From d2ccad3c9ce947664160e47ee80fa8e779f26e2e Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Sat, 11 Jan 2020 20:57:43 +0800 Subject: [PATCH] block: fix get_max_segment_size() overflow on 32bit arch commit 4a2f704eb2d831a2d73d7f4cdd54f45c49c3c353 upstream. Commit 429120f3df2d starts to take account of segment's start dma address when computing max segment size, and data type of 'unsigned long' is used to do that. However, the segment mask may be 0xffffffff, so the figured out segment size may be overflowed in case of zero physical address on 32bit arch. Fix the issue by returning queue_max_segment_size() directly when that happens. Fixes: 429120f3df2d ("block: fix splitting segments on boundary masks") Reported-by: Guenter Roeck Tested-by: Guenter Roeck Cc: Christoph Hellwig Tested-by: Steven Rostedt (VMware) Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- block/blk-merge.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/block/blk-merge.c b/block/blk-merge.c index 832a8dd61d4e..93cff719b066 100644 --- a/block/blk-merge.c +++ b/block/blk-merge.c @@ -164,8 +164,13 @@ static inline unsigned get_max_segment_size(const struct request_queue *q, unsigned long mask = queue_segment_boundary(q); offset = mask & (page_to_phys(start_page) + offset); - return min_t(unsigned long, mask - offset + 1, - queue_max_segment_size(q)); + + /* + * overflow may be triggered in case of zero page physical address + * on 32bit arch, use queue's max segment size when that happens. + */ + return min_not_zero(mask - offset + 1, + (unsigned long)queue_max_segment_size(q)); } /**