
"step7": {
"fault_file_characteristics": [
"Handles truncate log operations",
"Manages filesystem metadata",
"Interacts with mount options",
"Contains OCFS2-specific allocation logic"
]
}
},
"standard_output": [
"fs/ocfs2/alloc.c",
"fs/ocfs2/journal.c",
"fs/ocfs2/dlmglue.c",
"fs/ocfs2/super.c",
"fs/ocfs2/alloc.h",
"fs/ocfs2/ocfs2_fs.h",
"fs/ocfs2/file.c",
"fs/ocfs2/inode.c",
"fs/ocfs2/aops.c",
"fs/ocfs2/dlm/dlmcommon.h"
]
}
Method-level output:
{
"thought_process": {
"step_1": {
"description": "Bug Understanding",
"details": "The bug occurs in __ocfs2_flush_truncate_log at fs/ocfs2/alloc.c:6019, indicating a kernel BUG during truncate log flushing. The crash happens during filesystem sync operations (ocfs2_sync_fs → ocfs2_flush_truncate_log → __ocfs2_flush_truncate_log). This is clearly in the OCFS2 filesystem subsystem, specifically in space management during cleanup operations."
},
"step_2": {
"description": "Program Intention",
"details": "The test program performs: 1) quota setup, 2) memory protection, 3) OCFS2 mount, 4) file creation/write. The crash occurs during sync operations after writing, suggesting the bug relates to post-write cleanup and space management."
},
"step_3": {
"description": "Successful Mutation Analysis",
"details": "No successful mutations provided, but the crash context suggests the bug manifests during truncate log flushing after file operations."
},
"step_4": {
"description": "Failed Mutation Analysis",
"details": "No specific failed mutations provided, but the consistent crash point indicates the issue is reliably triggered during truncate log operations."
},
"step_5": {
"description": "Defect Pattern and Lifecycle Inference",
"details": "The bug occurs during cleanup phase (truncate log flushing), suggesting either: 1) incorrect state during log creation/accumulation, 2) improper handling during log flush, or 3) race between log operations and other filesystem activities."
},
"step_6": {
"description": "Function Classification and Mapping",
"details": "Focusing on functions related to truncate log management and extent operations in alloc.c, particularly those involved in cleanup phases. The crash function (__ocfs2_flush_truncate_log) and its caller (ocfs2_flush_truncate_log) are primary suspects, but upstream functions managing the log state may also be involved."
},
"step_7": {
"description": "Suspicion Inference",
"details": "Top suspects are functions directly involved in truncate log management and extent cleanup. Functions that modify the truncate log state before flushing are also highly relevant, even if not in the crash trace. Journaling functions are less likely suspects as the crash occurs during space management rather than transaction handling."
},
"step_8": {
"description": "Final Output",
"details": "Ranked list prioritizes: 1) Functions directly involved in the crash, 2) Their immediate callers, 3) Functions that manage truncate log state, 4) Functions handling extent cleanup that might affect the log contents."
}
},
"standard_output": [
"__ocfs2_flush_truncate_log",
"ocfs2_flush_truncate_log",
"ocfs2_free_cached_clusters",
"ocfs2_run_deallocs",
"ocfs2_cache_cluster_dealloc",
"ocfs2_cache_block_dealloc",
"ocfs2_commit_truncate",
"ocfs2_free_cached_blocks",
"ocfs2_truncate_log_append",
"ocfs2_remove_extent"
]
}
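The argument values quoted in the trigger conditions and in the mutation list above (quota command 0x80000800/0x80000801, memory protection 0x1/0x4, mount flags 0x0/0x1/0x3) are the raw integers as syzkaller emits them. The C program below is an added example, not part of the report or of the CoHIKER output; it decodes those values using the QCMD() packing from glibc's <sys/quota.h> (subcommand << 8 | quota type) and the PROT_* and MS_* constants from <sys/mman.h> and <sys/mount.h>. The helper names decode_quotactl_cmd, describe_bits, describe_prot and describe_mount_flags are this example's own.

```c
/*
 * Added example (not from the report or the CoHIKER tool): decode the raw
 * syscall argument values quoted in the bug report. Only the QCMD()
 * encoding and the flag constants from the glibc headers are used.
 */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/quota.h>

#ifndef SUBCMDSHIFT
#define SUBCMDSHIFT 8          /* QCMD(cmd, type) = (cmd << 8) | (type & 0xff) */
#define SUBCMDMASK  0x00ff
#endif

struct flag_name {
    unsigned long bit;
    const char *name;
};

struct quota_cmd {
    unsigned int subcmd;       /* Q_* value, i.e. cmd >> SUBCMDSHIFT */
    unsigned int type;         /* 0 = USRQUOTA, 1 = GRPQUOTA, 2 = PRJQUOTA */
    const char *subcmd_name;
    const char *type_name;
};

/* Inverse of QCMD(): split a quotactl(2) cmd word into subcommand and type. */
struct quota_cmd decode_quotactl_cmd(unsigned int cmd)
{
    static const struct flag_name subcmds[] = {
        { Q_SYNC, "Q_SYNC" },         { Q_QUOTAON, "Q_QUOTAON" },
        { Q_QUOTAOFF, "Q_QUOTAOFF" }, { Q_GETFMT, "Q_GETFMT" },
        { Q_GETINFO, "Q_GETINFO" },   { Q_SETINFO, "Q_SETINFO" },
        { Q_GETQUOTA, "Q_GETQUOTA" }, { Q_SETQUOTA, "Q_SETQUOTA" },
    };
    static const char *const types[] = { "USRQUOTA", "GRPQUOTA", "PRJQUOTA" };
    struct quota_cmd q;
    size_t i;

    q.subcmd = cmd >> SUBCMDSHIFT;
    q.type = cmd & SUBCMDMASK;
    q.subcmd_name = "UNKNOWN";
    q.type_name = q.type < 3 ? types[q.type] : "UNKNOWN";
    for (i = 0; i < sizeof subcmds / sizeof subcmds[0]; i++)
        if (subcmds[i].bit == q.subcmd)
            q.subcmd_name = subcmds[i].name;
    return q;
}

/*
 * Render a bitmask as "A|B|C" from the table. Unknown bits are kept as hex
 * so nothing is silently dropped. Returns the number of named bits found.
 */
int describe_bits(unsigned long v, const struct flag_name *tab, size_t ntab,
                  char *out, size_t outlen)
{
    unsigned long left = v;
    int named = 0;
    size_t i;

    out[0] = '\0';
    for (i = 0; i < ntab; i++) {
        if (left & tab[i].bit) {
            if (out[0])
                strncat(out, "|", outlen - strlen(out) - 1);
            strncat(out, tab[i].name, outlen - strlen(out) - 1);
            left &= ~tab[i].bit;
            named++;
        }
    }
    if (left) {
        char hex[32];
        snprintf(hex, sizeof hex, "%s0x%lx", out[0] ? "|" : "", left);
        strncat(out, hex, outlen - strlen(out) - 1);
    }
    if (!out[0])
        strncat(out, "0", outlen - 1);
    return named;
}

int describe_prot(int prot, char *out, size_t outlen)
{
    static const struct flag_name tab[] = {
        { PROT_READ, "PROT_READ" }, { PROT_WRITE, "PROT_WRITE" },
        { PROT_EXEC, "PROT_EXEC" },
    };
    return describe_bits((unsigned long)prot, tab, 3, out, outlen);
}

int describe_mount_flags(unsigned long flags, char *out, size_t outlen)
{
    static const struct flag_name tab[] = {
        { MS_RDONLY, "MS_RDONLY" }, { MS_NOSUID, "MS_NOSUID" },
        { MS_NODEV, "MS_NODEV" },   { MS_NOEXEC, "MS_NOEXEC" },
        { MS_SYNCHRONOUS, "MS_SYNCHRONOUS" }, { MS_REMOUNT, "MS_REMOUNT" },
    };
    return describe_bits(flags, tab, 6, out, outlen);
}

int main(void)
{
    /* Original and mutated argument values, copied from the report. */
    const unsigned int quota_cmds[] = { 0x80000800, 0x80000801 };
    const int prots[] = { 0x1, 0x4 };
    const unsigned long mnt[] = { 0x0, 0x1, 0x3 };
    char buf[128];
    size_t i;

    for (i = 0; i < 2; i++) {
        struct quota_cmd q = decode_quotactl_cmd(quota_cmds[i]);
        printf("quotactl cmd 0x%08x = QCMD(%s, %s)\n",
               quota_cmds[i], q.subcmd_name, q.type_name);
    }
    for (i = 0; i < 2; i++) {
        describe_prot(prots[i], buf, sizeof buf);
        printf("pkey_mprotect prot 0x%x = %s\n", prots[i], buf);
    }
    for (i = 0; i < 3; i++) {
        describe_mount_flags(mnt[i], buf, sizeof buf);
        printf("mount flags 0x%lx = %s\n", mnt[i], buf);
    }
    return 0;
}
```

Decoded, the three successful mutations change QCMD(Q_SETQUOTA, USRQUOTA) to QCMD(Q_SETQUOTA, GRPQUOTA), PROT_READ to PROT_EXEC, and a read-write mount (flags 0) to MS_RDONLY; the failed mutation mounts with MS_RDONLY|MS_NOSUID. Reading the values this way makes it easier to map the fuzzer's program onto the syscall semantics when reproducing the report by hand.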