From bb0a7642d63b95a0f7db23f38d7f1c957930ec08 Mon Sep 17 00:00:00 2001
From: Kelvin Zhang
Date: Wed, 1 Sep 2021 14:21:47 -0700
Subject: [PATCH 1/2] Fix a typo this check should be performed on newly returned `op` instead of `cow_op`
Test: th
Change-Id: Ia0812a1126d3e0bdfaff82859eb4b4a066a73bff
---
 fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp b/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
index b868eed5f..ac3c22252 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
@@ -194,10 +194,12 @@ void ReadAheadThread::PrepareReadAhead(uint64_t* source_offset, int* pending_ops
 std::vector& blocks) {
 int num_ops = *pending_ops;
 int nr_consecutive = 0;
+ CHECK_NE(source_offset, nullptr);
 if (!RAIterDone() && num_ops) {
 // Get the first block with offset
 const CowOperation* cow_op = GetRAOpIter();
+ CHECK_NE(cow_op, nullptr);
 *source_offset = cow_op->source;
 if (cow_op->type == kCowCopyOp) {
 *source_offset *= BLOCK_SZ;
@@ -216,8 +218,9 @@ void ReadAheadThread::PrepareReadAhead(uint64_t* source_offset, int* pending_ops
 */
 while (!RAIterDone() && num_ops) {
 const CowOperation* op = GetRAOpIter();
+ CHECK_NE(op, nullptr);
 uint64_t next_offset = op->source;
- if (cow_op->type == kCowCopyOp) {
+ if (op->type == kCowCopyOp) {
 next_offset *= BLOCK_SZ;
 }
 if (next_offset != (*source_offset - nr_consecutive * BLOCK_SZ)) {
From 0518f8cb192fa4ee694f10d007522ab70c40ad15 Mon Sep 17 00:00:00 2001
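Review bot: `pending_ops` is still dereferenced by `int num_ops = *pending_ops;` two lines above the new `CHECK_NE(source_offset, nullptr);`, so the first hunk of PATCH 1/2 guards one out-parameter and not the other. If the null checks are meant as the contract of PrepareReadAhead, add `CHECK_NE(pending_ops, nullptr);` ahead of that dereference and move the `source_offset` check up beside it, so both pointers are validated before either is used. The function body continues past the end of the hunk.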
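Review bot: The copy-op scaling is written out twice, once for `cow_op` in the first hunk and once for `op` inside this `while` loop, and that duplication is what allowed the loop to test the wrong variable. A small file-local helper that returns `op->type == kCowCopyOp ? op->source * BLOCK_SZ : op->source` would give both sites a single definition and remove the chance of the two copies drifting apart again. The loop body continues outside the hunk.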
From: Daniel Rosenberg
Date: Thu, 2 Sep 2021 13:28:03 -0700
Subject: [PATCH 2/2] snapuserd: Fix PrepareReadAhead When checking the instead of current, and when checking the position, we could underflow, which would get caught by UBSAN
Bug: 177104308
Test: Map cow file with xor op or copy op at position 0
Change-Id: I4fba1982419e08b58759ec893e238175d245dbfc
---
 fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp b/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
index ac3c22252..3bb7a0a07 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd_readahead.cpp
@@ -223,7 +223,7 @@ void ReadAheadThread::PrepareReadAhead(uint64_t* source_offset, int* pending_ops
 if (op->type == kCowCopyOp) {
 next_offset *= BLOCK_SZ;
 }
- if (next_offset != (*source_offset - nr_consecutive * BLOCK_SZ)) {
+ if (next_offset + nr_consecutive * BLOCK_SZ != *source_offset) {
 break;
 }
 nr_consecutive += 1;
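Review bot: The rewritten test `next_offset + nr_consecutive * BLOCK_SZ != *source_offset` is equal modulo 2^64 to the subtraction it replaces, so it only moves the wrap: it no longer trips when `*source_offset` is small, but the addition now wraps when `next_offset` is near the top of the uint64 range. `next_offset` is taken from `op->source` (scaled by `BLOCK_SZ` for copy ops), which presumably comes from parsed COW metadata, so neither the multiply nor the add is bounded in the visible code; depending on how `BLOCK_SZ` is typed, `nr_consecutive * BLOCK_SZ` may also be evaluated in `int`. Ordering the operands first, for example `if (next_offset > *source_offset || *source_offset - next_offset != static_cast<uint64_t>(nr_consecutive) * BLOCK_SZ) break;`, treats such an op as non-consecutive without any arithmetic that can wrap. The loop continues outside the hunk, so the starting value of `nr_consecutive` at this point should be confirmed against the full function.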