CVE-2026-31596

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/04/2026
Last modified: 29/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: handle invalid dinode in ocfs2_group_extend

[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
...
ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...

[CAUSE]
ocfs2_group_extend() assumes that the global bitmap inode block
returned from ocfs2_inode_lock() has already been validated and
BUG_ONs when the signature is not a dinode. That assumption is too
strong for crafted filesystems because the JBD2-managed buffer path
can bypass structural validation and return an invalid dinode to the
resize ioctl.

[FIX]
Validate the dinode explicitly in ocfs2_group_extend(). If the global
bitmap buffer does not contain a valid dinode, report filesystem
corruption with ocfs2_error() and fail the resize operation instead of
crashing the kernel.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.29 (including) 6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.24 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 7.0 (including) 7.0.1 (excluding)
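
The following check is an added example, not part of the original advisory or of the kernel project: it tests a `uname -r` style release string against the upstream ranges in the table above. The function names and the sample release strings are assumptions constructed for illustration.

```python
import re

# Affected upstream ranges copied from the table above:
# (from, inclusive; up to, exclusive).
AFFECTED_RANGES = [
    ("2.6.29", "6.6.136"),
    ("6.7", "6.12.83"),
    ("6.13", "6.18.24"),
    ("6.19", "6.19.14"),
    ("7.0", "7.0.1"),
]


def parse_release(release):
    """Return the leading numeric version of a release string as a 3-tuple.

    Suffixes such as "-generic" are ignored; a missing patch level counts as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())


def affected_range(release):
    """Return the (from, up_to) range that contains the release, or None."""
    version = parse_release(release)
    for low, high in AFFECTED_RANGES:
        if parse_release(low) <= version < parse_release(high):
            return (low, high)
    return None


if __name__ == "__main__":
    # Constructed sample releases, not taken from the advisory.
    for sample in ("6.6.135", "6.6.136", "6.12.82-generic", "7.0.1"):
        hit = affected_range(sample)
        status = f"in affected range {hit[0]} to {hit[1]}" if hit else "not in an affected range"
        print(f"{sample}: {status}")
```

The comparison uses upstream version numbers only. Distribution kernels that backport fixes keep their own numbering, so a match here still has to be confirmed against the vendor's advisory.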