From: Eric Sandeen
Subject: Re: [PATCH v2] ext4: avoid eh_entries overflow before insert extent_idx
Date: Thu, 23 Jun 2011 09:57:23 -0500
Message-ID: <4E035453.8080808@redhat.com>
References: <1308818837-5243-1-git-send-email-sanbai@taobao.com>
In-Reply-To: <1308818837-5243-1-git-send-email-sanbai@taobao.com>
To: Robin Dong
Cc: linux-ext4@vger.kernel.org, Robin Dong

On 6/23/11 3:47 AM, Robin Dong wrote:
> If eh_entries is equal to (or greater than) eh_max, the operation of
> inserting new extent_idx will make number of entries overflow.
> So check eh_entries before inserting the new extent_idx.

Do you have any testcase you can share which shows this bug?

Thanks,
-Eric

> Signed-off-by: Robin Dong > --- > fs/ext4/extents.c | 18 ++++++++++-------- > 1 files changed, 10 insertions(+), 8 deletions(-) > > diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c > index eb63c7b..792e77e 100644 > --- a/fs/ext4/extents.c > +++ b/fs/ext4/extents.c > @@ -776,6 +776,16 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, > logical, le32_to_cpu(curp->p_idx->ei_block)); > return -EIO; > } > + > + if (unlikely(le16_to_cpu(curp->p_hdr->eh_entries) > + >= le16_to_cpu(curp->p_hdr->eh_max))) { > + EXT4_ERROR_INODE(inode, > + "eh_entries %d >= eh_max %d!", > + le16_to_cpu(curp->p_hdr->eh_entries), > + le16_to_cpu(curp->p_hdr->eh_max)); > + return -EIO; > + } > + > len = EXT_MAX_INDEX(curp->p_hdr) - curp->p_idx; > if (logical > le32_to_cpu(curp->p_idx->ei_block)) { > /* insert after */ 
> @@ -805,14 +815,6 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, > ext4_idx_store_pblock(ix, ptr); > le16_add_cpu(&curp->p_hdr->eh_entries, 1); > > - if (unlikely(le16_to_cpu(curp->p_hdr->eh_entries) > - > le16_to_cpu(curp->p_hdr->eh_max))) { > - EXT4_ERROR_INODE(inode, > - "eh_entries %d > eh_max %d!", > - le16_to_cpu(curp->p_hdr->eh_entries), > - le16_to_cpu(curp->p_hdr->eh_max)); > - return -EIO; > - } > if (unlikely(ix > EXT_LAST_INDEX(curp->p_hdr))) { > EXT4_ERROR_INODE(inode, "ix > EXT_LAST_INDEX!"); > return -EIO;
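
Review bot: the check added in the first hunk, just before `len = EXT_MAX_INDEX(curp->p_hdr) - curp->p_idx;`, carries no comment explaining why a full node (`eh_entries == eh_max`) is now reported through `EXT4_ERROR_INODE` with `-EIO`, where the removed check only fired on `>`. A one-line comment above it stating that the node must have room for one more index entry on entry to `ext4_ext_insert_index` would make the tightened condition clearly deliberate, and the commit message should say how the condition was reached, as the reply above asks. `eh_entries` and `eh_max` are each converted with `le16_to_cpu` twice; reading both into locals first would shorten the condition and the error call.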
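
Review bot: in the second hunk, the `ix > EXT_LAST_INDEX(curp->p_hdr)` check that is left in place still runs after `ext4_idx_store_pblock(ix, ptr)` and `le16_add_cpu(&curp->p_hdr->eh_entries, 1)` have already modified the node, so it keeps the same report-after-write ordering that this patch removes for `eh_entries`. Consider moving that check ahead of the stores as well, or say in the commit message why it stays where it is.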