[18/20] lib/generic-radix-tree.c: Don't overflow in peek()

Message ID	20230712211115.2174650-19-kent.overstreet@linux.dev (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@vger.kernel.org> From: Kent Overstreet <kent.overstreet@linux.dev> To: linux-bcachefs@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kent Overstreet <kent.overstreet@gmail.com>, Kent Overstreet <kent.overstreet@linux.dev> Subject: [PATCH 18/20] lib/generic-radix-tree.c: Don't overflow in peek() Date: Wed, 12 Jul 2023 17:11:13 -0400 Message-Id: <20230712211115.2174650-19-kent.overstreet@linux.dev> In-Reply-To: <20230712211115.2174650-1-kent.overstreet@linux.dev> References: <20230712211115.2174650-1-kent.overstreet@linux.dev> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	bcachefs prereqs patch series \| expand [00/20] bcachefs prereqs patch series [01/20] sched: Add task_struct->faults_disabled_mapping [02/20] fs: factor out d_mark_tmpfile() [03/20] iov_iter: Handle compound highmem pages in copy_page_from_iter_atomic() [04/20] block: Add some exports for bcachefs [05/20] block: Allow bio_iov_iter_get_pages() with bio->bi_bdev unset [06/20] block: Bring back zero_fill_bio_iter [07/20] block: Don't block on s_umount from __invalidate_super() [08/20] stacktrace: Export stack_trace_save_tsk [09/20] lib/string_helpers: string_get_size() now returns characters wrote [10/20] lib: Export errname [11/20] locking/osq: Export osq_(lock\|unlock) [12/20] bcache: move closures to lib/ [13/20] MAINTAINERS: Add entry for closures [14/20] closures: closure_wait_event() [15/20] closures: closure_nr_remaining() [16/20] closures: Add a missing include [17/20] MAINTAINERS: Add entry for generic-radix-tree [18/20] lib/generic-radix-tree.c: Don't overflow in peek() [19/20] lib/generic-radix-tree.c: Add a missing include [20/20] lib/generic-radix-tree.c: Add peek_prev()

Message ID

20230712211115.2174650-19-kent.overstreet@linux.dev (mailing list archive)

State

New, archived

Headers

From: Kent Overstreet <kent.overstreet@linux.dev>
To: linux-bcachefs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org
Cc: Kent Overstreet <kent.overstreet@gmail.com>,
        Kent Overstreet <kent.overstreet@linux.dev>
Subject: [PATCH 18/20] lib/generic-radix-tree.c: Don't overflow in peek()
Date: Wed, 12 Jul 2023 17:11:13 -0400
Message-Id: <20230712211115.2174650-19-kent.overstreet@linux.dev>
In-Reply-To: <20230712211115.2174650-1-kent.overstreet@linux.dev>
References: <20230712211115.2174650-1-kent.overstreet@linux.dev>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

bcachefs prereqs patch series | expand

Commit Message

Kent Overstreet July 12, 2023, 9:11 p.m. UTC

From: Kent Overstreet <kent.overstreet@gmail.com>

When we started spreading new inode numbers throughout most of the 64
bit inode space, that triggered some corner case bugs, in particular
some integer overflows related to the radix tree code. Oops.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
---
 include/linux/generic-radix-tree.h |  6 ++++++
 lib/generic-radix-tree.c           | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/include/linux/generic-radix-tree.h b/include/linux/generic-radix-tree.h
index 107613f7d7..63080822dc 100644
--- a/include/linux/generic-radix-tree.h
+++ b/include/linux/generic-radix-tree.h
@@ -184,6 +184,12 @@  void *__genradix_iter_peek(struct genradix_iter *, struct __genradix *, size_t);
 static inline void __genradix_iter_advance(struct genradix_iter *iter,
 					   size_t obj_size)
 {
+	if (iter->offset + obj_size < iter->offset) {
+		iter->offset	= SIZE_MAX;
+		iter->pos	= SIZE_MAX;
+		return;
+	}
+
 	iter->offset += obj_size;
 
 	if (!is_power_of_2(obj_size) &&
diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c
index f25eb111c0..7dfa88282b 100644
--- a/lib/generic-radix-tree.c
+++ b/lib/generic-radix-tree.c
@@ -166,6 +166,10 @@  void *__genradix_iter_peek(struct genradix_iter *iter,
 	struct genradix_root *r;
 	struct genradix_node *n;
 	unsigned level, i;
+
+	if (iter->offset == SIZE_MAX)
+		return NULL;
+
 restart:
 	r = READ_ONCE(radix->root);
 	if (!r)
@@ -184,10 +188,17 @@  void *__genradix_iter_peek(struct genradix_iter *iter,
 			(GENRADIX_ARY - 1);
 
 		while (!n->children[i]) {
+			size_t objs_per_ptr = genradix_depth_size(level);
+
+			if (iter->offset + objs_per_ptr < iter->offset) {
+				iter->offset	= SIZE_MAX;
+				iter->pos	= SIZE_MAX;
+				return NULL;
+			}
+
 			i++;
-			iter->offset = round_down(iter->offset +
-					   genradix_depth_size(level),
-					   genradix_depth_size(level));
+			iter->offset = round_down(iter->offset + objs_per_ptr,
+						  objs_per_ptr);
 			iter->pos = (iter->offset >> PAGE_SHIFT) *
 				objs_per_page;
 			if (i == GENRADIX_ARY)

[18/20] lib/generic-radix-tree.c: Don't overflow in peek()

Commit Message

Patch