From nobody Sun Feb  8 10:29:51 2026
Received: from mail-oa1-f43.google.com (mail-oa1-f43.google.com
 [209.85.160.43])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 640CB27CB04
	for <linux-kernel@vger.kernel.org>; Thu, 15 Jan 2026 04:00:13 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.160.43
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1768449614; cv=none;
 b=Vrg9KVFissoHYwpaz0leX+bPzdzXoopmHqSe4kOAh0buEkxWyG4I++8H5FZgQ38bkYZdF4H77Q36QuMAba79dsECdPNaBGr7VBMR7I9WwuKBeaCryz9NsBrfIOAbtfBgsbOivMHqyPH1r7GrxmXDKzOBcyKETx7DodgJgzoVtq4=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1768449614; c=relaxed/simple;
	bh=hvz2ebM7EOpFqS3N/v/MChB5H1STjXn1fFz+OmMe34A=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=e3QPE2vUT6cPRAGsC+NAN6V7X1175vKKvsqHtT7DjRAXcBspVPuJZcDHZh+ClZ7dpEkpSkCT59xaY2JvNdhrwoXKLSEORaNjGr83gk3n1kjJMCct7lt60ayg4o4HNj7NdlgD7IFfbeszAZU/qChKAO1DWkbxNmP1+ExGYvQH918=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=QgKrLLjO; arc=none smtp.client-ip=209.85.160.43
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="QgKrLLjO"
Received: by mail-oa1-f43.google.com with SMTP id
 586e51a60fabf-40421de595fso324402fac.3
        for <linux-kernel@vger.kernel.org>;
 Wed, 14 Jan 2026 20:00:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768449612; x=1769054412;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=8Ge1Z0GFCCZOzRKO0uD2f8C3Om46pRhHWG4akWE0ONk=;
        b=QgKrLLjOFSrOfHRwGr7wXpPc3jw7UPP8HXEwQYBNfWzqdGMErFTJ6I27+0qewt5A6K
         oHOZNYTkk0L3iOJSqtyfBALacxSH7fKeoIN1tkt0KnfC9WvaTg3VahmjIzVW0gXf7Qdb
         /Lk/eELX8YLumWb/P0/p9r2inTkIyrBlTeVNpAl0IkEX9HbDvYH8RCDoXsDU+6BAJiYP
         poVPoVMLBUwneuWW4A9OnL2hBw5xhTHDq4ScuLLYKnP6pinojat4hjbi0zb9ZxAPCikL
         FmUf1891FzfPnZVV18In1pJLOR5iPF3a/e9HW5wBz0Vx2Ox2uUbjpDRAYPSK2B48Coua
         LePw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768449612; x=1769054412;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=8Ge1Z0GFCCZOzRKO0uD2f8C3Om46pRhHWG4akWE0ONk=;
        b=EFzQEcAv2Agbeuf4bLRZ0JKqUvGAIEQzGHnSAH/LLq3iVchBQP798TJmnTLs7wfjeY
         F23qqq6kMLyZJFqR8+0axn6UoZ0lp3N2sSy4JFUMlN9NIrG/r+Bg+D5vnWQtG9WUg/CO
         tzxifHyWBdhlMU4312jBKe8oD4r4+7vKfFDPxC6B588LySBQhyxxanSYIPGnkZgl1hft
         2Bz4QY9Mh1JSxY3oXelCCx9SN+HgunJn+9ZWfTC3ysKdIl3T6QqKPgBSQ02CsO1Bk5yg
         aXPeeZF30Tj/KK/7ZYlAJvjz8P5u/cysrb576b+/AcDO8sDdqb94Mu88Nc1PB9/macsd
         pLpg==
X-Forwarded-Encrypted: i=1;
 AJvYcCXNeNCTXJYUEXUgd9wDYdaOBE5S7zrMgFQScmLpGlgsYqyLri9Ik1XjbXeeYXRfbWyI7HSw27LH1ihlOZI=@vger.kernel.org
X-Gm-Message-State: AOJu0YyUKLdDdAPXWtJZpNf//QU0Iry4dfS7ajJQOet3JBjMBOfVMUbN
	mA057YDaRF/MYs4/XzNLsivKIc4oYwnbdhlSK0akzO9KzYPUsIz50qWCFzID3w==
X-Gm-Gg: AY/fxX4+R48mZ3UgDd1AyVXjmM9MGhW/uwX8amFsaDJfwZJwh3JgAjNnfL34pVKCsqF
	LdRPFD2vOKRIdbRJq4YaIwzjq38km/IAhotZnn5lTfJljE4XeRSZt7wHZ4kag1vocWIeCJZa57n
	+s/XYHANqft00oDK0NXznMq1M/U3PuogMKanb8SZPaK0PEYCSx2rkSzw2azgOmaKJuJEQCjnvKM
	tds3d8ELVTx29u8PBYs1FRpuEmxaKy2ya+8GbQbcqwJtBhBGST3UcTKU1JaaTPQdR/qFhDEwjFr
	adBZmnvtoGNQ+hkp7nWpzyojXgh5VGTRsv1hUoH312B63xE30sei4RAhPItdJzvL33sfOP1/kHz
	ri1VLqzDIyqkHhs0clHQOvFt4iCgDzFC3iHtZ1O96SVUvqEO7/4dORKDtJqeKMBwN4Xaynyt4gG
	OYc1DkFg0uNWB6aP9fN/FpzS0NEQxtWT8IxploFp5V/t0=
X-Received: by 2002:a05:6871:6608:b0:3e8:8e57:a7a2 with SMTP id
 586e51a60fabf-404071d0a36mr3538579fac.53.1768449612014;
        Wed, 14 Jan 2026 20:00:12 -0800 (PST)
Received: from newman.cs.purdue.edu ([128.10.127.250])
        by smtp.gmail.com with ESMTPSA id
 586e51a60fabf-3ffa4a9099csm18185550fac.0.2026.01.14.20.00.10
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 14 Jan 2026 20:00:11 -0800 (PST)
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
To: Mark Fasheh <mark@fasheh.com>,
	Joel Becker <jlbec@evilplan.org>,
	Joseph Qi <joseph.qi@linux.alibaba.com>,
	linux-kernel@vger.kernel.org
Cc: ocfs2-devel@lists.linux.dev,
	Jiasheng Jiang <jiashengjiangcool@gmail.com>
Subject: [PATCH] ocfs2: validate max leaf clusters in
 ocfs2_figure_merge_contig_type
Date: Thu, 15 Jan 2026 04:00:08 +0000
Message-Id: <20260115040008.13549-1-jiashengjiangcool@gmail.com>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

In 'ocfs2_figure_merge_contig_type', the variable 'split_rec' is used to
determine if a split extent can be merged with its neighbors. However,
the function fails to validate if the resulting merged extent would
exceed the 'et_max_leaf_clusters' limit.

In contrast, its peer function 'ocfs2_figure_contig_type' (used for
inserting new extents) explicitly performs this validation checks
against 'et_max_leaf_clusters' to prevent creating oversized extents.

This inconsistency is particularly problematic for xattr trees, where
'et_max_leaf_clusters' is set to a non-zero value (derived from
OCFS2_MAX_XATTR_TREE_LEAF_SIZE). If a merge occurs that exceeds this
limit, it creates an extent that violates the filesystem's structural
invariants, potentially leading to corruption or failure when accessing
extended attributes.

This patch adds the missing verification logic to
'ocfs2_figure_merge_contig_type'. It ensures that before indicating
CONTIG_LEFT or CONTIG_RIGHT, the combined length of the existing record
and the split record is checked against 'et_max_leaf_clusters' if the
limit is set.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
---
 fs/ocfs2/alloc.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 58bf58b68955..7d9400736791 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -4424,6 +4424,12 @@ static int ocfs2_figure_merge_contig_type(struct ocf=
s2_extent_tree *et,
 				ret =3D CONTIG_RIGHT;
 		} else {
 			ret =3D ocfs2_et_extent_contig(et, rec, split_rec);
+			if (ret !=3D CONTIG_NONE && et->et_max_leaf_clusters) {
+				if (le16_to_cpu(rec->e_leaf_clusters) +
+				    le16_to_cpu(split_rec->e_leaf_clusters) >
+				    et->et_max_leaf_clusters)
+					ret =3D CONTIG_NONE;
+			}
 		}
 	}
=20
@@ -4470,6 +4476,12 @@ static int ocfs2_figure_merge_contig_type(struct ocf=
s2_extent_tree *et,
 		enum ocfs2_contig_type contig_type;
=20
 		contig_type =3D ocfs2_et_extent_contig(et, rec, split_rec);
+		if (contig_type !=3D CONTIG_NONE && et->et_max_leaf_clusters) {
+			if (le16_to_cpu(rec->e_leaf_clusters) +
+			    le16_to_cpu(split_rec->e_leaf_clusters) >
+			    et->et_max_leaf_clusters)
+				contig_type =3D CONTIG_NONE;
+		}
=20
 		if (contig_type =3D=3D CONTIG_LEFT && ret =3D=3D CONTIG_RIGHT)
 			ret =3D CONTIG_LEFTRIGHT;
--=20
2.25.1