| Message ID | 20240410193642.1303741-1-leitao@debian.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | blk-iocost: Fix shift-out-of-bounds in iocg_kick_delay() | expand |
Hello, Breno. On Wed, Apr 10, 2024 at 12:36:41PM -0700, Breno Leitao wrote: > When running iocg_kick_delay(), iocg->delay_at could be way behind "now", > which causes a huge tdelta difference. > > The tdelta value is used to shift some bits around, raising the > following UBSAN splat: > > UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 > > Debugging this, these are some values I got in my machine with 6.9-rc3. > > now = 3626064295 > iocg->delay_at = 3275794093 > > Fix this by validating that the shift if valid, otherwise bail out, > similarly to commit 2a427b49d029 ("blk-iocost: Fix an UBSAN > shift-out-of-bounds warning") Rik alreaady sent a fix: http://lkml.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com which got commited as beaa51b36012fad5a4d3c18b88a617aea7a9b96d. Thanks.
On Wed, Apr 10, 2024 at 09:53:52AM -1000, Tejun Heo wrote: > Hello, Breno. > > On Wed, Apr 10, 2024 at 12:36:41PM -0700, Breno Leitao wrote: > > When running iocg_kick_delay(), iocg->delay_at could be way behind "now", > > which causes a huge tdelta difference. > > > > The tdelta value is used to shift some bits around, raising the > > following UBSAN splat: > > > > UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 > > > > Debugging this, these are some values I got in my machine with 6.9-rc3. > > > > now = 3626064295 > > iocg->delay_at = 3275794093 > > > > Fix this by validating that the shift if valid, otherwise bail out, > > similarly to commit 2a427b49d029 ("blk-iocost: Fix an UBSAN > > shift-out-of-bounds warning") > > Rik alreaady sent a fix: > > http://lkml.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com > > which got commited as beaa51b36012fad5a4d3c18b88a617aea7a9b96d. Even easier then. Thanks!
diff --git a/block/blk-iocost.c b/block/blk-iocost.c index 9a85bfbbc45a..398fe19db4ca 100644 --- a/block/blk-iocost.c +++ b/block/blk-iocost.c @@ -1347,7 +1347,7 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) { struct ioc *ioc = iocg->ioc; struct blkcg_gq *blkg = iocg_to_blkg(iocg); - u64 tdelta, delay, new_delay; + u64 tdelta, delay, new_delay, shift; s64 vover, vover_pct; u32 hwa; @@ -1362,8 +1362,13 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now) /* calculate the current delay in effect - 1/2 every second */ tdelta = now->now - iocg->delay_at; + + shift = div64_u64(tdelta, USEC_PER_SEC); + if (shift >= BITS_PER_LONG) + return false; + if (iocg->delay) - delay = iocg->delay >> div64_u64(tdelta, USEC_PER_SEC); + delay = iocg->delay >> shift; else delay = 0;
When running iocg_kick_delay(), iocg->delay_at could be way behind "now", which causes a huge tdelta difference. The tdelta value is used to shift some bits around, raising the following UBSAN splat: UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 Debugging this, these are some values I got in my machine with 6.9-rc3. now = 3626064295 iocg->delay_at = 3275794093 Fix this by validating that the shift if valid, otherwise bail out, similarly to commit 2a427b49d029 ("blk-iocost: Fix an UBSAN shift-out-of-bounds warning") Signed-off-by: Breno Leitao <leitao@debian.org> --- block/blk-iocost.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)