bcachefs: fix shift oob in alloc_lru_idx_fragmentation

The size of a.data_type is set abnormally large, causing shift-out-of-bounds. To fix this, we need to add validation on a.data_type in alloc_lru_idx_fragmentation(). Reported-by: syzbot+7f45fa9805c40db3f108@syzkaller.appspotmail.com Fixes: 260af1562ec1 ("bcachefs: Kill alloc_v4.fragmentation_lru") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
author: Jeongjun Park <aha310510@gmail.com> 2024-10-22 00:43:56 +0900
committer: Kent Overstreet <kent.overstreet@linux.dev> 2024-10-24 17:41:43 -0400
commit: 5c41f75d1b921b9eaf79588cdd3b22b00fb4ec52 (patch)
tree: f418a08a55aeff77e3d753f64e9c1d980e60189e /fs
parent: 2045fc4295c427d420aa1ff551b4de8179b6e5d5 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/bcachefs/alloc_background.h b/fs/bcachefs/alloc_background.h
index f8e87c6721b1..163a67b97a40 100644
--- a/fs/bcachefs/alloc_background.h
+++ b/fs/bcachefs/alloc_background.h
@@ -168,6 +168,9 @@ static inline bool data_type_movable(enum bch_data_type type)
 static inline u64 alloc_lru_idx_fragmentation(struct bch_alloc_v4 a,
 					      struct bch_dev *ca)
 {
+	if (a.data_type >= BCH_DATA_NR)
+		return 0;
+
 	if (!data_type_movable(a.data_type) ||
 	    !bch2_bucket_sectors_fragmented(ca, a))
 		return 0;
author	Jeongjun Park <aha310510@gmail.com>	2024-10-22 00:43:56 +0900
committer	Kent Overstreet <kent.overstreet@linux.dev>	2024-10-24 17:41:43 -0400
commit	5c41f75d1b921b9eaf79588cdd3b22b00fb4ec52 (patch)
tree	f418a08a55aeff77e3d753f64e9c1d980e60189e /fs
parent	2045fc4295c427d420aa1ff551b4de8179b6e5d5 (diff)