ocfs2: add extra consistency checks for chain allocator dinodes

When validating chain allocator dinode in 'ocfs2_validate_inode_block()',
add an extra checks whether a) the maximum amount of chain records in
'struct ocfs2_chain_list' matches the value calculated based on the
filesystem block size, and b) the next free slot index is within the valid
range.

Link: https://lkml.kernel.org/r/20251030153003.1934585-1-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+77026564530dbc29b854@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=77026564530dbc29b854
Reported-by: syzbot+5054473a31f78f735416@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5054473a31f78f735416
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Mark Fasheh <mark@fasheh.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index dbc38a212c8f23d1d6fd8be7f3b6bc54d7b6f0fb..0f39ce0a2d4638af57e8b053b8b2ee8ff4d3ef40 100644 (file)
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1513,6 +1513,23 @@ int ocfs2_validate_inode_block(struct super_block *sb,
                goto bail;
        }
 
+       if (le32_to_cpu(di->i_flags) & OCFS2_CHAIN_FL) {
+               struct ocfs2_chain_list *cl = &di->id2.i_chain;
+
+               if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb)) {
+                       rc = ocfs2_error(sb, "Invalid dinode %llu: chain list count %u\n",
+                                        (unsigned long long)bh->b_blocknr,
+                                        le16_to_cpu(cl->cl_count));
+                       goto bail;
+               }
+               if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+                       rc = ocfs2_error(sb, "Invalid dinode %llu: chain list index %u\n",
+                                        (unsigned long long)bh->b_blocknr,
+                                        le16_to_cpu(cl->cl_next_free_rec));
+                       goto bail;
+               }
+       }
+
        rc = 0;
 
 bail: