• Kent Overstreet's avatar
    bio: don't overflow in bio_get_nr_vecs() · 5abebfdd
    Kent Overstreet authored
    There were two places bio_get_nr_vecs() could overflow:
    
    First, it did a left shift to convert from sectors to bytes immediately
    before dividing by PAGE_SIZE.  If PAGE_SIZE ever was less than 512 a great
    many things would break, so dividing by PAGE_SIZE >> 9 is safe and will
    generate smaller code too.
    
    The nastier overflow was in the DIV_ROUND_UP() (that's what the code was
    effectively doing, anyways).  If n + d overflowed, the whole thing would
    return 0 which breaks things rather effectively.
    
    bio_get_nr_vecs() doesn't claim to give an exact value anyways, so the
    DIV_ROUND_UP() is silly; we could do a straight divide except if a
    device's queue_max_sectors was less than PAGE_SIZE we'd return 0.  So we
    just add 1; this should always be safe - things will break badly if
    bio_get_nr_vecs() returns > BIO_MAX_PAGES (bio_alloc() will suddenly start
    failing) but it's queue_max_segments that must guard against this, if
    queue_max_sectors is preventing this from happen things are going to
    explode on architectures with different PAGE_SIZE.
    Signed-off-by: default avatarKent Overstreet <koverstreet@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Acked-by: default avatarValdis Kletnieks <Valdis.Kletnieks@vt.edu>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
    5abebfdd
bio.c 39.4 KB