From 17fd366091d104702af5b0699ac73b06d0b57619 Mon Sep 17 00:00:00 2001 From: Hongbo Li Date: Mon, 21 Oct 2024 15:35:09 +0800 Subject: [PATCH] bcachefs: Fix shift-out-of-bounds in bch2_alloc_to_text The syzbot found the following issue: ``` ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in fs/bcachefs/alloc_background.h:165:13 shift exponent 129 is too large for 32-bit type 'unsigned int' Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 data_type_movable fs/bcachefs/alloc_background.h:165 [inline] alloc_lru_idx_fragmentation fs/bcachefs/alloc_background.h:171 [inline] bch2_alloc_to_text+0xc79/0xce0 fs/bcachefs/alloc_background.c:369 __bch2_bkey_fsck_err+0x1c8/0x280 fs/bcachefs/error.c:454 bch2_alloc_v4_validate+0x931/0xef0 fs/bcachefs/alloc_background.c:259 ... ``` In bch2_alloc_v4_validate, bcachefs doesn't check the invalid data_type in switch-case. And this will cause shift-out-of-bounds error for invalid data_type. This can be easily avoided by adding the default branch in switch statement for handling the data_type. Reported-by: syzbot+7f45fa9805c40db3f108@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=7f45fa9805c40db3f108 Fixes: 71aba590297e ("bcachefs: Always check alloc data type") Signed-off-by: Hongbo Li --- fs/bcachefs/alloc_background.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/bcachefs/alloc_background.c b/fs/bcachefs/alloc_background.c index 6e161f8ffe8d..09ff41cac5f8 100644 --- a/fs/bcachefs/alloc_background.c +++ b/fs/bcachefs/alloc_background.c @@ -314,6 +314,10 @@ int bch2_alloc_v4_validate(struct bch_fs *c, struct bkey_s_c k, break; case BCH_DATA_stripe: break; + default: + bkey_fsck_err_on(true, c, alloc_key_data_type_bad, + "unknown data type %u", a.data_type); + break; } fsck_err: return ret; -- 2.34.1
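Review bot: The new default branch in bch2_alloc_v4_validate reports the bad value through bkey_fsck_err_on(), and the trace in the commit message shows that this reporting path is where the shift happens: __bch2_bkey_fsck_err calls bch2_alloc_to_text, which calls alloc_lru_idx_fragmentation and data_type_movable at alloc_background.h:165, and that function shifts by the unchecked data_type. The trace also enters from alloc_background.c:259, well before this switch at line 314, so an earlier fsck error on a key with a.data_type = 129 still reaches the same shift, and the added branch then reaches it again. Please bound data_type before the shift in data_type_movable, or have bch2_alloc_to_text skip the fragmentation calculation when data_type is out of range, so that printing a corrupt key is safe wherever validation fails. The default branch is still worth keeping as a validation check, but the subject line names bch2_alloc_to_text while the change only touches the validator, so the commit message should say which of the two is being fixed.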