ocfs2: correctly check the return value of ocfs2_search_extent_list

ocfs2_search_extent_list may return -1, so we should check the return value in ocfs2_split_and_insert, otherwise it may cause array index out of bound. And ocfs2_search_extent_list can only return value less than el->l_next_free_rec, so check if it is equal or larger than le16_to_cpu(el->l_next_free_rec) is meaningless. Signed-off-by: Yingtai Xie <xieyingtai@huawei.com> Signed-off-by: Joseph Qi <joseph.qi@huawei.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Mark Fasheh <mfasheh@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Yingtai Xie <xieyingtai@huawei.com> 2014-08-06 19:03:54 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2014-08-06 21:01:13 -0400
commit: 981035b47d7da8ba7c153ed431bf515f593853d8 (patch)
tree: 675aab83a7118389728f0dbcc733a3d3cf18ae8d /fs/ocfs2/alloc.c
parent: c811f5f41e37d16b2839988426ffde78d2273d48 (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 9d8fcf2f3b94..a93bf9892256 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -4961,6 +4961,15 @@ leftright:
                el = path_leaf_el(path);
                split_index = ocfs2_search_extent_list(el, cpos);
+                if (split_index == -1) {
+                        ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
+                                        "Owner %llu has an extent at cpos %u "
+                                        "which can no longer be found.\n",
+                                        (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),
+                                        cpos);
+                        ret = -EROFS;
+                        goto out;
+                }
                goto leftright;
        }
 out:
@@ -5135,7 +5144,7 @@ int ocfs2_change_extent_flag(handle_t *handle,
        el = path_leaf_el(left_path);
        index = ocfs2_search_extent_list(el, cpos);
-        if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+        if (index == -1) {
                ocfs2_error(sb,
                            "Owner %llu has an extent at cpos %u which can no "
                            "longer be found.\n",
@@ -5491,7 +5500,7 @@ int ocfs2_remove_extent(handle_t *handle,
        el = path_leaf_el(path);
        index = ocfs2_search_extent_list(el, cpos);
-        if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+        if (index == -1) {
                ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
                            "Owner %llu has an extent at cpos %u which can no "
                            "longer be found.\n",
@@ -5557,7 +5566,7 @@ int ocfs2_remove_extent(handle_t *handle,
                el = path_leaf_el(path);
                index = ocfs2_search_extent_list(el, cpos);
-                if (index == -1 || index >= le16_to_cpu(el->l_next_free_rec)) {
+                if (index == -1) {
                        ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),
                                    "Owner %llu: split at cpos %u lost record.",
                                    (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),
author	Yingtai Xie <xieyingtai@huawei.com>	2014-08-06 19:03:54 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2014-08-06 21:01:13 -0400
commit	981035b47d7da8ba7c153ed431bf515f593853d8 (patch)
tree	675aab83a7118389728f0dbcc733a3d3cf18ae8d /fs/ocfs2/alloc.c
parent	c811f5f41e37d16b2839988426ffde78d2273d48 (diff)