ocfs2: correctly check the return value of ocfs2_search_extent_list

ocfs2_search_extent_list may return -1, so we should check the return
value in ocfs2_split_and_insert, otherwise it may cause array index out of
bound.

And ocfs2_search_extent_list can only return value less than
el->l_next_free_rec, so check if it is equal or larger than
le16_to_cpu(el->l_next_free_rec) is meaningless.

Signed-off-by: Yingtai Xie <xieyingtai@huawei.com>
Signed-off-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Mark Fasheh <mfasheh@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 9d8fcf2f3b947f0fe2a5feda7c0a849f154f349c..a93bf98922565ab120d85f995f0cb565deb1e144 100644 (file)
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -4961,6 +4961,15 @@ leftright:
 
                el = path_leaf_el(path);
                split_index = ocfs2_search_extent_list(el, cpos);
+               if (split_index == -1) {
+                       ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
+                                       "Owner %llu has an extent at cpos %u "
+                                       "which can no longer be found.\n",
+                                       (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),
+                                       cpos);
+                       ret = -EROFS;
+                       goto out;
+               }
                goto leftright;
        }
 out:
@@ -5135,7 +5144,7 @@ int ocfs2_change_extent_flag(handle_t *handle,
        el = path_leaf_el(left_path);
 
        index = ocfs2_search_extent_list(el, cpos);
-       if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+       if (index == -1) {
                ocfs2_error(sb,
                            "Owner %llu has an extent at cpos %u which can no "
                            "longer be found.\n",
@@ -5491,7 +5500,7 @@ int ocfs2_remove_extent(handle_t *handle,
 
        el = path_leaf_el(path);
        index = ocfs2_search_extent_list(el, cpos);
-       if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+       if (index == -1) {
                ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
                            "Owner %llu has an extent at cpos %u which can no "
                            "longer be found.\n",
@@ -5557,7 +5566,7 @@ int ocfs2_remove_extent(handle_t *handle,
 
                el = path_leaf_el(path);
                index = ocfs2_search_extent_list(el, cpos);
-               if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+               if (index == -1) {
                        ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
                                    "Owner %llu: split at cpos %u lost record.",
                                    (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),

diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 599eb4c4c8beedaec8c18649b47cc2c1fe487680..6219aaadeb08dadeb44ebdacb2b2559edfc52d7c 100644 (file)
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,7 @@ static int __ocfs2_move_extent(handle_t *handle,
        el = path_leaf_el(path);
 
        index = ocfs2_search_extent_list(el, cpos);
-       if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+       if (index == -1) {
                ocfs2_error(inode->i_sb,
                            "Inode %llu has an extent at cpos %u which can no "
                            "longer be found.\n",

diff --git a/fs/ocfs2/refcounttree.c b/fs/ocfs2/refcounttree.c
index 636aab69ead559f718a9ebef4e6ca5e8dfad933e..d81f6e2a97f5d4c70d6324cf0a7483a874cd7b9a 100644 (file)
--- a/fs/ocfs2/refcounttree.c
+++ b/fs/ocfs2/refcounttree.c
@@ -3109,7 +3109,7 @@ static int ocfs2_clear_ext_refcount(handle_t *handle,
        el = path_leaf_el(path);
 
        index = ocfs2_search_extent_list(el, cpos);
-       if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+       if (index == -1) {
                ocfs2_error(sb,
                            "Inode %llu has an extent at cpos %u which can no "
                            "longer be found.\n",