[lvc-project] [PATCH] ocfs2: add extra consistency check to ocfs2_replay_truncate_records()

Heming Zhao heming.zhao at suse.com
Mon Oct 20 17:06:39 MSK 2025


Hi Dmitry,

the code logic is correct but the commit log needs revising.

On 10/20/25 18:24, Dmitry Antipov wrote:
> In 'ocfs2_replay_truncate_records()', check whether truncate long

'truncate log' not 'truncate long'

> length matches the one configured via the superblock parameters
> established at mount and current record index is within the valid

the length is established at mkfs time, not at mount time.

Thanks
Heming

> range, thus preventing out-of-bounds accesses while iterating
> over the log records below.
> 
> Reported-by: syzbot+4d55dad3a9e8e9f7d2b5 at syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> ---
>   fs/ocfs2/alloc.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 162711cc5b20..143ce8ba6071 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -5941,6 +5941,16 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
>   
>   	di = (struct ocfs2_dinode *) tl_bh->b_data;
>   	tl = &di->id2.i_dealloc;
> +	if (le16_to_cpu(tl->tl_count) != ocfs2_truncate_recs_per_inode(osb->sb)) {
> +		status = -EINVAL;
> +		mlog_errno(status);
> +		goto bail;
> +	}
> +	if (le16_to_cpu(tl->tl_used) >= le16_to_cpu(tl->tl_count)) {
> +		status = -EINVAL;
> +		mlog_errno(status);
> +		goto bail;
> +	}
>   	i = le16_to_cpu(tl->tl_used) - 1;
>   	while (i >= 0) {
>   		handle = ocfs2_start_trans(osb, OCFS2_TRUNCATE_LOG_FLUSH_ONE_REC);
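
Review bot: the second added check, 'le16_to_cpu(tl->tl_used) >= le16_to_cpu(tl->tl_count)', looks one step stricter than the loop below it needs. The loop starts at 'i = le16_to_cpu(tl->tl_used) - 1' and counts down, so with tl_used == tl_count the highest index it touches is tl_count - 1, which is still within the range the first check has just validated; only tl_used > tl_count would run past it. If a completely full truncate log is a state that can reach replay, '>=' will refuse to replay it with -EINVAL, so consider '>' here, or add a comment explaining why a full log must be rejected. Separately, both branches end in the same bare mlog_errno(status), which does not say which field was inconsistent; one message that prints tl_used, tl_count and the expected per-inode count would make a report from a corrupted image easier to triage.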



