[Devel] [PATCH RHEL8 COMMIT] fs/fuse kio: int overflow while calculating pos in map_truncate_tail()
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Oct 15 10:37:38 MSK 2020
The commit is pushed to "branch-rh8-4.18.0-193.6.3.vz8.4.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-193.6.3.vz8.4.13
------>
commit 5c300d6f18a9b4c6c81d1a05e6ce307f42eda468
Author: Ildar Ismagilov <Ildar.Ismagilov at acronis.com>
Date: Thu Oct 15 10:37:38 2020 +0300
fs/fuse kio: int overflow while calculating pos in map_truncate_tail()
The pos is calculated as follows:
unsigned long pos = DIV_ROUND_UP(offset /*u64*/, 1 << mapping->chunk_size_bits);
And if chunk_size_bits is greater than or equal to 31, the pos is calculated
incorrectly due to int (1 << mapping->chunk_size_bits) overflow.
For example, 1 << 31 == -2147483648.
This leads to IO using a dead map.
https://pmc.acronis.com/browse/VSTOR-36154
Signed-off-by: Ildar Ismagilov <Ildar.Ismagilov at acronis.com>
Reviewed-by: Vasily Averin <vvs at virtuozzo.com>
---
fs/fuse/kio/pcs/pcs_map.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
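To make the miscalculation in the commit message concrete, here is an added stand-alone C example (not code from the patch or the vzkernel tree) that reproduces the pre-fix and post-fix arithmetic with a local copy of DIV_ROUND_UP. The offset and the 20- and 31-bit chunk sizes are constructed, and the wrapped int divisor is obtained through an unsigned cast rather than the out-of-range signed shift itself.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Same shape as the kernel's DIV_ROUND_UP in include/linux/kernel.h. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/*
 * Divisor built as an int, as in the pre-fix map_truncate_tail().
 * For chunk_size_bits == 31 the value 1 << 31 does not fit in int; GCC
 * wraps it to INT_MIN (-2147483648), and DIV_ROUND_UP then converts that
 * to u64 as 0xFFFFFFFF80000000. The cast through unsigned reproduces the
 * wrapped value without writing the out-of-range signed shift itself.
 * Only meaningful for chunk_size_bits <= 31.
 */
static u64 pos_before_fix(u64 offset, unsigned int chunk_size_bits)
{
	int chunk_size = (int)(1u << chunk_size_bits);

	return DIV_ROUND_UP(offset, chunk_size);
}

/* Divisor built as unsigned long long, as in the patched line. */
static u64 pos_after_fix(u64 offset, unsigned int chunk_size_bits)
{
	return DIV_ROUND_UP(offset, 1ULL << chunk_size_bits);
}

/* Sanity guard (assumed, not from the patch): the shift must stay in range. */
static int chunk_size_bits_valid(unsigned int chunk_size_bits)
{
	return chunk_size_bits < 8 * sizeof(u64);
}

int main(void)
{
	/* Constructed offset: three full chunks of 2^31 bytes, so pos must be 3. */
	u64 offset = 3ULL << 31;
	unsigned int bits;

	for (bits = 20; bits <= 31; bits += 11)
		printf("chunk_size_bits=%u before=%llu after=%llu\n", bits,
		       (unsigned long long)pos_before_fix(offset, bits),
		       (unsigned long long)pos_after_fix(offset, bits));
	return 0;
}
```

With chunk_size_bits = 31 the pre-fix arithmetic returns 0 instead of 3, so the truncation would address map index 0 rather than the intended one; with 20 bits both forms agree.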
diff --git a/fs/fuse/kio/pcs/pcs_map.c b/fs/fuse/kio/pcs/pcs_map.c
index 0ce6cdf05a0d..1a9f1e9dbc41 100644
--- a/fs/fuse/kio/pcs/pcs_map.c
+++ b/fs/fuse/kio/pcs/pcs_map.c
@@ -242,7 +242,7 @@ void pcs_mapping_dump(struct pcs_mapping * mapping)
void map_truncate_tail(struct pcs_mapping * mapping, u64 offset)
{
- unsigned long pos = DIV_ROUND_UP(offset, 1 << mapping->chunk_size_bits);
+ unsigned long pos = DIV_ROUND_UP(offset, 1ULL << mapping->chunk_size_bits);
struct pcs_map_entry *maps[MAP_BATCH];
int nr_maps;
LIST_HEAD(dispose);
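Review bot: promoting the divisor to 1ULL removes the int overflow for chunk_size_bits >= 31, but DIV_ROUND_UP now performs a u64 / u64 division; on a 32-bit build that expands to a __udivdi3 libcall the kernel does not provide, and the result is still narrowed into `unsigned long pos`. Since the divisor is a power of two, `unsigned long pos = (offset + (1ULL << mapping->chunk_size_bits) - 1) >> mapping->chunk_size_bits;` (or DIV_ROUND_UP_ULL) gives the same rounded-up index without the division; if this kio path is 64-bit only, a short comment saying so would justify keeping the current form.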