[lvc-project] [PATCH v2] ocfs2: add extra consistency check to ocfs2_replay_truncate_records()
Heming Zhao
heming.zhao at suse.com
Tue Oct 21 14:12:50 MSK 2025
On 10/21/25 16:01, Dmitry Antipov wrote:
> On 10/21/25 4:32 AM, Heming Zhao wrote:
>
>> On 10/20/25 23:02, Dmitry Antipov wrote:
>>> In 'ocfs2_replay_truncate_records()', check whether the truncate log
>>> length matches the one that comes from the superblock parameters defined
>>> when making a filesystem and the current record index is within the valid
>>> range, thus preventing out-of-bounds accesses while iterating over
>>> the log records below.
>>>
>>> Reported-by: syzbot+4d55dad3a9e8e9f7d2b5 at syzkaller.appspotmail.com
>>> Closes: https://syzkaller.appspot.com/bug?extid=4d55dad3a9e8e9f7d2b5
>>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
>>
>> LGTM.
>> Reviewed-by: Heming Zhao <heming.zhao at suse.com>
>>
>>> ---
>>> v2: adjust commit message (Heming Zhao)
>>> ---
>>> fs/ocfs2/alloc.c | 10 ++++++++++
>>> 1 file changed, 10 insertions(+)
>>>
>>> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
>>> index 162711cc5b20..143ce8ba6071 100644
>>> --- a/fs/ocfs2/alloc.c
>>> +++ b/fs/ocfs2/alloc.c
>>> @@ -5941,6 +5941,16 @@ static int ocfs2_replay_truncate_records(struct ocfs2_super *osb,
>>> di = (struct ocfs2_dinode *) tl_bh->b_data;
>>> tl = &di->id2.i_dealloc;
>>> + if (le16_to_cpu(tl->tl_count) != ocfs2_truncate_recs_per_inode(osb->sb)) {
>>> + status = -EINVAL;
>>> + mlog_errno(status);
>>> + goto bail;
>>> + }
>>> + if (le16_to_cpu(tl->tl_used) >= le16_to_cpu(tl->tl_count)) {
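Review bot: the second check in this hunk uses `>=`, which rejects a completely full truncate log (tl_used == tl_count) even though that is a valid on-disk state; since the replay loop indexes records as tl_used - 1, the out-of-bounds condition is only tl_used > tl_count, so the comparison should be `>`. A secondary point on both new checks: they bail with a bare `status = -EINVAL; mlog_errno(status);`, so a log reader cannot tell which of the two consistency checks fired or what the observed tl_count/tl_used values were; consider including those values in the error message next to the errno so a corrupted image can be diagnosed from the log alone.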
>
> Ugh, there should be le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count) since
> array indexing always uses tl->tl_used - 1.
Good catch. The code logic is the same as that of verify_truncate_log() from ocfs2-tools.
- Heming
>
> Dmitry