diff mbox series

[4.19/5.4/5.10] ceph: fix possible overflow in start_read()

Message ID 20241115103124.1361582-1-dmantipov@yandex.ru (mailing list archive)
State New
Headers show
Series [4.19/5.4/5.10] ceph: fix possible overflow in start_read() | expand

Commit Message

Dmitry Antipov Nov. 15, 2024, 10:31 a.m. UTC 
For a huge read request with >= 524288 pages in list passed
to 'start_read()', 'nr_pages << PAGE_SHIFT' may overflow 'int'
(for a convenient 4K page size) and make 'len' undefined, so
prefer 's64' for 'nr_pages' instead. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 fs/ceph/addr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
index 2362f2591f4a..bc50918284bf 100644
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -329,7 +329,7 @@  static int start_read(struct inode *inode, struct ceph_rw_context *rw_ctx,
 	int i;
 	struct page **pages;
 	pgoff_t next_index;
-	int nr_pages = 0;
+	s64 nr_pages = 0;
 	int got = 0;
 	int ret = 0;
 
@@ -370,7 +370,7 @@  static int start_read(struct inode *inode, struct ceph_rw_context *rw_ctx,
 			break;
 	}
 	len = nr_pages << PAGE_SHIFT;
-	dout("start_read %p nr_pages %d is %lld~%lld\n", inode, nr_pages,
+	dout("start_read %p nr_pages %lld is %lld~%lld\n", inode, nr_pages,
 	     off, len);
 	vino = ceph_vino(inode);
 	req = ceph_osdc_new_request(osdc, &ci->i_layout, vino, off, &len,