On Tue, 2024-06-11 at 09:15 -0600, Keith Busch wrote: > On Tue, Jun 11, 2024 at 02:23:48PM +0000, Roman Smirnov wrote: > > Hello. > > > > There is a case of integer overflow in __bvec_gap_to_prev(): > > > > ((bprv->bv_offset + bprv->bv_len) & lim->virt_boundary_mask); > > > > bio_vec can cross multiple pages: > > > > https://lore.kernel.org/lkml/20190215111324.30129-1-ming.lei@xxxxxxxxxx/t/ > > > > So, in case bio has one bio_vec bv_len can have a maximum value of UINT_MAX. > > The check happens in bio_full(). In the case when bv_len is equal to > > UINT_MAX and bv_offset is greater than zero, an overflow may occur. > > Does it matter? The lower bits checked against the mask should be the > same regardless of overflow. There are several other places where this kind of thing happens: https://elixir.bootlin.com/linux/latest/source/block/blk-merge.c#L292 https://elixir.bootlin.com/linux/latest/source/block/blk.h#L331 I think in those cases overflow would make a difference. I also found a comment before __bio_add_page(). It says that the caller should watch out for free space in bio: https://elixir.bootlin.com/linux/latest/source/block/bio.c#L1075 But what happens if it doesn't keep a check on it? Such code won't get into the kernel?
