From: Rosen Penev <rosenp@gmail.com>
Date: Sat, 30 May 2026 01:12:55 +0000 (-0700)
Subject: rbd: check snap_count against RBD_MAX_SNAP_COUNT
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=2e1b3f4c51ace14f67201bd2a92ca6312a3c3724;p=thirdparty%2Fkernel%2Flinux.git

rbd: check snap_count against RBD_MAX_SNAP_COUNT

snap_count is u32 but the comparison is against a SIZE_MAX-derived value
(~2^61 on 64-bit), which clang flags as always false with
-Wtautological-constant-out-of-range-compare.

The proper check here should be that snap_count does not go over
RBD_MAX_SNAP_COUNT.

Assisted-by: Opencode:Big-pickle
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Alex Elder <elder@riscstar.com>
Link: https://patch.msgid.link/20260530011255.52916-1-rosenp@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 4065336ebd1f1..0a0b0a1af7691 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -6094,12 +6094,9 @@ static int rbd_dev_v2_snap_context(struct rbd_device *rbd_dev,
 
 	/*
 	 * Make sure the reported number of snapshot ids wouldn't go
-	 * beyond the end of our buffer.  But before checking that,
-	 * make sure the computed size of the snapshot context we
-	 * allocate is representable in a size_t.
+	 * beyond the end of our buffer.
 	 */
-	if (snap_count > (SIZE_MAX - sizeof (struct ceph_snap_context))
-				 / sizeof (u64)) {
+	if (snap_count > RBD_MAX_SNAP_COUNT) {
 		ret = -EINVAL;
 		goto out;
 	}