From: Coly Li <colyli@suse.de>
To: axboe@kernel.dk
Cc: linux-block@vger.kernel.org, linux-bcache@vger.kernel.org,
Coly Li <colyli@suse.de>, Ken Raeburn <raeburn@redhat.com>,
stable@vger.kernel.org
Subject: [PATCH 08/25] bcache: fix overflow in offset_to_stripe()
Date: Sat, 25 Jul 2020 20:00:22 +0800 [thread overview]
Message-ID: <20200725120039.91071-9-colyli@suse.de> (raw)
In-Reply-To: <20200725120039.91071-1-colyli@suse.de>
offset_to_stripe() returns the stripe number (in type unsigned int) from
an offset (in type uint64_t) by the following calculation,
do_div(offset, d->stripe_size);
For large capacity backing device (e.g. 18TB) with small stripe size
(e.g. 4KB), the result is 4831838208 and exceeds UINT_MAX. The actual
returned value which caller receives is 536870912, due to the overflow.
Indeed in bcache_device_init(), bcache_device->nr_stripes is limited in
range [1, INT_MAX]. Therefore all valid stripe numbers in bcache are
in range [0, bcache_dev->nr_stripes - 1].
This patch adds a upper limition check in offset_to_stripe(): the max
valid stripe number should be less than bcache_device->nr_stripes. If
the calculated stripe number from do_div() is equal to or larger than
bcache_device->nr_stripe, -EINVAL will be returned. (Normally nr_stripes
is less than INT_MAX, exceeding upper limitation doesn't mean overflow,
therefore -EOVERFLOW is not used as error code.)
This patch also changes nr_stripes' type of struct bcache_device from
'unsigned int' to 'int', and return value type of offset_to_stripe()
from 'unsigned int' to 'int', to match their exact data ranges.
All locations where bcache_device->nr_stripes and offset_to_stripe() are
referenced also get updated for the above type change.
Reported-and-tested-by: Ken Raeburn <raeburn@redhat.com>
Signed-off-by: Coly Li <colyli@suse.de>
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1783075
Cc: stable@vger.kernel.org
---
drivers/md/bcache/bcache.h | 2 +-
drivers/md/bcache/writeback.c | 14 +++++++++-----
drivers/md/bcache/writeback.h | 19 +++++++++++++++++--
3 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
index 221e0191b687..80e3c4813fb0 100644
--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -264,7 +264,7 @@ struct bcache_device {
#define BCACHE_DEV_UNLINK_DONE 2
#define BCACHE_DEV_WB_RUNNING 3
#define BCACHE_DEV_RATE_DW_RUNNING 4
- unsigned int nr_stripes;
+ int nr_stripes;
unsigned int stripe_size;
atomic_t *stripe_sectors_dirty;
unsigned long *full_dirty_stripes;
diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
index 5397a2c5d6cc..4f4ad6b3d43a 100644
--- a/drivers/md/bcache/writeback.c
+++ b/drivers/md/bcache/writeback.c
@@ -521,15 +521,19 @@ void bcache_dev_sectors_dirty_add(struct cache_set *c, unsigned int inode,
uint64_t offset, int nr_sectors)
{
struct bcache_device *d = c->devices[inode];
- unsigned int stripe_offset, stripe, sectors_dirty;
+ unsigned int stripe_offset, sectors_dirty;
+ int stripe;
if (!d)
return;
+ stripe = offset_to_stripe(d, offset);
+ if (stripe < 0)
+ return;
+
if (UUID_FLASH_ONLY(&c->uuids[inode]))
atomic_long_add(nr_sectors, &c->flash_dev_dirty_sectors);
- stripe = offset_to_stripe(d, offset);
stripe_offset = offset & (d->stripe_size - 1);
while (nr_sectors) {
@@ -569,12 +573,12 @@ static bool dirty_pred(struct keybuf *buf, struct bkey *k)
static void refill_full_stripes(struct cached_dev *dc)
{
struct keybuf *buf = &dc->writeback_keys;
- unsigned int start_stripe, stripe, next_stripe;
+ unsigned int start_stripe, next_stripe;
+ int stripe;
bool wrapped = false;
stripe = offset_to_stripe(&dc->disk, KEY_OFFSET(&buf->last_scanned));
-
- if (stripe >= dc->disk.nr_stripes)
+ if (stripe < 0)
stripe = 0;
start_stripe = stripe;
diff --git a/drivers/md/bcache/writeback.h b/drivers/md/bcache/writeback.h
index b029843ce5b6..3f1230e22de0 100644
--- a/drivers/md/bcache/writeback.h
+++ b/drivers/md/bcache/writeback.h
@@ -52,10 +52,22 @@ static inline uint64_t bcache_dev_sectors_dirty(struct bcache_device *d)
return ret;
}
-static inline unsigned int offset_to_stripe(struct bcache_device *d,
+static inline int offset_to_stripe(struct bcache_device *d,
uint64_t offset)
{
do_div(offset, d->stripe_size);
+
+ /* d->nr_stripes is in range [1, INT_MAX] */
+ if (unlikely(offset >= d->nr_stripes)) {
+ pr_err("Invalid stripe %llu (>= nr_stripes %d).\n",
+ offset, d->nr_stripes);
+ return -EINVAL;
+ }
+
+ /*
+ * Here offset is definitly smaller than INT_MAX,
+ * return it as int will never overflow.
+ */
return offset;
}
@@ -63,7 +75,10 @@ static inline bool bcache_dev_stripe_dirty(struct cached_dev *dc,
uint64_t offset,
unsigned int nr_sectors)
{
- unsigned int stripe = offset_to_stripe(&dc->disk, offset);
+ int stripe = offset_to_stripe(&dc->disk, offset);
+
+ if (stripe < 0)
+ return false;
while (1) {
if (atomic_read(dc->disk.stripe_sectors_dirty + stripe))
--
2.26.2
next prev parent reply other threads:[~2020-07-25 12:03 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-25 12:00 [PATCH 00/25] bcache patches for Linux v5.9 Coly Li
2020-07-25 12:00 ` [PATCH 01/25] bcache: Fix typo in Kconfig name Coly Li
2020-07-25 12:00 ` [PATCH 02/25] bcache: allocate meta data pages as compound pages Coly Li
2020-07-25 12:00 ` [PATCH 03/25] bcache: journel: use for_each_clear_bit() to simplify the code Coly Li
2020-07-25 12:00 ` [PATCH 04/25] bcache: writeback: Remove unneeded variable i Coly Li
2020-07-25 12:00 ` [PATCH 05/25] bcache: movinggc: Use struct_size() helper in kzalloc() Coly Li
2020-07-25 12:00 ` [PATCH 06/25] bcache: Use struct_size() " Coly Li
2020-07-25 12:00 ` [PATCH 07/25] bcache: avoid nr_stripes overflow in bcache_device_init() Coly Li
2020-07-27 21:24 ` Sasha Levin
2020-07-25 12:00 ` Coly Li [this message]
2020-07-27 21:24 ` [PATCH 08/25] bcache: fix overflow in offset_to_stripe() Sasha Levin
2020-07-25 12:00 ` [PATCH 09/25] bcache: add read_super_common() to read major part of super block Coly Li
2020-07-25 12:00 ` [PATCH 10/25] bcache: add more accurate error information in read_super_common() Coly Li
2020-07-25 12:00 ` [PATCH 11/25] bcache: disassemble the big if() checks in bch_cache_set_alloc() Coly Li
2020-07-25 12:00 ` [PATCH 12/25] bcache: fix super block seq numbers comparision in register_cache_set() Coly Li
2020-07-25 12:00 ` [PATCH 13/25] bcache: increase super block version for cache device and backing device Coly Li
2020-07-25 12:00 ` [PATCH 14/25] bcache: move bucket related code into read_super_common() Coly Li
2020-07-25 12:00 ` [PATCH 15/25] bcache: struct cache_sb is only for in-memory super block now Coly Li
2020-07-25 12:00 ` [PATCH 16/25] bcache: introduce meta_bucket_pages() related helper routines Coly Li
2020-07-25 12:00 ` [PATCH 17/25] bcache: handle c->uuids properly for bucket size > 8MB Coly Li
2020-07-25 12:00 ` [PATCH 18/25] bcache: handle cache prio_buckets and disk_buckets " Coly Li
2020-07-25 12:00 ` [PATCH 19/25] bcache: handle cache set verify_ondisk " Coly Li
2020-07-25 12:00 ` [PATCH 20/25] bcache: handle btree node memory allocation " Coly Li
2020-07-25 12:00 ` [PATCH 21/25] bcache: add bucket_size_hi into struct cache_sb_disk for large bucket Coly Li
2020-07-25 12:00 ` [PATCH 22/25] bcache: add sysfs file to display feature sets information of cache set Coly Li
2020-07-25 12:00 ` [PATCH 23/25] bcache: avoid extra memory allocation from mempool c->fill_iter Coly Li
2020-07-25 12:00 ` [PATCH 24/25] bcache: avoid extra memory consumption in struct bbio for large bucket size Coly Li
2020-07-25 12:00 ` [PATCH 25/25] bcache: fix bio_{start,end}_io_acct with proper device Coly Li
2020-07-26 15:07 ` Christoph Hellwig
2020-07-25 13:39 ` [PATCH 00/25] bcache patches for Linux v5.9 Jens Axboe
2020-07-28 12:14 ` Christoph Hellwig
2020-07-28 12:40 ` Coly Li
2020-07-28 12:41 ` Christoph Hellwig
2020-07-28 15:13 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200725120039.91071-9-colyli@suse.de \
--to=colyli@suse.de \
--cc=axboe@kernel.dk \
--cc=linux-bcache@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=raeburn@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.