From: Kent Overstreet
To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-bcachefs@vger.kernel.org
Cc: Kent Overstreet, Kent Overstreet
Subject: [PATCH 25/32] lib/generic-radix-tree.c: Don't overflow in peek()
Date: Tue, 9 May 2023 12:56:50 -0400
Message-Id: <20230509165657.1735798-26-kent.overstreet@linux.dev>
In-Reply-To: <20230509165657.1735798-1-kent.overstreet@linux.dev>
References: <20230509165657.1735798-1-kent.overstreet@linux.dev>

From: Kent Overstreet

When we started spreading new inode numbers throughout most of the 64 bit inode space, that triggered some corner case bugs, in particular some integer overflows related to the radix tree code. Oops.

Signed-off-by: Kent Overstreet
Signed-off-by: Kent Overstreet
--- include/linux/generic-radix-tree.h | 6 ++++++ lib/generic-radix-tree.c | 17 ++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/include/linux/generic-radix-tree.h b/include/linux/generic-radix-tree.h index 107613f7d7..63080822dc 100644 --- a/include/linux/generic-radix-tree.h +++ b/include/linux/generic-radix-tree.h @@ -184,6 +184,12 @@ void *__genradix_iter_peek(struct genradix_iter *, struct __genradix *, size_t); static inline void __genradix_iter_advance(struct genradix_iter *iter, size_t obj_size) { + if (iter->offset + obj_size < iter->offset) { + iter->offset = SIZE_MAX; + iter->pos = SIZE_MAX; + return; + } + iter->offset += obj_size; if (!is_power_of_2(obj_size) && 
diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c index f25eb111c0..7dfa88282b 100644 --- a/lib/generic-radix-tree.c +++ b/lib/generic-radix-tree.c @@ -166,6 +166,10 @@ void *__genradix_iter_peek(struct genradix_iter *iter, struct genradix_root *r; struct genradix_node *n; unsigned level, i; + + if (iter->offset == SIZE_MAX) + return NULL; + restart: r = READ_ONCE(radix->root); if (!r) @@ -184,10 +188,17 @@ void *__genradix_iter_peek(struct genradix_iter *iter, (GENRADIX_ARY - 1); while (!n->children[i]) { + size_t objs_per_ptr = genradix_depth_size(level); + + if (iter->offset + objs_per_ptr < iter->offset) { + iter->offset = SIZE_MAX; + iter->pos = SIZE_MAX; + return NULL; + } + i++; - iter->offset = round_down(iter->offset + - genradix_depth_size(level), - genradix_depth_size(level)); + iter->offset = round_down(iter->offset + objs_per_ptr, + objs_per_ptr); iter->pos = (iter->offset >> PAGE_SHIFT) * objs_per_page; if (i == GENRADIX_ARY) -- 2.40.1
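Review bot: In the __genradix_iter_advance() hunk (include/linux/generic-radix-tree.h), the new branch turns SIZE_MAX into a reserved end-of-iteration value for both iter->offset and iter->pos, but nothing in the header documents that. A one-line comment above the check saying that a saturated iterator is terminal and that __genradix_iter_peek() returns NULL for it would make the contract visible to callers that read iter->pos directly. The same three-line saturate sequence is repeated in the while (!n->children[i]) loop in lib/generic-radix-tree.c; a small static inline helper shared by both sites would keep them from drifting apart. The subject line mentions only peek(), so the commit message should also say that advance() now saturates.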
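Review bot: The early return added at the top of __genradix_iter_peek() (first hunk in lib/generic-radix-tree.c) tests only for the exact value SIZE_MAX, so its correctness depends on every offset update that can wrap having stored the sentinel first. Please add a comment at "if (iter->offset == SIZE_MAX)" naming the places that produce it (the saturating branch in __genradix_iter_advance() and the one in the loop further down), so that anyone adding another offset adjustment later knows it has to saturate as well. Placing the check before the restart: label is fine as far as this function goes, since the saturating path in the loop returns NULL rather than jumping back.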
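Review bot: In the while (!n->children[i]) hunk, the new local objs_per_ptr is misnamed. It is added to iter->offset, which the following line treats as a byte offset (iter->offset >> PAGE_SHIFT), so it holds a byte count per child pointer, not an object count, and it sits two lines above objs_per_page, which is a count of objects. A name such as bytes_per_ptr would avoid a unit mix-up in later edits. The wrap test itself is sufficient for the store that follows: round_down() of a sum that did not wrap cannot exceed that sum, so checking "iter->offset + objs_per_ptr < iter->offset" before the assignment covers it.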