[Devel] [PATCH RHEL8 COMMIT] cbt: endless loop on rollback in blk_cbt_snap_create()

[Konstantin Khorenko]

The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.34
------>
commit f1c7d264f91f248bb7d1f286ba1ccd71c963c813
Author: Vasily Averin <vvs at virtuozzo.com>
Date:   Wed Jun 2 19:47:59 2021 +0300

    cbt: endless loop on rollback in blk_cbt_snap_create()
    
    taken from vz7 commit faed6a011b
    ("cbt: endless loop on rollback in blk_cbt_map_copy_once")
    
    found by smatch:
        block/blk-cbt.c:359 blk_cbt_map_copy_once() warn:
        always true condition '(--i >= 0) => (0-u64max >= 0)'
    
    It leads to endless loop on rollback.
    https://jira.sw.ru/browse/PSBM-104530
    
    VvS: in vz8 the same problem was found in blk_cbt_snap_create()
    
    Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
    Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 block/blk-cbt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/blk-cbt.c b/block/blk-cbt.c
index 43bb0cd017cd..97f692fbbefe 100644
--- a/block/blk-cbt.c
+++ b/block/blk-cbt.c
@@ -376,7 +376,8 @@ static int copy_cbt_to_user(struct page **map, unsigned long size,
 static int blk_cbt_snap_create(struct request_queue *q, __u8 *uuid,
 			       struct blk_user_cbt_snap_create __user *arg)
 {
-	unsigned long npages, i, size;
+	unsigned long size;
+	long npages, i;
 	__u64 to_addr, to_size;
 	struct cbt_info *cbt;
 	struct page **map;