On Tue, Jun 11, 2024 at 02:23:48PM +0000, Roman Smirnov wrote: > Hello. > > There is a case of integer overflow in __bvec_gap_to_prev(): > > ((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask); > > bio_vec can cross multiple pages: > > https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@xxxxxxxxxx/t/ > > So, in case bio has one bio_vec bv_len can have a maximum value of UINT_MAX. > The check happens in bio_full(). In the case when bv_len is equal to > UINT_MAX and bv_offset is greater than zero, an overflow may occur. Does it matter? The lower bits checked against the mask should be the same regardless of overflow.
