On Wed, Feb 08, 2017 at 06:54:24PM +0800, Ming Lei wrote: > > + struct bio *bio) > > +{ > > + unsigned short segments = blk_rq_nr_discard_segments(req); > > + > > + if (segments >= queue_max_discard_segments(q)) > > + goto no_merge; > > + if (blk_rq_sectors(req) + bio_sectors(bio) > > > + blk_rq_get_max_sectors(req, blk_rq_pos(req))) > > + goto no_merge; > > + > > + req->biotail->bi_next = bio; > > + req->biotail = bio; > > + req->__data_len += bio->bi_iter.bi_size; > > typeof(__data_len) is unsigned, and should be easy to overflow > for discard rq's merge. We respect the max_discard_sectors setting which is unsigned as well above in blk_rq_get_max_sectors(), so we can't actually overflow here. And please remove the fullquote after your two line comment, thanks!
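Review bot: at `req->__data_len += bio->bi_iter.bi_size;` nothing in the function records why the unsigned addition cannot wrap. The only bound is the preceding `blk_rq_sectors(req) + bio_sectors(bio) > blk_rq_get_max_sectors(req, blk_rq_pos(req))` check, which is expressed in sectors while `__data_len` accumulates bytes. A short comment above the addition, stating that the sector check caps the merged request size, would keep the guard from being dropped or reordered unnoticed in a later change.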