[PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator

Next message: Mateusz Guzik: "[PATCH] fs: hide file and bfile caches behind runtime const machinery"
Previous message: SeongJae Park: "Re: (sashiko status) [RFC PATCH 0/2] Docs/admin-guide/mm/damon: warn commit_inputs vs other params race"
In reply to: Christoph Hellwig: "Re: [PATCH 1/2] xfs: fix integer overflow in deferred intent sort comparators"
Next in thread: Christoph Hellwig: "Re: [PATCH 2/2] xfs: fix integer overflow in busy extent sort comparator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yuto Ohnuki

Date: Sat Mar 28 2026 - 13:36:41 EST

xfs_extent_busy_ag_cmp() subtracts two uint32_t values (group
numbers and block numbers) and returns the result as s32. When
the difference exceeds INT_MAX, the result overflows and the sort
order is corrupted.

Use cmp_int() instead, as was done in commit 362c49098086 ("xfs:
fix integer overflow in bmap intent sort comparator").

Fixes: 4a137e09151e ("xfs: keep a reference to the pag for busy extents")
Signed-off-by: Yuto Ohnuki <ytohnuki@xxxxxxxxxx>
---
fs/xfs/xfs_extent_busy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_extent_busy.c b/fs/xfs/xfs_extent_busy.c
index 3efdca3d675b..41cf0605ec22 100644
--- a/fs/xfs/xfs_extent_busy.c
+++ b/fs/xfs/xfs_extent_busy.c
@@ -690,9 +690,9 @@ xfs_extent_busy_ag_cmp(
container_of(l2, struct xfs_extent_busy, list);
s32 diff;

- diff = b1->group->xg_gno - b2->group->xg_gno;
+ diff = cmp_int(b1->group->xg_gno, b2->group->xg_gno);
if (!diff)
- diff = b1->bno - b2->bno;
+ diff = cmp_int(b1->bno, b2->bno);
return diff;
}

--
2.50.1

Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284

Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705