Commit 362c4909 authored Mar 10, 2026 by Long Li Committed by Carlos Maiolino Mar 11, 2026

xfs: fix integer overflow in bmap intent sort comparator



xfs_bmap_update_diff_items() sorts bmap intents by inode number using
a subtraction of two xfs_ino_t (uint64_t) values, with the result
truncated to int. This is incorrect when two inode numbers differ by
more than INT_MAX (2^31 - 1), which is entirely possible on large XFS
filesystems.

Fix this by replacing the subtraction with cmp_int().

Cc: <stable@vger.kernel.org> # v4.9
Fixes: 9f3afb57 ("xfs: implement deferred bmbt map/unmap operations")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>

parent 52a8a1ba

fs/xfs/xfs_bmap_item.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -245,7 +245,7 @@ xfs_bmap_update_diff_items(
		struct xfs_bmap_intent *ba = bi_entry(a);
		struct xfs_bmap_intent *bb = bi_entry(b);

		return ba->bi_owner->i_ino - bb->bi_owner->i_ino;
		return cmp_int(ba->bi_owner->i_ino, bb->bi_owner->i_ino);
		}

		/* Log bmap updates in the intent item. */