On Tue, Feb 11, 2014 at 10:02:57AM -0800, Darrick J. Wong wrote: > The BUG_ON at the end of __bch_btree_mark_key can be triggered due to > an integer overflow error: > > BITMASK(GC_SECTORS_USED, struct bucket, gc_mark, 2, 13); > ... > SET_GC_SECTORS_USED(g, min_t(unsigned, > GC_SECTORS_USED(g) + KEY_SIZE(k), > (1 << 14) - 1)); > BUG_ON(!GC_SECTORS_USED(g)); > > In bcache.h, the SECTORS_USED bitfield is defined to be 13 bits wide. > While the SET_ code tries to ensure that the field doesn't overflow by > clamping it to (1<<14)-1 == 16383, this is incorrect because 16383 > requires 14 bits. Therefore, if GC_SECTORS_USED() + KEY_SIZE() = > 8192, the SET_ statement tries to store 8192 into a 13-bit field. In > a 13-bit field, 8192 becomes zero, thus triggering the BUG_ON. > > Therefore, create a field width constant and a max value constant, and > use those to create the bitfield and check the inputs to > SET_GC_SECTORS_USED. Arguably the BITMASK() template ought to have > BUG_ON checks for too-large values, but that's a separate patch. > > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > Signed-off-by: Kent Overstreet <kmo@xxxxxxxxxxxxx> > --- > Greg, stable team et. all - can you apply this asap to 3.13? It hasn't hit > Linus's tree yet (it's on its way via Jens), but multiple users are hitting this > BUG_ON() and the fix has been tested. Think about what you just wrote. Then go read Documentation/stable_kernel_rules.txt. You should know better... greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-bcache" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
