diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index ca5499e9412b..ef3870afb8fb 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -930,7 +930,11 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, while (i) { ext_debug(inode, "depth %d: num %d, max %d\n", ppos, le16_to_cpu(eh->eh_entries), le16_to_cpu(eh->eh_max)); - + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch_idx"); + ret = -EFSCORRUPTED; + goto err; + } ext4_ext_binsearch_idx(inode, path + ppos, block); path[ppos].p_block = ext4_idx_pblock(path[ppos].p_idx); path[ppos].p_depth = i; @@ -952,12 +956,17 @@ ext4_find_extent(struct inode *inode, ext4_lblk_t block, path[ppos].p_ext = NULL; path[ppos].p_idx = NULL; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header before binsearch"); + ret = -EFSCORRUPTED; + goto err; + } /* find extent */ ext4_ext_binsearch(inode, path + ppos, block); /* if not an empty leaf */ if (path[ppos].p_ext) path[ppos].p_block = ext4_ext_pblock(path[ppos].p_ext); - + ext4_ext_show_path(inode, path); return path; @@ -1708,7 +1717,8 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode, struct ext4_extent *ex; __le32 border; int k, err = 0; - + if (!path || depth < 0 || depth > EXT4_MAX_EXTENT_DEPTH) + return -EFSCORRUPTED; eh = path[depth].p_hdr; ex = path[depth].p_ext; @@ -4200,6 +4210,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, unsigned int allocated_clusters = 0; struct ext4_allocation_request ar; ext4_lblk_t cluster_offset; + struct ext4_extent_header *eh; ext_debug(inode, "blocks %u/%u requested\n", map->m_lblk, map->m_len); trace_ext4_ext_map_blocks_enter(inode, map->m_lblk, map->m_len, flags); 
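Review bot: In the first ext4_find_extent hunk the new `!eh` test comes after the `ext_debug()` context line that already reads `eh->eh_entries` and `eh->eh_max`. If `eh` could be NULL, that line would dereference it first whenever the debug macro evaluates its arguments. Either move the check above `ext_debug()`, or drop the NULL half if `eh` cannot be NULL at this point. The same three-line magic check is repeated in the second ext4_find_extent hunk and in ext4_ext_map_blocks, so a small static helper taking `inode`, `eh` and the level would keep the three sites consistent and let the message name the failing depth. The loop body continues outside the hunk.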
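Review bot: In the second ext4_find_extent hunk, testing only `eh_magic` before `ext4_ext_binsearch()` does not constrain what the search walks. A header with the right magic but an `eh_entries` value larger than `eh_max` passes this guard unchanged. If the intent is to harden the lookup against a corrupted or crafted image, the condition should also cover the counts, for example `|| le16_to_cpu(eh->eh_entries) > le16_to_cpu(eh->eh_max)`. Whether an earlier validation step outside the hunk already enforces this cannot be seen from here, so a one-line comment saying which case the new check is meant to catch would help. The hunk also appears to replace an empty line with a whitespace-only one near `ext4_ext_show_path()`, which should be dropped.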
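Review bot: The early return added to ext4_ext_correct_indexes fails with `-EFSCORRUPTED` but reports nothing, unlike every other check in this patch, so the corruption leaves no log entry identifying the inode. Consider `EXT4_ERROR_INODE(inode, "invalid extent depth %d", depth);` before the `return`. The check also takes the place of the blank line between the declarations and the first statement, which kernel style keeps. `depth` is initialised outside the hunk, so whether `depth < 0` or `!path` is reachable cannot be judged from these lines; if they are not, the guard is dead code and should say so or be removed.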
@@ -4212,7 +4223,12 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, } depth = ext_depth(inode); - + eh = path[depth].p_hdr; + if (!eh || le16_to_cpu(eh->eh_magic) != EXT4_EXT_MAGIC) { + EXT4_ERROR_INODE(inode, "invalid extent header at depth %d", depth); + err = -EFSCORRUPTED; + goto out; + } /* * consistent leaf must not be empty; * this situation is possible, though, _during_ tree modification;
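Review bot: The header tested here, `path[depth].p_hdr`, looks like the same leaf header this patch already validates in ext4_find_extent just before `ext4_ext_binsearch()`. If `path` comes from that call (it is outside the hunk), this check cannot fire on a successfully returned path and only adds a branch to every mapping request. If it is meant to catch the header changing between lookup and use, say so in a comment such as `/* re-check: leaf header may have been modified since ext4_find_extent() */`. Note also that `path[depth]` is indexed with no bound on `depth`, while ext4_ext_correct_indexes in the same patch gets a `depth > EXT4_MAX_EXTENT_DEPTH` guard, so the two sites should follow the same rule.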