Commit 5c41f75d authored by Jeongjun Park, committed by Kent Overstreet

bcachefs: fix shift oob in alloc_lru_idx_fragmentation



The size of a.data_type is set abnormally large, causing shift-out-of-bounds.
To fix this, we need to add validation on a.data_type in
alloc_lru_idx_fragmentation().

Reported-by: <syzbot+7f45fa9805c40db3f108@syzkaller.appspotmail.com>
Fixes: 260af156 ("bcachefs: Kill alloc_v4.fragmentation_lru")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
parent 2045fc42
+3 −0
@@ -168,6 +168,9 @@ static inline bool data_type_movable(enum bch_data_type type)
static inline u64 alloc_lru_idx_fragmentation(struct bch_alloc_v4 a,
					      struct bch_dev *ca)
{
	if (a.data_type >= BCH_DATA_NR)
		return 0;

	if (!data_type_movable(a.data_type) ||
	    !bch2_bucket_sectors_fragmented(ca, a))
		return 0;