[V2] block: make sure that bvec length can't be overflow

Message ID	20190417011126.20430-1-ming.lei@redhat.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-block-owner@kernel.org> From: Ming Lei <ming.lei@redhat.com> To: Jens Axboe <axboe@kernel.dk> Cc: linux-block@vger.kernel.org, Ming Lei <ming.lei@redhat.com>, Christoph Hellwig <hch@lst.de>, Yi Zhang <yi.zhang@redhat.com> Subject: [PATCH V2] block: make sure that bvec length can't be overflow Date: Wed, 17 Apr 2019 09:11:26 +0800 Message-Id: <20190417011126.20430-1-ming.lei@redhat.com> Sender: linux-block-owner@vger.kernel.org Precedence: bulk
Series	[V2] block: make sure that bvec length can't be overflow \| expand [V2] block: make sure that bvec length can't be overflow

Message ID

20190417011126.20430-1-ming.lei@redhat.com (mailing list archive)

State

New, archived

Headers

From: Ming Lei <ming.lei@redhat.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org, Ming Lei <ming.lei@redhat.com>,
        Christoph Hellwig <hch@lst.de>, Yi Zhang <yi.zhang@redhat.com>
Subject: [PATCH V2] block: make sure that bvec length can't be overflow
Date: Wed, 17 Apr 2019 09:11:26 +0800
Message-Id: <20190417011126.20430-1-ming.lei@redhat.com>
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk

Series

[V2] block: make sure that bvec length can't be overflow | expand

Commit Message

Ming Lei April 17, 2019, 1:11 a.m. UTC

bvec->bv_offset may be bigger than PAGE_SIZE sometimes, such as,
when one bio is splitted in the middle of one bvec via bio_split(),
and bi_iter.bi_bvec_done is used to build offset of the 1st bvec of
remained bio. And the remained bio's bvec may be re-submitted to fs
layer via ITER_IBVEC, such as loop and nvme-loop.

So we have to make sure that every bvec's offset is less than
PAGE_SIZE from bio_for_each_segment_all() because some drivers(loop,
nvme-loop) passes the splitted bvec to fs layer via ITER_BVEC.

This patch fixes this issue reported by Zhang Yi When running nvme/011.

Cc: Christoph Hellwig <hch@lst.de>
Cc: Yi Zhang <yi.zhang@redhat.com>
Reported-by: Yi Zhang <yi.zhang@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Fixes: 6dc4f100c175 ("block: allow bio_for_each_segment_all() to iterate over multi-page bvec")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 include/linux/bvec.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Jens Axboe April 19, 2019, 5:32 p.m. UTC | #1

On 4/16/19 7:11 PM, Ming Lei wrote:
> bvec->bv_offset may be bigger than PAGE_SIZE sometimes, such as,
> when one bio is splitted in the middle of one bvec via bio_split(),
> and bi_iter.bi_bvec_done is used to build offset of the 1st bvec of
> remained bio. And the remained bio's bvec may be re-submitted to fs
> layer via ITER_IBVEC, such as loop and nvme-loop.
> 
> So we have to make sure that every bvec's offset is less than
> PAGE_SIZE from bio_for_each_segment_all() because some drivers(loop,
> nvme-loop) passes the splitted bvec to fs layer via ITER_BVEC.
> 
> This patch fixes this issue reported by Zhang Yi When running nvme/011.

Applied, thanks.

diff --git a/include/linux/bvec.h b/include/linux/bvec.h
index 3bc91879e1e2..ff13cbc1887d 100644
--- a/include/linux/bvec.h
+++ b/include/linux/bvec.h
@@ -160,8 +160,9 @@  static inline void bvec_advance(const struct bio_vec *bvec,
 		bv->bv_page = nth_page(bv->bv_page, 1);
 		bv->bv_offset = 0;
 	} else {
-		bv->bv_page = bvec->bv_page;
-		bv->bv_offset = bvec->bv_offset;
+		bv->bv_page = bvec_nth_page(bvec->bv_page, bvec->bv_offset /
+					    PAGE_SIZE);
+		bv->bv_offset = bvec->bv_offset & ~PAGE_MASK;
 	}
 	bv->bv_len = min_t(unsigned int, PAGE_SIZE - bv->bv_offset,
 			   bvec->bv_len - iter_all->done);

[V2] block: make sure that bvec length can't be overflow

Commit Message

Comments

Patch