From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 30FF136AB4D for ; Thu, 19 Mar 2026 11:32:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773919978; cv=none; b=oG9cxQtTKRQqyOz3leNaMC03ntCv2jo4SAQhIQ0Oa0UG3QmUykcWYpO46iteIfFeSTK+xE9nikHddq9yYY5EuOF+/RbK86ctwQh0waP3Y24yryP6XUlJ7aN4mRPY9vF7/vywt0dHr28tALk+esEE13BJhbce2PGRTS58vHRGzXc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1773919978; c=relaxed/simple; bh=ZobLhFw1cQ9GjUhFS/59kNjABBuzyxqalAd5qPNZ4WQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=J6GB+7z6HnQSYMo7sanaomuxjUYn7zex2acmiLdVr6sEgetnwe4A1oQ0ZhhbqyMV6gTjvSnahpUnrqabgzljxEOTUQNGNQlJSBm1qUMlhhqx0HJYDaKiA3afsK2q67n5HTgFxCMi5M9+SA/OpYf0C3yXDVixCMqd0YZroluLfFA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=O2azPRTc; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="O2azPRTc" Received: by smtp.kernel.org (Postfix) with ESMTPSA id F0B4AC19424; Thu, 19 Mar 2026 11:32:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1773919977; bh=ZobLhFw1cQ9GjUhFS/59kNjABBuzyxqalAd5qPNZ4WQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=O2azPRTcr54yxB6uB4nT5k9+uqqBbowA/mFkyZRenIh8cB7xC6l28TaqaU9hF2GQY Rxq2zF39uRbtma/fuAzxk8iIoQU5hkWBoBBRNNpr9G9+FZ39yDmBVEv0hLCNUtVoms xGytxJbiHFhooeuaE2JZLuZr9o1mpAmTPV0BA06bqLgUeeB5BazD+3UAbs4spGbCVd tTTd63WoA06ZGQOIm5PtJxDsHUccSc1l45GOHFbzm1W/Qg+BSVsnJ6E4tn6h+gaPZH hR1eUrQUJKJPmsqAktptruHgs+6GbeHMGGxdIArV7M9b1JhFL7QRLp15CLpVa5IIbb +LGapOopVS4yw== From: Sasha Levin To: stable@vger.kernel.org Cc: Long Li , "Darrick J. Wong" , Carlos Maiolino , Sasha Levin Subject: [PATCH 5.15.y] xfs: fix integer overflow in bmap intent sort comparator Date: Thu, 19 Mar 2026 07:32:55 -0400 Message-ID: <20260319113255.2340038-1-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <2026031715-attitude-wildfowl-8193@gregkh> References: <2026031715-attitude-wildfowl-8193@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Long Li [ Upstream commit 362c490980867930a098b99f421268fbd7ca05fd ] xfs_bmap_update_diff_items() sorts bmap intents by inode number using a subtraction of two xfs_ino_t (uint64_t) values, with the result truncated to int. This is incorrect when two inode numbers differ by more than INT_MAX (2^31 - 1), which is entirely possible on large XFS filesystems. Fix this by replacing the subtraction with cmp_int(). Cc: # v4.9 Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations") Signed-off-by: Long Li Reviewed-by: Darrick J. Wong Signed-off-by: Carlos Maiolino [ replaced `bi_entry()` macro with `container_of()` and inlined `cmp_int()` as a manual three-way comparison expression ] Signed-off-by: Sasha Levin --- fs/xfs/xfs_bmap_item.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c index 51ffdec5e4faa..2271cfa6af79e 100644 --- a/fs/xfs/xfs_bmap_item.c +++ b/fs/xfs/xfs_bmap_item.c @@ -274,7 +274,8 @@ xfs_bmap_update_diff_items( ba = container_of(a, struct xfs_bmap_intent, bi_list); bb = container_of(b, struct xfs_bmap_intent, bi_list); - return ba->bi_owner->i_ino - bb->bi_owner->i_ino; + return (ba->bi_owner->i_ino > bb->bi_owner->i_ino) - + (ba->bi_owner->i_ino < bb->bi_owner->i_ino); } /* Set the map extent flags for this mapping. */ -- 2.51.0