[lvc-project] [PATCH v2] ocfs2: add extra consistency check to ocfs2_replay_truncate_records()
Dmitry Antipov dmantipov at yandex.ru
Tue Oct 21 11:01:44 MSK 2025

On 10/21/25 4:32 AM, Heming Zhao wrote:
> On 10/20/25 23:02, Dmitry Antipov wrote:
>> In 'ocfs2_replay_truncate_records()', check whether truncate log
>> length matches the one that comes from the superblock parameters defined
>> when making a filesystem and current record index is within the valid
>> range, thus preventing out-of-bounds accesses while iterating over
>> the log records below.
>>
>> Reported-by: syzbot+4d55dad3a9e8e9f7d2b5 at syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> 
> LGTM.
> Reviewed-by: Heming Zhao <heming.zhao at suse.com>
> 
>> ---
>> v2: adjust commit message (Heming Zhao)
>> ---
>>   fs/ocfs2/alloc.c | 10 ++++++++++
>>   1 file changed, 10 insertions(+)
>>
>> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
>> index 162711cc5b20..143ce8ba6071 100644
>> --- a/fs/ocfs2/alloc.c
>> +++ b/fs/ocfs2/alloc.c
>> @@ -5941,6 +5941,16 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
>>       di = (struct ocfs2_dinode *) tl_bh->b_data;
>>       tl = &di->id2.i_dealloc;
>> +    if (le16_to_cpu(tl->tl_count) != ocfs2_truncate_recs_per_inode(osb->sb)) {
>> +        status = -EINVAL;
>> +        mlog_errno(status);
>> +        goto bail;
>> +    }
>> +    if (le16_to_cpu(tl->tl_used) >= le16_to_cpu(tl->tl_count)) {
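Review bot: the `>=` in the second added check (tl_used against tl_count) also rejects a log where tl_used equals tl_count, which is stricter than the commit message's "within the valid range" unless a completely full truncate log is never a valid on-disk state. If the records are indexed up to tl_used - 1, then tl_used == tl_count is still in bounds and only tl_used > tl_count needs to be refused, so the comparison should be `>` or the stricter bound should be justified in a comment. Separately, the first check fails with a bare -EINVAL through mlog_errno(), which does not say which field was bad; logging the on-disk tl_count next to the value returned by ocfs2_truncate_recs_per_inode(osb->sb) would make a corrupted image much easier to diagnose, and reading tl_count into a local once would avoid converting it twice.
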
Ugh, there should be le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count) since
array indexing always uses tl->tl_used - 1.
Dmitry
    
    