[lvc-project] [PATCH v2] ocfs2: add extra consistency check to ocfs2_dx_dir_lookup_rec()
Joseph Qi
joseph.qi at linux.alibaba.com
Fri Oct 10 09:36:26 MSK 2025
On 2025/10/10 13:53, Heming Zhao wrote:
> Hi Joseph,
>
> Do you have time to check my following comment?
>
> On 10/7/25 17:46, Dmitry Antipov wrote:
>> In 'ocfs2_dx_dir_lookup_rec()', check whether an extent list length
>> of the directory indexing block matches the one configured via the
>> superblock parameters established at mount, thus preventing an
>> out-of-bounds accesses while iterating over the extent records below.
>>
>> Reported-by: syzbot+30b53487d00b4f7f0922 at syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=30b53487d00b4f7f0922
>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
>> ---
>> v2: move sanity check to ocfs2_dx_dir_lookup_rec() (Heming Zhao)
>> and rely on the convenient ocfs2_error() to handle error
>> ---
>> fs/ocfs2/dir.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
>> index 8c9c4825f984..ece0462a5d26 100644
>> --- a/fs/ocfs2/dir.c
>> +++ b/fs/ocfs2/dir.c
>> @@ -778,6 +778,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
>> struct ocfs2_extent_block *eb;
>> struct ocfs2_extent_rec *rec = NULL;
>> + if (le16_to_cpu(el->l_count) !=
>> + ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
>
> el->l_count represents the length of the array l_recs[], the max value is
> ocfs2_extent_recs_per_dx_root(sb). Therefore, we should use "<=" instead of "!=".
>
In ocfs2_dx_dir_attach_index():
dx_root->dr_list.l_count = cpu_to_le16(ocfs2_extent_recs_per_dx_root(osb->sb))
And the above path is non-inline case, so it seems '!=' is correct.
Thanks,
Joseph
More information about the lvc-project
mailing list