bcachefs: Fix out of bounds read in fs usage ioctl

Fix a possible read out of bounds if bch2_ioctl_fs_usage is called when
replica_entries_bytes is set to a value that is smaller than the size
of bch_replicas_usage.

Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index b0cbbb70161d04957c96678c4c4ffbe87ab99b74..99f112072ae5208fbea24450cf2cfb07b57ef8e4 100644 (file)
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -414,7 +414,8 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c,
                struct bch_replicas_entry *src_e =
                        cpu_replicas_entry(&c->replicas, i);
 
-               if (replicas_usage_next(dst_e) > dst_end) {
+               /* check that we have enough space for one replicas entry */
+               if (dst_e + 1 > dst_end) {
                        ret = -ERANGE;
                        break;
                }