zbookmark_compare: avoid negative shift in block span calculation#18598
Open
robn wants to merge 1 commit into
Open
zbookmark_compare: avoid negative shift in block span calculation#18598robn wants to merge 1 commit into
robn wants to merge 1 commit into
Conversation
BP_SPANB subtracts SPA_BLKPTRSHIFT from the indirect block shift before shifting it. However, 0 is a legal value for ibs here, and the math is all unsigned, so the subtract can underflow, which is UB, and even if the compiler does resolve it to something negative, a negative shift is also UB. Its unclear if this can be a correctness issue because it (hopefully!) only impacts the sort order. It's definitely not good though, and UBSAN has been seen to complain about. This commit fixes it by only calling BP_SPANB if the ibs not zero, instead just using the block id, which is the intent. The asserts are extended to ensure that if it is non-zero, it is in a safe range. Sponsored-by: TrueNAS Signed-off-by: Rob Norris <rob.norris@truenas.com>
amotin
reviewed
May 28, 2026
Member
amotin
left a comment
amotin
left a comment
There was a problem hiding this comment.
I feel like there is something weird going on. The existing IMPLY()'es should be sufficient to verify the ibs'es if the level is not 0. And even if the subtraction result end up negative for the level 0, then zero level multiplication should make it irrelevant. If in some way (due to non-debug build) we miss a case when ibs is zero for non-zero level, then you are just burying the problem deeper, not solving it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[Sponsors: TrueNAS]
Motivation and Context
Fixes #14777
Description
BP_SPANBsubtractsSPA_BLKPTRSHIFTfrom the indirect block shift before shifting it. However, 0 is a legal value foribshere, and the math is all unsigned, so the subtract can underflow, which is UB, and even if the compiler does resolve it to something negative, a negative shift is also UB.Its unclear if this can be a correctness issue because it (hopefully!) only impacts the sort order. It's definitely not good though, and UBSAN has been seen to complain about.
This commit fixes it by only calling
BP_SPANBif the ibs not zero, instead just using the block id, which is the intent. The asserts are extended to ensure that if it is non-zero, it is in a safe range.How Has This Been Tested?
ZTS run completed and passed, so that's nice. However! #14777 mentions scrub with L2ARC, which we don't have a test for (unless its hidden down the back somewhere and I missed it). But it also might be coincidental. The examples all show a negative shifts that aren't
0 - SPA_BLKPTRSHIFT == -7, so either that's the UB at play, or its real and different things are callingzbookmark_compare()with weird small values foribs. I suspect the former, but I don't really know this code path at all.Types of changes
Checklist:
Signed-off-by.