[lvc-project] [PATCH v2] ocfs2: add extra consistency check to ocfs2_dx_dir_lookup_rec()
Heming Zhao
heming.zhao at suse.com
Fri Oct 10 09:43:07 MSK 2025
On 10/10/25 14:36, Joseph Qi wrote:
>
>
> On 2025/10/10 13:53, Heming Zhao wrote:
>> Hi Joseph,
>>
>> Do you have time to check my following comment?
>>
>> On 10/7/25 17:46, Dmitry Antipov wrote:
>>> In 'ocfs2_dx_dir_lookup_rec()', check whether an extent list length
>>> of the directory indexing block matches the one configured via the
>>> superblock parameters established at mount, thus preventing
>>> out-of-bounds accesses while iterating over the extent records below.
>>>
>>> Reported-by: syzbot+30b53487d00b4f7f0922 at syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=30b53487d00b4f7f0922
>>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
>>> ---
>>> v2: move sanity check to ocfs2_dx_dir_lookup_rec() (Heming Zhao)
>>> and rely on the convenient ocfs2_error() to handle error
>>> ---
>>> fs/ocfs2/dir.c | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>>
>>> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
>>> index 8c9c4825f984..ece0462a5d26 100644
>>> --- a/fs/ocfs2/dir.c
>>> +++ b/fs/ocfs2/dir.c
>>> @@ -778,6 +778,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
>>> struct ocfs2_extent_block *eb;
>>> struct ocfs2_extent_rec *rec = NULL;
>>> + if (le16_to_cpu(el->l_count) !=
>>> + ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
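Review bot: the `!=` comparison on el->l_count at the top of ocfs2_dx_dir_lookup_rec() has no comment saying why an exact match with ocfs2_extent_recs_per_dx_root(inode->i_sb) is required rather than an upper bound, and the changelog only says the length should match the one "configured via the superblock parameters". Suggest a one-line comment above the condition naming the invariant (ocfs2_dx_dir_attach_index() stores the full per-root capacity in dr_list.l_count), so that a later reader who takes l_count for a usage counter does not relax the test to a range check.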
>>
>> el->l_count represents the length of the array l_recs[], the max value is
>> ocfs2_extent_recs_per_dx_root(sb). Therefore, we should use "<=" instead of "!=".
>>
>
> In ocfs2_dx_dir_attach_index():
> dx_root->dr_list.l_count = cpu_to_le16(ocfs2_extent_recs_per_dx_root(osb->sb))
>
> And the above path is non-inline case, so it seems '!=' is correct.
>
> Thanks,
> Joseph
>
>
Totally understand, thanks for the explanation.
And this patch looks good to me.
- Heming
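Added illustration, not part of the thread or of the ocfs2 sources: a user-space C model of the exact-match capacity check discussed above, applied to a raw block before its records are walked. The byte layout, error codes, helper names and the bound on the in-use counter are assumptions of this model, not taken from the patch.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout (not the ocfs2 on-disk format): l_count (LE16),
 * l_next_free_rec (LE16), 4 pad bytes, then 16-byte records that start
 * with cpos (LE32) and clusters (LE32). */
#define HDR_SIZE 8
#define REC_SIZE 16
#define ERR_NOTFOUND (-1)
#define ERR_CORRUPT  (-2)  /* stand-in for the ocfs2_error() path */
static unsigned get_le16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | (uint32_t)get_le16(p + 2) << 16; }
/* Capacity implied by the block size (the role of ocfs2_extent_recs_per_dx_root()). */
static unsigned recs_per_block(size_t bs) { return (unsigned)((bs - HDR_SIZE) / REC_SIZE); }

/* Index of the record covering cpos, or ERR_NOTFOUND / ERR_CORRUPT. */
int lookup_rec(const uint8_t *blk, size_t bs, uint32_t cpos)
{
    unsigned count = get_le16(blk), used = get_le16(blk + 2);
    /* Exact match, as in the patch: the writer always stores full capacity. */
    if (count != recs_per_block(bs))
        return ERR_CORRUPT;
    if (used > count)  /* model-only check on the in-use counter */
        return ERR_CORRUPT;
    for (int i = (int)used - 1; i >= 0; i--) {
        const uint8_t *rec = blk + HDR_SIZE + (size_t)i * REC_SIZE;
        uint32_t start = get_le32(rec), len = get_le32(rec + 4);
        if (cpos >= start && cpos - start < len)
            return i;
    }
    return ERR_NOTFOUND;
}

/* Constructed sample block: two records, header values chosen by the caller. */
void make_block(uint8_t *blk, size_t bs, unsigned count, unsigned used)
{
    memset(blk, 0, bs);
    blk[0] = (uint8_t)count; blk[1] = (uint8_t)(count >> 8);
    blk[2] = (uint8_t)used;  blk[3] = (uint8_t)(used >> 8);
    blk[HDR_SIZE + 4] = 4;             /* rec 0: cpos 0, 4 clusters */
    blk[HDR_SIZE + REC_SIZE] = 4;      /* rec 1: cpos 4 ... */
    blk[HDR_SIZE + REC_SIZE + 4] = 8;  /* ... 8 clusters */
}

int main(void)
{
    uint8_t blk[512];
    make_block(blk, sizeof blk, 30, 2);  /* capacity is 31, header claims 30 */
    return lookup_rec(blk, sizeof blk, 5) == ERR_CORRUPT ? 0 : 1;
}
```

A header that claims 30 slots in a 512-byte block would pass an upper-bound test but fails the exact match, which is the distinction the thread settles on.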