From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nicolai Stange <nicstange@gmail.com>,
Theodore Tso <tytso@mit.edu>
Subject: [PATCH 4.5 096/128] ext4: silence UBSAN in ext4_mb_init()
Date: Sun, 5 Jun 2016 15:24:11 -0700 [thread overview]
Message-ID: <20160605222324.251269007@linuxfoundation.org> (raw)
In-Reply-To: <20160605222321.183131188@linuxfoundation.org>
4.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolai Stange <nicstange@gmail.com>
commit 935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.
Currently, in ext4_mb_init(), there's a loop like the following:
do {
...
offset += 1 << (sb->s_blocksize_bits - i);
i++;
} while (i <= sb->s_blocksize_bits + 1);
Note that the updated offset is used in the loop's next iteration only.
However, at the last iteration, that is at i == sb->s_blocksize_bits + 1,
the shift count becomes equal to (unsigned)-1 > 31 (c.f. C99 6.5.7(3))
and UBSAN reports
UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
shift exponent 4294967295 is too large for 32-bit type 'int'
[...]
Call Trace:
[<ffffffff818c4d25>] dump_stack+0xbc/0x117
[<ffffffff818c4c69>] ? _atomic_dec_and_lock+0x169/0x169
[<ffffffff819411ab>] ubsan_epilogue+0xd/0x4e
[<ffffffff81941cac>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
[<ffffffff81941ab1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
[<ffffffff814b6dc1>] ? kmem_cache_alloc+0x101/0x390
[<ffffffff816fc13b>] ? ext4_mb_init+0x13b/0xfd0
[<ffffffff814293c7>] ? create_cache+0x57/0x1f0
[<ffffffff8142948a>] ? create_cache+0x11a/0x1f0
[<ffffffff821c2168>] ? mutex_lock+0x38/0x60
[<ffffffff821c23ab>] ? mutex_unlock+0x1b/0x50
[<ffffffff814c26ab>] ? put_online_mems+0x5b/0xc0
[<ffffffff81429677>] ? kmem_cache_create+0x117/0x2c0
[<ffffffff816fcc49>] ext4_mb_init+0xc49/0xfd0
[...]
Observe that the mentioned shift exponent, 4294967295, equals (unsigned)-1.
Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of offset is never used again.
Silence UBSAN by introducing another variable, offset_incr, holding the
next increment to apply to offset and adjust that one by right shifting it
by one position per loop iteration.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2578,7 +2578,7 @@ int ext4_mb_init(struct super_block *sb)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
unsigned i, j;
- unsigned offset;
+ unsigned offset, offset_incr;
unsigned max;
int ret;
@@ -2607,11 +2607,13 @@ int ext4_mb_init(struct super_block *sb)
i = 1;
offset = 0;
+ offset_incr = 1 << (sb->s_blocksize_bits - 1);
max = sb->s_blocksize << 2;
do {
sbi->s_mb_offsets[i] = offset;
sbi->s_mb_maxs[i] = max;
- offset += 1 << (sb->s_blocksize_bits - i);
+ offset += offset_incr;
+ offset_incr = offset_incr >> 1;
max = max >> 1;
i++;
} while (i <= sb->s_blocksize_bits + 1);
next prev parent reply other threads:[~2016-06-06 14:34 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-05 22:22 [PATCH 4.5 000/128] 4.5.7-stable review Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 001/128] MIPS64: R6: R2 emulation bugfix Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 002/128] MIPS: math-emu: Fix jalr emulation when rd == $0 Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 003/128] MIPS: MSA: Fix a link error on `_init_msa_upper with older GCC Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 004/128] MIPS: Dont unwind to user mode with EVA Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 005/128] MIPS: Avoid using unwind_stack() with usermode Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 006/128] MIPS: Fix siginfo.h to use strict posix types Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 007/128] MIPS: Fix uapi include in exported asm/siginfo.h Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 008/128] MIPS: Fix watchpoint restoration Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 009/128] MIPS: Handle highmem pages in __update_cache Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 010/128] MIPS: Sync icache & dcache in set_pte_at Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 011/128] MIPS: Loongson-3: Fix build error after ld-version.sh modification Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 012/128] MIPS: ath79: make bootconsole wait for both THRE and TEMT Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 013/128] MIPS: Reserve nosave data for hibernation Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 014/128] MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 015/128] MIPS: Use copy_s.fmt rather than copy_u.fmt Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 016/128] MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 017/128] MIPS: Prevent "restoration" of MSA context in non-MSA kernels Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 018/128] MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...) Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 019/128] MIPS: ptrace: Fix FP context restoration FCSR regression Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 020/128] MIPS: ptrace: Prevent writes to read-only FCSR bits Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 021/128] MIPS: Fix sigreturn via VDSO on microMIPS kernel Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 022/128] MIPS: Build microMIPS VDSO for microMIPS kernels Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 023/128] MIPS: lib: Mark intrinsics notrace Greg Kroah-Hartman
2016-06-05 22:22 ` [PATCH 4.5 024/128] MIPS: VDSO: Build with `-fno-strict-aliasing Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 025/128] affs: fix remount failure when there are no options changed Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 026/128] ASoC: ak4642: Enable cache usage to fix crashes on resume Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 027/128] Input: uinput - handle compat ioctl for UI_SET_PHYS Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 028/128] Input: xpad - move pending clear to the correct location Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 029/128] Input: xpad - prevent spurious input from wired Xbox 360 controllers Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 030/128] ARM: sun4i: dt: Enable dram gate 5 (tve0 clock) for simplefb TV output Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 031/128] ARM: sun7i: " Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 032/128] ARM: mvebu: fix GPIO config on the Linksys boards Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 033/128] ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 034/128] ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 035/128] ARM: dts: imx35: restore existing used clock enumeration Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 036/128] ath9k: Add a module parameter to invert LED polarity Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 037/128] ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 038/128] ath10k: fix debugfs pktlog_filter write Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 039/128] ath10k: fix firmware assert in monitor mode Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 040/128] ath10k: fix rx_channel during hw reconfigure Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 041/128] ath10k: fix kernel panic, move arvifs list head init before htt init Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 042/128] ath5k: Change led pin configuration for compaq c700 laptop Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 043/128] hwrng: exynos - Fix unbalanced PM runtime put on timeout error path Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 044/128] rtlwifi: rtl8723be: Add antenna select module parameter Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 045/128] rtlwifi: btcoexist: Implement antenna selection Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 046/128] rtlwifi: Fix logic error in enter/exit power-save mode Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 047/128] rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 048/128] Revert "lpfc: Delete unnecessary checks before the function call mempool_destroy" Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 049/128] aacraid: Relinquish CPU during timeout wait Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 050/128] aacraid: Fix for aac_command_thread hang Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 051/128] aacraid: Fix for KDUMP driver hang Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 052/128] regulator: Try to resolve regulators supplies on registration Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 053/128] hwmon: (ads7828) Enable internal reference Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 054/128] mfd: intel-lpss: Save register context on suspend Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 056/128] PM / Runtime: Fix error path in pm_runtime_force_resume() Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 057/128] cpuidle: Indicate when a device has been unregistered Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 058/128] cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter() Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 059/128] clk: bcm2835: Fix PLL poweron Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 060/128] clk: at91: fix check of clk_register() returned value Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 061/128] clk: bcm2835: pll_off should only update CM_PLL_ANARST Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 062/128] clk: bcm2835: divider value has to be 1 or more Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 063/128] clk: bcm2835: correctly enable fractional clock support Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 064/128] pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 065/128] PCI: Disable all BAR sizing for devices with non-compliant BARs Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 066/128] [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32 Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 067/128] mm: use phys_addr_t for reserve_bootmem_region() arguments Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 068/128] wait/ptrace: assume __WALL if the child is traced Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 069/128] QE-UART: add "fsl,t1040-ucc-uart" to of_device_id Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 070/128] powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 071/128] powerpc/eeh: Dont report error in eeh_pe_reset_and_recover() Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 072/128] Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell" Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 073/128] powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover() Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 074/128] xen/events: Dont move disabled irqs Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 075/128] xen: use same main loop for counting and remapping pages Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 077/128] drm/gma500: Fix possible out of bounds read Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 078/128] drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 079/128] drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 080/128] drm/vmwgfx: Fix order of operation Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 081/128] drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 082/128] drm/amdgpu: Fix hdmi deep color support Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 083/128] drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config() Greg Kroah-Hartman
2016-06-05 22:23 ` [PATCH 4.5 084/128] drm/fb_helper: Fix references to dev->mode_config.num_connector Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 085/128] drm/atomic: Verify connector->funcs != NULL when clearing states Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 086/128] Bluetooth: 6lowpan: Fix memory corruption of ipv6 destination address Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 091/128] ext4: fix hang when processing corrupted orphaned inode list Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 092/128] ext4: clean up error handling when orphan list is corrupted Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 093/128] ext4: fix check of dqget() return value in ext4_ioctl_setproject() Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 094/128] ext4: fix oops on corrupted filesystem Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 095/128] ext4: address UBSAN warning in mb_find_order_for_block() Greg Kroah-Hartman
2016-06-05 22:24 ` Greg Kroah-Hartman [this message]
2016-06-05 22:24 ` [PATCH 4.5 097/128] nfs: avoid race that crashes nfs_init_commit Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 098/128] PM / sleep: Handle failures in device_suspend_late() consistently Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 100/128] scripts/package/Makefile: rpmbuild add support of RPMOPTS Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 101/128] mm: thp: avoid false positive VM_BUG_ON_PAGE in page_move_anon_rmap() Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 102/128] gcov: disable tree-loop-im to reduce stack usage Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 103/128] xfs: disallow rw remount on fs with unknown ro-compat features Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 104/128] xfs: Dont wrap growfs AGFL indexes Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 105/128] xfs: xfs_iflush_cluster fails to abort on error Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 106/128] xfs: fix inode validity check in xfs_iflush_cluster Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 107/128] xfs: skip stale inodes " Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 108/128] btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in btrfs_ioctl Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 109/128] Btrfs: do not create empty block group if we have allocated data Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 110/128] btrfs: allow balancing to dup with multi-device Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 111/128] btrfs: fix mixed block count of available space Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 112/128] btrfs: avoid overflowing f_bfree Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 113/128] btrfs: fix lock dep warning, move scratch dev out of device_list_mutex and uuid_mutex Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 114/128] btrfs: add read-only check to sysfs handler of features Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 115/128] btrfs: add check to sysfs handler of label Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 116/128] Btrfs: fix divide error upon chunks stripe_len Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 117/128] Btrfs: remove BUG_ON()s in btrfs_map_block Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 118/128] btrfs: fix lock dep warning move scratch super outside of chunk_mutex Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 119/128] btrfs: add write protection to SET_FEATURES ioctl Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 120/128] btrfs: fix int32 overflow in shrink_delalloc() Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 122/128] btrfs: fix memory leak during RAID 5/6 device replacement Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 123/128] btrfs: pass the right error code to the btrfs_std_error Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 125/128] Btrfs: fix empty symlink after creating symlink and fsync parent dir Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 126/128] Btrfs: fix unexpected return value of fiemap Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 127/128] btrfs: scrub: Set bbio to NULL before calling btrfs_map_block Greg Kroah-Hartman
2016-06-05 22:24 ` [PATCH 4.5 128/128] btrfs: make state preallocation more speculative in __set_extent_bit Greg Kroah-Hartman
2016-06-06 17:28 ` [PATCH 4.5 000/128] 4.5.7-stable review Shuah Khan
2016-06-07 13:38 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160605222324.251269007@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nicstange@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).