Patch "block: fix get_max_segment_size() overflow on 32bit arch" has been added to the 5.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 20 Jul 2020 15:09:28 +0200

This is a note to let you know that I've just added the patch titled

    block: fix get_max_segment_size() overflow on 32bit arch

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     block-fix-get_max_segment_size-overflow-on-32bit-arch.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 4a2f704eb2d831a2d73d7f4cdd54f45c49c3c353 Mon Sep 17 00:00:00 2001
From: Ming Lei <ming.lei@xxxxxxxxxx>
Date: Sat, 11 Jan 2020 20:57:43 +0800
Subject: block: fix get_max_segment_size() overflow on 32bit arch

From: Ming Lei <ming.lei@xxxxxxxxxx>

commit 4a2f704eb2d831a2d73d7f4cdd54f45c49c3c353 upstream.

Commit 429120f3df2d starts to take account of segment's start dma address
when computing max segment size, and data type of 'unsigned long'
is used to do that. However, the segment mask may be 0xffffffff, so
the figured out segment size may be overflowed in case of zero physical
address on 32bit arch.

Fix the issue by returning queue_max_segment_size() directly when that
happens.

Fixes: 429120f3df2d ("block: fix splitting segments on boundary masks")
Reported-by: Guenter Roeck <linux@xxxxxxxxxxxx>
Tested-by: Guenter Roeck <linux@xxxxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Tested-by: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>
Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 block/blk-merge.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/block/blk-merge.c
+++ b/block/blk-merge.c
@@ -164,8 +164,13 @@ static inline unsigned get_max_segment_s
 	unsigned long mask = queue_segment_boundary(q);
 
 	offset = mask & (page_to_phys(start_page) + offset);
-	return min_t(unsigned long, mask - offset + 1,
-		     queue_max_segment_size(q));
+
+	/*
+	 * overflow may be triggered in case of zero page physical address
+	 * on 32bit arch, use queue's max segment size when that happens.
+	 */
+	return min_not_zero(mask - offset + 1,
+			(unsigned long)queue_max_segment_size(q));
 }
 
 /**


Patches currently in stable-queue which might be from ming.lei@xxxxxxxxxx are

queue-5.4/block-fix-get_max_segment_size-overflow-on-32bit-arch.patch
queue-5.4/block-fix-splitting-segments-on-boundary-masks.patch






