From: Greg Kroah-Hartman
Date: Sun, 16 Feb 2014 20:48:08 +0000 (-0800)
Subject: 3.13-stable patches
X-Git-Tag: v3.4.81~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad4571dd5bc7f64b3c464dbe1ce836ba518d303e;p=thirdparty%2Fkernel%2Fstable-queue.git
3.13-stable patches
added patches:
bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
---
diff --git a/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch b/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
new file mode 100644
index 00000000000..dddd47c561f
--- /dev/null
+++ b/queue-3.13/bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
@@ -0,0 +1,64 @@
+From 947174476701fbc84ea8c7ec9664270f9d80b076 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Tue, 28 Jan 2014 16:57:39 -0800
+Subject: bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED
+
+From: "Darrick J. Wong"
+
+commit 947174476701fbc84ea8c7ec9664270f9d80b076 upstream.
+
+The BUG_ON at the end of __bch_btree_mark_key can be triggered due to
+an integer overflow error:
+
+BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, 13);
+...
+SET_GC_SECTORS_USED(g, min_t(unsigned,
+ GC_SECTORS_USED(g) + KEY_SIZE(k),
+ (1 << 14) - 1));
+BUG_ON(!GC_SECTORS_USED(g));
+
+In bcache.h, the SECTORS_USED bitfield is defined to be 13 bits wide.
+While the SET_ code tries to ensure that the field doesn't overflow by
+clamping it to (1<<14)-1 == 16383, this is incorrect because 16383
+requires 14 bits. Therefore, if GC_SECTORS_USED() + KEY_SIZE() =
+8192, the SET_ statement tries to store 8192 into a 13-bit field. In
+a 13-bit field, 8192 becomes zero, thus triggering the BUG_ON.
+
+Therefore, create a field width constant and a max value constant, and
+use those to create the bitfield and check the inputs to
+SET_GC_SECTORS_USED. Arguably the BITMASK() template ought to have
+BUG_ON checks for too-large values, but that's a separate patch.
+
+Signed-off-by: Darrick J. Wong
+Cc: Kent Overstreet
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/bcache/bcache.h | 4 +++-
+ drivers/md/bcache/btree.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/bcache/bcache.h
++++ b/drivers/md/bcache/bcache.h
+@@ -209,7 +209,9 @@ BITMASK(GC_MARK, struct bucket, gc_mark
+ #define GC_MARK_RECLAIMABLE 0
+ #define GC_MARK_DIRTY 1
+ #define GC_MARK_METADATA 2
+-BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, 13);
++#define GC_SECTORS_USED_SIZE 13
++#define MAX_GC_SECTORS_USED (~(~0ULL << GC_SECTORS_USED_SIZE))
++BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, GC_SECTORS_USED_SIZE);
+ BITMASK(GC_MOVE, struct bucket, gc_mark, 15, 1);
+
+ #include "journal.h"
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1163,7 +1163,7 @@ uint8_t __bch_btree_mark_key(struct cach
+ /* guard against overflow */
+ SET_GC_SECTORS_USED(g, min_t(unsigned,
+ GC_SECTORS_USED(g) + KEY_SIZE(k),
+- (1 << 14) - 1));
++ MAX_GC_SECTORS_USED));
+
+ BUG_ON(!GC_SECTORS_USED(g));
+ }
diff --git a/queue-3.13/series b/queue-3.13/series
index fe03e66a16f..3e688c15d40 100644
--- a/queue-3.13/series
+++ b/queue-3.13/series
@@ -36,3 +36,4 @@ pinctrl-imx27-fix-wrong-offset-to-iconfb.patch
 pinctrl-imx27-fix-offset-calculation-in-imx_read_2bit.patch
 pinctrl-vt8500-change-devicetree-data-parsing.patch
 pinctrl-protect-pinctrl_list-add.patch
+bcache-fix-bug_on-due-to-integer-overflow-with-gc_sectors_used.patch
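Review bot: The `BUG_ON(!GC_SECTORS_USED(g))` kept as context at the end of the btree.c hunk still halts the kernel whenever the stored count is zero, and the corrected clamp removes only the wrap-to-zero case; a key with `KEY_SIZE(k) == 0` on a bucket whose count is already 0 would still reach it. Whether such a key can arrive here is not visible, because `__bch_btree_mark_key` begins outside the hunk, but if key sizes can originate from on-disk metadata this is an availability risk, and reporting and continuing (for example `WARN_ON_ONCE(!GC_SECTORS_USED(g));`) or rejecting zero-size keys earlier would be the safer failure mode. The existing comment could also state the saturation explicitly, e.g. `/* saturate at MAX_GC_SECTORS_USED; a full field is a lower bound, not an exact count */`.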