Re: [syzbot] Re: kernel BUG in ocfs2_commit_truncate()

[syzbot <syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: kernel BUG in ocfs2_commit_truncate()
Author: dmantipov@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 395e23920632..deb038e9392a 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -7219,12 +7219,19 @@ int ocfs2_commit_truncate(struct ocfs2_super *osb,
 	struct ocfs2_extent_rec *rec;
 	struct ocfs2_path *path = NULL;
 	struct ocfs2_dinode *di = (struct ocfs2_dinode *)di_bh->b_data;
+	u16 tree_depth = le16_to_cpu(di->id2.i_list.l_tree_depth);
 	struct ocfs2_extent_list *root_el = &(di->id2.i_list);
 	u64 refcount_loc = le64_to_cpu(di->i_refcount_loc);
 	struct ocfs2_extent_tree et;
 	struct ocfs2_cached_dealloc_ctxt dealloc;
 	struct ocfs2_refcount_tree *ref_tree = NULL;
 
+	if (unlikely(tree_depth >= OCFS2_MAX_PATH_DEPTH)) {
+		mlog(ML_ERROR, "Corrupted dinode %llu\n",
+		     (unsigned long long)di_bh->b_blocknr);
+		return -EINVAL;
+	}
+
 	ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh);
 	ocfs2_init_dealloc_ctxt(&dealloc);