[RHEL7,COMMIT] fs/fuse kio: int overflow while calculation of pos in map_truncate_tail()

Submitted by Vasily Averin on Aug. 25, 2020, 8:26 a.m.

Details

Message ID 202008250826.07P8QZPS026090@vz7build.vvs.sw.ru
State New
Series "fs/fuse kio: int overflow while calculation of pos in map_truncate_tail()"

Commit Message

Vasily Averin Aug. 25, 2020, 8:26 a.m.
The commit is pushed to "branch-rh7-3.10.0-1127.8.2.vz7.158.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.8.2.vz7.158.7
------>
commit b1e6ba1b2e4cadaee08d140e4153462f14a6597b
Author: Ildar Ismagilov <Ildar.Ismagilov@acronis.com>
Date:   Tue Aug 25 11:26:35 2020 +0300

    fs/fuse kio: int overflow while calculation of pos in map_truncate_tail()
    
    The pos is calculated as follows:
    unsigned long pos = DIV_ROUND_UP(offset /*u64*/, 1 << mapping->chunk_size_bits);
    
    And if chunk_size_bits is greater than or equal to 31, the pos is calculated
    incorrectly due to int (1 << mapping->chunk_size_bits) overflow.
    As an example, 1 << 31 == -2147483648.
    
    This leads to IO using a dead map.
    
    https://pmc.acronis.com/browse/VSTOR-36154
    Signed-off-by: Ildar Ismagilov <Ildar.Ismagilov@acronis.com>
    Reviewed-by: Ildar Ismagilov <Ildar.Ismagilov@acronis.com>
---
 fs/fuse/kio/pcs/pcs_map.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/fs/fuse/kio/pcs/pcs_map.c b/fs/fuse/kio/pcs/pcs_map.c
index 502e1b1..8f2ca5c 100644
--- a/fs/fuse/kio/pcs/pcs_map.c
+++ b/fs/fuse/kio/pcs/pcs_map.c
@@ -242,7 +242,7 @@  void pcs_mapping_dump(struct pcs_mapping * mapping)
 
 void map_truncate_tail(struct pcs_mapping * mapping, u64 offset)
 {
-	unsigned long pos = DIV_ROUND_UP(offset, 1 << mapping->chunk_size_bits);
+	unsigned long pos = DIV_ROUND_UP(offset, 1ULL << mapping->chunk_size_bits);
 	struct pcs_map_entry *maps[MAP_BATCH];
 	int nr_maps;
 	LIST_HEAD(dispose);
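
Review bot: In the changed initializer of pos in map_truncate_tail(), the shift is now done in 64 bits, but nothing visible in this hunk bounds mapping->chunk_size_bits, so a value of 64 or more would still be an undefined shift; a range check where chunk_size_bits is set, or a comment stating its valid range, would close that. Because the divisor is always a power of two, the rounding could also be written as a shift, `(offset + (1ULL << mapping->chunk_size_bits) - 1) >> mapping->chunk_size_bits`, which avoids a 64-bit division. Note that DIV_ROUND_UP adds the divisor minus one to offset before dividing, so an offset near the top of the u64 range wraps, and that the result is stored in an `unsigned long`, which holds the full quotient only on 64-bit builds. It is also worth checking the rest of pcs_map.c for other `1 << mapping->chunk_size_bits` expressions combined with u64 values, since they would have the same problem.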