diff options
author | Kent Overstreet <kent.overstreet@gmail.com> | 2012-02-08 22:07:18 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2012-05-31 00:43:14 +0100 |
commit | c8616ea3986b2e65f77a5442ca056683d6df987d (patch) | |
tree | 8567ff52f07911c48f298eb63390a0f549033d61 /include/asm-generic/sembuf.h | |
parent | 06250be2b65f0c23272369bc36803337880e61b5 (diff) |
bio: don't overflow in bio_get_nr_vecs()
commit 5abebfdd02450fa1349daacf242e70b3736581e3 upstream.
There were two places bio_get_nr_vecs() could overflow:
First, it did a left shift to convert from sectors to bytes immediately
before dividing by PAGE_SIZE. If PAGE_SIZE ever was less than 512 a great
many things would break, so dividing by PAGE_SIZE >> 9 is safe and will
generate smaller code too.
The nastier overflow was in the DIV_ROUND_UP() (that's what the code was
effectively doing, anyways). If n + d overflowed, the whole thing would
return 0 which breaks things rather effectively.
bio_get_nr_vecs() doesn't claim to give an exact value anyways, so the
DIV_ROUND_UP() is silly; we could do a straight divide except if a
device's queue_max_sectors was less than PAGE_SIZE we'd return 0. So we
just add 1; this should always be safe - things will break badly if
bio_get_nr_vecs() returns > BIO_MAX_PAGES (bio_alloc() will suddenly start
failing) but it's queue_max_segments that must guard against this, if
queue_max_sectors is preventing this from happen things are going to
explode on architectures with different PAGE_SIZE.
Signed-off-by: Kent Overstreet <koverstreet@google.com>
Cc: Tejun Heo <tj@kernel.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'include/asm-generic/sembuf.h')
0 files changed, 0 insertions, 0 deletions