public inbox for linux-kernel@vger.kernel.org
* [PATCH 0/2] xfs: fix potential integer overflow in sort comparators
@ 2026-03-28 17:34 Yuto Ohnuki
  2026-03-28 17:34 ` [PATCH 1/2] xfs: fix integer overflow in deferred intent " Yuto Ohnuki
  2026-03-28 17:34 ` [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator Yuto Ohnuki
  0 siblings, 2 replies; 5+ messages in thread
From: Yuto Ohnuki @ 2026-03-28 17:34 UTC (permalink / raw)
  To: Carlos Maiolino
  Cc: Dave Chinner, Darrick J . Wong, linux-xfs, linux-kernel,
	Yuto Ohnuki

Several sort comparators in XFS subtract two uint32_t values and
return the result as int, which can overflow when the difference
exceeds INT_MAX.

Use cmp_int() instead, as was done in commit 362c49098086
("xfs: fix integer overflow in bmap intent sort comparator").

Patch 1 fixes the deferred intent comparators (rmap, extfree, refcount).
Patch 2 fixes the busy extent comparator.

Yuto Ohnuki (2):
  xfs: fix integer overflow in deferred intent sort comparators
  xfs: fix integer overflow in busy extent sort comparator

 fs/xfs/xfs_extent_busy.c   | 4 ++--
 fs/xfs/xfs_extfree_item.c  | 2 +-
 fs/xfs/xfs_refcount_item.c | 2 +-
 fs/xfs/xfs_rmap_item.c     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.50.1




Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284

Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705





* [PATCH 1/2] xfs: fix integer overflow in deferred intent sort comparators
  2026-03-28 17:34 [PATCH 0/2] xfs: fix potential integer overflow in sort comparators Yuto Ohnuki
@ 2026-03-28 17:34 ` Yuto Ohnuki
  2026-03-31 15:05   ` Christoph Hellwig
  2026-03-28 17:34 ` [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator Yuto Ohnuki
  1 sibling, 1 reply; 5+ messages in thread
From: Yuto Ohnuki @ 2026-03-28 17:34 UTC (permalink / raw)
  To: Carlos Maiolino
  Cc: Dave Chinner, Darrick J . Wong, linux-xfs, linux-kernel,
	Yuto Ohnuki

xfs_extent_free_diff_items(), xfs_refcount_update_diff_items(), and
xfs_rmap_update_diff_items() subtract two uint32_t group numbers
and return the result as int, which can overflow when the difference
exceeds INT_MAX.

Use cmp_int() instead, as was done in commit 362c49098086 ("xfs:
fix integer overflow in bmap intent sort comparator").

Fixes: c13418e8eb37 ("xfs: give xfs_rmap_intent its own perag reference")
Fixes: f6b384631e1e ("xfs: give xfs_extfree_intent its own perag reference")
Fixes: 00e7b3bac1dc ("xfs: give xfs_refcount_intent its own perag reference")
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
---
 fs/xfs/xfs_extfree_item.c  | 2 +-
 fs/xfs/xfs_refcount_item.c | 2 +-
 fs/xfs/xfs_rmap_item.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c
index 749a4eb9793c..2266d56e37dc 100644
--- a/fs/xfs/xfs_extfree_item.c
+++ b/fs/xfs/xfs_extfree_item.c
@@ -387,7 +387,7 @@ xfs_extent_free_diff_items(
 	struct xfs_extent_free_item	*ra = xefi_entry(a);
 	struct xfs_extent_free_item	*rb = xefi_entry(b);
 
-	return ra->xefi_group->xg_gno - rb->xefi_group->xg_gno;
+	return cmp_int(ra->xefi_group->xg_gno, rb->xefi_group->xg_gno);
 }
 
 /* Log a free extent to the intent item. */
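
Review bot: the replaced return in xfs_extent_free_diff_items() does not overflow in the arithmetic sense. With uint32_t operands the subtraction wraps modulo 2^32, and it is the conversion of that unsigned result to the int return type that yields the wrong sign once the two xg_gno values differ by more than INT_MAX. The commit message would be more precise if it said the comparator returns the wrong sign in that case, and if it stated whether group numbers that far apart can occur on a real filesystem, since the Fixes: tags will pull this into stable trees. The cmp_int() arguments here are plain member reads with no side effects, so the change is safe even if cmp_int() evaluates each argument more than once.
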
diff --git a/fs/xfs/xfs_refcount_item.c b/fs/xfs/xfs_refcount_item.c
index 881c3f3a6a24..8bccf89a7766 100644
--- a/fs/xfs/xfs_refcount_item.c
+++ b/fs/xfs/xfs_refcount_item.c
@@ -266,7 +266,7 @@ xfs_refcount_update_diff_items(
 	struct xfs_refcount_intent	*ra = ci_entry(a);
 	struct xfs_refcount_intent	*rb = ci_entry(b);
 
-	return ra->ri_group->xg_gno - rb->ri_group->xg_gno;
+	return cmp_int(ra->ri_group->xg_gno, rb->ri_group->xg_gno);
 }
 
 /* Log refcount updates in the intent item. */
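
Review bot: after this change the return statement in xfs_refcount_update_diff_items() is the same expression as the one in xfs_rmap_update_diff_items(), and differs from xfs_extent_free_diff_items() only in the member name (ri_group vs xefi_group). A small shared helper that takes the two group pointers and returns cmp_int() of their xg_gno would keep the three comparators in step and make it harder for the subtraction idiom to come back in a later copy. Not a blocker for a fix that is meant to be backported as is.
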
diff --git a/fs/xfs/xfs_rmap_item.c b/fs/xfs/xfs_rmap_item.c
index a39fe08dcd8f..2a3a73a8566d 100644
--- a/fs/xfs/xfs_rmap_item.c
+++ b/fs/xfs/xfs_rmap_item.c
@@ -267,7 +267,7 @@ xfs_rmap_update_diff_items(
 	struct xfs_rmap_intent		*ra = ri_entry(a);
 	struct xfs_rmap_intent		*rb = ri_entry(b);
 
-	return ra->ri_group->xg_gno - rb->ri_group->xg_gno;
+	return cmp_int(ra->ri_group->xg_gno, rb->ri_group->xg_gno);
 }
 
 /* Log rmap updates in the intent item. */
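
Review bot: this is the third file touched by one patch that carries three Fixes: tags, one per comparator (c13418e8eb37 for rmap, f6b384631e1e for extfree, 00e7b3bac1dc for refcount). If those commits did not all land in the same release, a stable tree that has only some of them cannot take this patch cleanly. One patch per file, each with its own Fixes: tag, would avoid that. The change to the return in xfs_rmap_update_diff_items() itself is correct.
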
-- 
2.50.1





* [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator
  2026-03-28 17:34 [PATCH 0/2] xfs: fix potential integer overflow in sort comparators Yuto Ohnuki
  2026-03-28 17:34 ` [PATCH 1/2] xfs: fix integer overflow in deferred intent " Yuto Ohnuki
@ 2026-03-28 17:34 ` Yuto Ohnuki
  2026-03-31 15:05   ` Christoph Hellwig
  1 sibling, 1 reply; 5+ messages in thread
From: Yuto Ohnuki @ 2026-03-28 17:34 UTC (permalink / raw)
  To: Carlos Maiolino
  Cc: Dave Chinner, Darrick J . Wong, linux-xfs, linux-kernel,
	Yuto Ohnuki

xfs_extent_busy_ag_cmp() subtracts two uint32_t values (group
numbers and block numbers) and returns the result as s32. When
the difference exceeds INT_MAX, the result overflows and the sort
order is corrupted.

Use cmp_int() instead, as was done in commit 362c49098086 ("xfs:
fix integer overflow in bmap intent sort comparator").

Fixes: 4a137e09151e ("xfs: keep a reference to the pag for busy extents")
Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
---
 fs/xfs/xfs_extent_busy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_extent_busy.c b/fs/xfs/xfs_extent_busy.c
index 3efdca3d675b..41cf0605ec22 100644
--- a/fs/xfs/xfs_extent_busy.c
+++ b/fs/xfs/xfs_extent_busy.c
@@ -690,9 +690,9 @@ xfs_extent_busy_ag_cmp(
 		container_of(l2, struct xfs_extent_busy, list);
 	s32 diff;
 
-	diff = b1->group->xg_gno - b2->group->xg_gno;
+	diff = cmp_int(b1->group->xg_gno, b2->group->xg_gno);
 	if (!diff)
-		diff = b1->bno - b2->bno;
+		diff = cmp_int(b1->bno, b2->bno);
 	return diff;
 }
 
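Review bot: with both assignments in xfs_extent_busy_ag_cmp() now going through cmp_int(), diff only ever holds a comparison result, so the s32 temporary no longer carries a 32-bit difference and could be dropped, e.g. `return cmp_int(b1->group->xg_gno, b2->group->xg_gno) ?: cmp_int(b1->bno, b2->bno);`. If the local is kept, plain int would read more naturally than s32 now that the value is not a subtraction result. The group comparison still takes precedence over the bno tie-break, so the ordering key is unchanged.
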
-- 
2.50.1





* Re: [PATCH 1/2] xfs: fix integer overflow in deferred intent sort comparators
  2026-03-28 17:34 ` [PATCH 1/2] xfs: fix integer overflow in deferred intent " Yuto Ohnuki
@ 2026-03-31 15:05   ` Christoph Hellwig
  0 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2026-03-31 15:05 UTC (permalink / raw)
  To: Yuto Ohnuki
  Cc: Carlos Maiolino, Dave Chinner, Darrick J . Wong, linux-xfs,
	linux-kernel

On Sat, Mar 28, 2026 at 05:34:09PM +0000, Yuto Ohnuki wrote:
> xfs_extent_free_diff_items(), xfs_refcount_update_diff_items(), and
> xfs_rmap_update_diff_items() subtract two uint32_t group numbers
> and return the result as int, which can overflow when the difference
> exceeds INT_MAX.
> 
> Use cmp_int() instead, as was done in commit 362c49098086 ("xfs:
> fix integer overflow in bmap intent sort comparator").

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>


* Re: [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator
  2026-03-28 17:34 ` [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator Yuto Ohnuki
@ 2026-03-31 15:05   ` Christoph Hellwig
  0 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2026-03-31 15:05 UTC (permalink / raw)
  To: Yuto Ohnuki
  Cc: Carlos Maiolino, Dave Chinner, Darrick J . Wong, linux-xfs,
	linux-kernel

On Sat, Mar 28, 2026 at 05:34:10PM +0000, Yuto Ohnuki wrote:
> xfs_extent_busy_ag_cmp() subtracts two uint32_t values (group
> numbers and block numbers) and returns the result as s32. When
> the difference exceeds INT_MAX, the result overflows and the sort
> order is corrupted.
> 
> Use cmp_int() instead, as was done in commit 362c49098086 ("xfs:
> fix integer overflow in bmap intent sort comparator").

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

