[PATCH 4.19/5.4/5.10] ceph: fix possible overflow in start_read()

For a huge read request with >= 524288 pages in list passed
to 'start_read()', 'nr_pages << PAGE_SHIFT' may overflow 'int'
(for a convenient 4K page size) and make 'len' undefined, so
prefer 's64' for 'nr_pages' instead. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
---
 fs/ceph/addr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
index 2362f2591f4a..bc50918284bf 100644
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -329,7 +329,7 @@ static int start_read(struct inode *inode, struct ceph_rw_context *rw_ctx,
 	int i;
 	struct page **pages;
 	pgoff_t next_index;
-	int nr_pages = 0;
+	s64 nr_pages = 0;
 	int got = 0;
 	int ret = 0;
 
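Review bot: At the `s64 nr_pages = 0;` declaration, the widening fixes the shift only indirectly and leaves `int i` and `int got` beside it at 32 bits, so any comparison or assignment between them and nr_pages elsewhere in start_read() now mixes widths. The changelog describes a single overflow site, 'nr_pages << PAGE_SHIFT', so consider keeping `int nr_pages` and widening at the shift with an explicit cast. Otherwise, state in the changelog that every other use of nr_pages in the function (not visible in this hunk) was checked to accept a 64-bit value. With "Compile tested only", that audit is the part a stable maintainer will want spelled out. A page count is also never negative, so if the type does change, an unsigned type would express the intent better than s64.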
@@ -370,7 +370,7 @@ static int start_read(struct inode *inode, struct ceph_rw_context *rw_ctx,
 			break;
 	}
 	len = nr_pages << PAGE_SHIFT;
-	dout("start_read %p nr_pages %d is %lld~%lld\n", inode, nr_pages,
+	dout("start_read %p nr_pages %lld is %lld~%lld\n", inode, nr_pages,
 	     off, len);
 	vino = ceph_vino(inode);
 	req = ceph_osdc_new_request(osdc, &ci->i_layout, vino, off, &len,
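Review bot: At `len = nr_pages << PAGE_SHIFT;`, the shift is unchanged and its safety now depends entirely on a declaration roughly forty lines above it, with nothing on this line to say so. An explicit 64-bit cast here, or a one-line comment, would keep the expression correct if nr_pages is narrowed again during a backport to one of the three listed stable trees. The `%d` to `%lld` change in the dout() format string is consistent with the new s64 type, so no issue there.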
-- 
2.47.0




