dm-stripe: fix a possible integer overflow

There's a possible integer overflow in stripe_io_hints if we have too
large chunk size. Test if the overflow happened, and if it did, don't set
limits->io_min and limits->io_opt;

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Suggested-by: Dongsheng Yang <dongsheng.yang@linux.dev>
Cc: stable@vger.kernel.org

diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
index 58902091bf79b97df1bc653f1c3ce64b05e7a536..1461dc740dae6c774d6eb99c6a4cbda8e3f48644 100644 (file)
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -456,11 +456,15 @@ static void stripe_io_hints(struct dm_target *ti,
                            struct queue_limits *limits)
 {
        struct stripe_c *sc = ti->private;
-       unsigned int chunk_size = sc->chunk_size << SECTOR_SHIFT;
+       unsigned int io_min, io_opt;
 
        limits->chunk_sectors = sc->chunk_size;
-       limits->io_min = chunk_size;
-       limits->io_opt = chunk_size * sc->stripes;
+
+       if (!check_shl_overflow(sc->chunk_size, SECTOR_SHIFT, &io_min) &&
+           !check_mul_overflow(io_min, sc->stripes, &io_opt)) {
+               limits->io_min = io_min;
+               limits->io_opt = io_opt;
+       }
 }
 
 static struct target_type stripe_target = {