| Message ID | 2811951.1684766430@warthog.procyon.org.uk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | cifs: Fix cifs_limit_bvec_subset() to correctly check the maxmimum size | expand |
On Mon, May 22, 2023 at 8:22 PM David Howells <dhowells@redhat.com> wrote: > > Fix cifs_limit_bvec_subset() so that it limits the span to the maximum > specified and won't return with a size greater than max_size. > > Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") > Reported-by: Shyam Prasad N <sprasad@microsoft.com> > Signed-off-by: David Howells <dhowells@redhat.com> > cc: Steve French <smfrench@gmail.com> > cc: Rohith Surabattula <rohiths.msft@gmail.com> > cc: Paulo Alcantara <pc@manguebit.com> > cc: Tom Talpey <tom@talpey.com> > cc: Jeff Layton <jlayton@kernel.org> > cc: linux-cifs@vger.kernel.org > cc: linux-fsdevel@vger.kernel.org > --- > fs/cifs/file.c | 1 + > 1 file changed, 1 insertion(+) > > > diff --git a/fs/cifs/file.c b/fs/cifs/file.c > index ba7f2e09d6c8..4778614cfccf 100644 > --- a/fs/cifs/file.c > +++ b/fs/cifs/file.c > @@ -3353,6 +3353,7 @@ static size_t cifs_limit_bvec_subset(const struct iov_iter *iter, size_t max_siz > while (n && ix < nbv) { > len = min3(n, bvecs[ix].bv_len - skip, max_size); > span += len; > + max_size -= len; Shouldn't this decrement happen below, after the span has been compared with max_size? > nsegs++; > ix++; > if (span >= max_size || nsegs >= max_segs) >
Shyam Prasad N <nspmangalore@gmail.com> wrote: > > + max_size -= len; > > Shouldn't this decrement happen below, after the span has been > compared with max_size? It probably doesn't matter. The compiler is free to move it around, but yes that and ix++ can both be moved down. David
On Mon, May 22, 2023 at 1:11 PM David Howells <dhowells@redhat.com> wrote: > > Shyam Prasad N <nspmangalore@gmail.com> wrote: > > > > + max_size -= len; > > > > Shouldn't this decrement happen below, after the span has been > > compared with max_size? > > It probably doesn't matter. The compiler is free to move it around, but yes > that and ix++ can both be moved down. I am not sure I follow - can you explain? It looks like moving it up vs. down would change behavior
diff --git a/fs/cifs/file.c b/fs/cifs/file.c index ba7f2e09d6c8..4778614cfccf 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -3353,6 +3353,7 @@ static size_t cifs_limit_bvec_subset(const struct iov_iter *iter, size_t max_siz while (n && ix < nbv) { len = min3(n, bvecs[ix].bv_len - skip, max_size); span += len; + max_size -= len; nsegs++; ix++; if (span >= max_size || nsegs >= max_segs)
Fix cifs_limit_bvec_subset() so that it limits the span to the maximum specified and won't return with a size greater than max_size. Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Reported-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: David Howells <dhowells@redhat.com> cc: Steve French <smfrench@gmail.com> cc: Rohith Surabattula <rohiths.msft@gmail.com> cc: Paulo Alcantara <pc@manguebit.com> cc: Tom Talpey <tom@talpey.com> cc: Jeff Layton <jlayton@kernel.org> cc: linux-cifs@vger.kernel.org cc: linux-fsdevel@vger.kernel.org --- fs/cifs/file.c | 1 + 1 file changed, 1 insertion(+)