From: Dmitry Kandybka <d.kandybka@gmail.com>
Date: Tue, 22 Apr 2025 09:32:04 +0000 (+0300)
Subject: ceph: fix possible integer overflow in ceph_zero_objects()
X-Git-Tag: v6.6.96~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acc1d4cc47f185e7c0669a69c7a0cc56f10cb3ef;p=thirdparty%2Fkernel%2Fstable.git

ceph: fix possible integer overflow in ceph_zero_objects()

[ Upstream commit 0abd87942e0c93964e93224836944712feba1d91 ]

In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible
integer overflow.

Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index a03b11cf78872..e12657b4c3e04 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -2513,7 +2513,7 @@ static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length)
 	s32 stripe_unit = ci->i_layout.stripe_unit;
 	s32 stripe_count = ci->i_layout.stripe_count;
 	s32 object_size = ci->i_layout.object_size;
-	u64 object_set_size = object_size * stripe_count;
+	u64 object_set_size = (u64) object_size * stripe_count;
 	u64 nearly, t;
 
 	/* round offset up to next period boundary */