From: Sasha Levin
To: stable@vger.kernel.org
Cc: Long Li, "Darrick J. Wong", Carlos Maiolino, Sasha Levin
Subject: [PATCH 6.1.y] xfs: fix integer overflow in bmap intent sort comparator
Date: Thu, 19 Mar 2026 07:07:17 -0400
Message-ID: <20260319110717.2314489-1-sashal@kernel.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <2026031714-whiff-catalyst-aa41@gregkh>
References: <2026031714-whiff-catalyst-aa41@gregkh>

From: Long Li

[ Upstream commit 362c490980867930a098b99f421268fbd7ca05fd ]

xfs_bmap_update_diff_items() sorts bmap intents by inode number using
a subtraction of two xfs_ino_t (uint64_t) values, with the result
truncated to int. This is incorrect when two inode numbers differ by
more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
filesystems.

Fix this by replacing the subtraction with cmp_int().

Cc: # v4.9
Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations")
Signed-off-by: Long Li
Reviewed-by: Darrick J. Wong
Signed-off-by: Carlos Maiolino
[ replaced `bi_entry()` macro with `container_of()` and inlined `cmp_int()` as a manual three-way comparison expression ]
Signed-off-by: Sasha Levin
--- fs/xfs/xfs_bmap_item.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c index 1058603db3ac4..db6b01262c451 100644 --- a/fs/xfs/xfs_bmap_item.c +++ b/fs/xfs/xfs_bmap_item.c
@@ -277,7 +277,8 @@ xfs_bmap_update_diff_items( ba = container_of(a, struct xfs_bmap_intent, bi_list); bb = container_of(b, struct xfs_bmap_intent, bi_list); - return ba->bi_owner->i_ino - bb->bi_owner->i_ino; + return (ba->bi_owner->i_ino > bb->bi_owner->i_ino) - + (ba->bi_owner->i_ino < bb->bi_owner->i_ino); } /* Set the map extent flags for this mapping. */ -- 2.51.0
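Review bot: The open-coded comparison in the two added return lines of xfs_bmap_update_diff_items() has no comment recording why a subtraction must not be used here, and it spells out the ba->bi_owner->i_ino and bb->bi_owner->i_ino dereference chains twice each. The commit message refers to cmp_int(), but this backport inlines the expression, so a one-line comment stating that i_ino is 64-bit and that the difference does not fit in the int return value would keep a later cleanup from restoring the subtraction. Loading the two inode numbers into local xfs_ino_t variables before the return would also make the expression easier to read and to audit.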
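The truncation described in the commit message, reproduced in user space as an added example (not part of the patch or of the kernel source). The function names and the sample inode numbers are constructed for illustration, and the conversion to int assumes the modulo-2^32 behaviour that gcc and clang implement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix pattern: 64-bit difference truncated to the int return value. */
static int cmp_truncating(uint64_t a, uint64_t b)
{
    return (int)(a - b);    /* only the low 32 bits survive (gcc/clang) */
}

/* Post-fix pattern: three-way comparison, always -1, 0 or 1. */
static int cmp_three_way(uint64_t a, uint64_t b)
{
    return (a > b) - (a < b);
}

typedef int (*ino_cmp_fn)(uint64_t, uint64_t);

/* Count ordered pairs whose comparator sign disagrees with the true order. */
static size_t wrong_sign_pairs(const uint64_t *v, size_t n, ino_cmp_fn cmp)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            int got = cmp(v[i], v[j]);
            if ((got > 0) - (got < 0) != cmp_three_way(v[i], v[j]))
                bad++;
        }
    return bad;
}

/* Constructed inode numbers, chosen around the 2^31 and 2^32 boundaries. */
static const uint64_t sample_inos[] = {
    128,
    128 + 0x7fffffffULL,    /* INT_MAX away from 128: still ordered correctly */
    128 + 0x80000000ULL,    /* 2^31 away: "less than" 128 in both directions */
    128 + 0x100000000ULL,   /* 2^32 away: reported as equal to 128 */
};
#define N_SAMPLE (sizeof(sample_inos) / sizeof(sample_inos[0]))

int main(void)
{
    printf("truncating comparator: %zu wrong pairs\n",
           wrong_sign_pairs(sample_inos, N_SAMPLE, cmp_truncating));
    printf("three-way comparator:  %zu wrong pairs\n",
           wrong_sign_pairs(sample_inos, N_SAMPLE, cmp_three_way));
    return 0;
}
```

The truncating comparator is not only wrong in sign for some pairs, it also stops being antisymmetric, which is the property a sort routine relies on to produce a stable, deterministic order.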