www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
bcachefs: Fix shift-out-of-bounds in bch2_blacklist_entries_gc
author Pei Li <peili.dev@gmail.com>
Tue, 25 Jun 2024 18:41:29 +0000 (11:41 -0700)
committer Kent Overstreet <kent.overstreet@linux.dev>
Tue, 25 Jun 2024 21:53:31 +0000 (17:53 -0400)
This series fixes the shift-out-of-bounds issue in
bch2_blacklist_entries_gc().

Instead of passing 0 to eytzinger0_first() when iterating the entries,
we explicitly check 0 and initialize i to be 0.

syzbot has tested the proposed patch and the reproducer did not trigger
any issue:

Reported-and-tested-by: syzbot+835d255ad6bc7f29ee12@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=835d255ad6bc7f29ee12
Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
fs/bcachefs/journal_seq_blacklist.c

index ed484670961152b1ce83d11e1c235dd7e5d4dc26..1f25c111c54cdd342be1592d607fc5d926115a82 100644 (file)
@@ -232,7 +232,7 @@ bool bch2_blacklist_entries_gc(struct bch_fs *c)
        BUG_ON(nr != t->nr);
 
        unsigned i;
-       for (src = bl->start, i = eytzinger0_first(t->nr);
+       for (src = bl->start, i = t->nr == 0 ? 0 : eytzinger0_first(t->nr);
             src < bl->start + nr;
             src++, i = eytzinger0_next(i, nr)) {
                BUG_ON(t->entries[i].start      != le64_to_cpu(src->start));
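
Review bot: the zero check sits only in the for-initializer (`i = t->nr == 0 ? 0 : eytzinger0_first(t->nr)`) and carries no comment explaining why 0 must not reach eytzinger0_first(), so the next reader cannot tell the ternary is a guard against the shift-out-of-bounds rather than a style choice. When the count is 0 the condition `src < bl->start + nr` is false on the first test, so `i` is never used and the body and `eytzinger0_next(i, nr)` never run. An explicit skip of the loop when `nr` is 0, or a one-line comment on the ternary, would state that intent directly. The initializer also tests `t->nr` while the condition and increment use `nr`. The `BUG_ON(nr != t->nr)` above makes them equal, but using `nr` throughout would keep the loop self-consistent. Finally, this guards one call site only. If the helper is undefined for a size of 0, handling that inside eytzinger0_first() would cover any other caller in the same way.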