From: Matthew Bobrowski <mbobrowski@mbobrowski.org>
To: coverity-bot <keescook@chromium.org>
Cc: Jan Kara <jack@suse.cz>, Theodore Ts'o <tytso@mit.edu>,
Ritesh Harjani <riteshh@linux.ibm.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
linux-next@vger.kernel.org
Subject: Re: Coverity: ext4_iomap_alloc(): Integer handling issues
Date: Tue, 12 Nov 2019 18:22:41 +1100 [thread overview]
Message-ID: <20191112072239.GB15488@bobrowski> (raw)
In-Reply-To: <201911111735.1F45BB0B4@keescook>
On Mon, Nov 11, 2019 at 05:35:44PM -0800, coverity-bot wrote:
> This is an experimental automated report about issues detected by Coverity
> from a scan of next-20191108 as part of the linux-next weekly scan project:
> https://scan.coverity.com/projects/linux-next-weekly-scan
>
> You're getting this email because you were associated with the identified
> lines of code (noted below) that were touched by recent commits:
>
> 378f32bab371 ("ext4: introduce direct I/O write using iomap infrastructure")
>
> Coverity reported the following:
>
> *** CID 1487841: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> /fs/ext4/inode.c: 3388 in ext4_iomap_alloc()
> 3382 /*
> 3383 * We use i_size instead of i_disksize here because delalloc writeback
> 3384 * can complete at any point during the I/O and subsequently push the
> 3385 * i_disksize out to i_size. This could be beyond where direct I/O is
> 3386 * happening and thus expose allocated blocks to direct I/O reads.
> 3387 */
> vvv CID 1487841: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> vvv Potentially overflowing expression "1 << blkbits" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "loff_t" (64 bits, signed).
> 3388 else if ((map->m_lblk * (1 << blkbits)) >= i_size_read(inode))
> 3389 m_flags = EXT4_GET_BLOCKS_CREATE;
> 3390 else if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
> 3391 m_flags = EXT4_GET_BLOCKS_IO_CREATE_EXT;
In the event of an overflow in this specific context, I don't think it
would matter too much to be perfectly honest. If 'blkbits' were to
actually ever push out the signed integer to a value that couldn't be
represented by this data type, I would expect the resulting wrapping
behaviour to _only_ affect how filesystem blocks are allocated. In
that case, I/O workloads would behave alot differently, and at that
point I would hope that our filesystem related testing infrastructure
would pick this up before allowing anything to leak out into the
wild...
Unless my trail of thought is wrong? Happy to be corrected here and
educated on this.
/M
next prev parent reply other threads:[~2019-11-12 7:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-12 1:35 Coverity: ext4_iomap_alloc(): Integer handling issues coverity-bot
2019-11-12 7:22 ` Matthew Bobrowski [this message]
2019-11-12 11:00 ` Jan Kara
2019-11-12 20:56 ` Kees Cook
2019-11-12 21:28 ` Matthew Bobrowski
2019-11-12 22:17 ` Kees Cook
2019-11-13 4:38 ` Matthew Bobrowski
2019-11-13 9:37 ` Jan Kara
2019-11-13 18:38 ` Kees Cook
2019-11-14 8:58 ` Jan Kara
2019-11-14 18:43 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191112072239.GB15488@bobrowski \
--to=mbobrowski@mbobrowski.org \
--cc=gustavo@embeddedor.com \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-next@vger.kernel.org \
--cc=riteshh@linux.ibm.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox