Re: [PATCH 3/4] ocfs2: validate extent block list fields during block read
From: Heming Zhao
Date: Tue Apr 07 2026 - 11:02:11 EST
On Fri, Apr 03, 2026 at 05:08:02PM +0800, Joseph Qi wrote:
> Add extent list validation to ocfs2_validate_extent_block() so that
> corrupted on-disk fields are caught early at block read time rather
> than during extent tree traversal.
>
> Two checks are added:
>
> - l_count must equal the expected value from
> ocfs2_extent_recs_per_eb(), catching blocks with a corrupted record
> count before any array iteration.
>
> - l_next_free_rec must not exceed l_count, preventing out-of-bounds
> access when iterating over extent records.
>
> Signed-off-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
LGTM
Reviewed-by: Heming Zhao <heming.zhao@xxxxxxxx>
> ---
> fs/ocfs2/alloc.c | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
> index 344fd4d95fbc..8639806bcbb8 100644
> --- a/fs/ocfs2/alloc.c
> +++ b/fs/ocfs2/alloc.c
> @@ -917,11 +917,32 @@ static int ocfs2_validate_extent_block(struct super_block *sb,
> goto bail;
> }
>
> - if (le32_to_cpu(eb->h_fs_generation) != OCFS2_SB(sb)->fs_generation)
> + if (le32_to_cpu(eb->h_fs_generation) != OCFS2_SB(sb)->fs_generation) {
> rc = ocfs2_error(sb,
> "Extent block #%llu has an invalid h_fs_generation of #%u\n",
> (unsigned long long)bh->b_blocknr,
> le32_to_cpu(eb->h_fs_generation));
> + goto bail;
> + }
> +
> + if (le16_to_cpu(eb->h_list.l_count) != ocfs2_extent_recs_per_eb(sb)) {
> + rc = ocfs2_error(sb,
> + "Extent block #%llu has invalid l_count %u (expected %u)\n",
> + (unsigned long long)bh->b_blocknr,
> + le16_to_cpu(eb->h_list.l_count),
> + ocfs2_extent_recs_per_eb(sb));
> + goto bail;
> + }
> +
> + if (le16_to_cpu(eb->h_list.l_next_free_rec) > le16_to_cpu(eb->h_list.l_count)) {
> + rc = ocfs2_error(sb,
> + "Extent block #%llu has invalid l_next_free_rec %u (l_count %u)\n",
> + (unsigned long long)bh->b_blocknr,
> + le16_to_cpu(eb->h_list.l_next_free_rec),
> + le16_to_cpu(eb->h_list.l_count));
> + goto bail;
> + }
> +
> bail:
> return rc;
> }
> --
> 2.39.3
>