diff options
authorMing Lei <>2019-04-17 09:11:26 +0800
committerJens Axboe <>2019-04-19 11:32:14 -0600
commit6bedf00e55e5dd0a4ed1ad3f06131edd6fb56ec8 (patch)
parentb40fabc05ea047f6af5933d26a5483873340b0d4 (diff)
block: make sure that bvec length can't be overflowfor-linus-20190420
bvec->bv_offset may be bigger than PAGE_SIZE sometimes, such as, when one bio is splitted in the middle of one bvec via bio_split(), and bi_iter.bi_bvec_done is used to build offset of the 1st bvec of remained bio. And the remained bio's bvec may be re-submitted to fs layer via ITER_IBVEC, such as loop and nvme-loop. So we have to make sure that every bvec's offset is less than PAGE_SIZE from bio_for_each_segment_all() because some drivers(loop, nvme-loop) passes the splitted bvec to fs layer via ITER_BVEC. This patch fixes this issue reported by Zhang Yi When running nvme/011. Cc: Christoph Hellwig <> Cc: Yi Zhang <> Reported-by: Yi Zhang <> Reviewed-by: Christoph Hellwig <> Fixes: 6dc4f100c175 ("block: allow bio_for_each_segment_all() to iterate over multi-page bvec") Signed-off-by: Ming Lei <> Signed-off-by: Jens Axboe <>
1 files changed, 3 insertions, 2 deletions
diff --git a/include/linux/bvec.h b/include/linux/bvec.h
index 3bc91879e1e2..ff13cbc1887d 100644
--- a/include/linux/bvec.h
+++ b/include/linux/bvec.h
@@ -160,8 +160,9 @@ static inline void bvec_advance(const struct bio_vec *bvec,
bv->bv_page = nth_page(bv->bv_page, 1);
bv->bv_offset = 0;
} else {
- bv->bv_page = bvec->bv_page;
- bv->bv_offset = bvec->bv_offset;
+ bv->bv_page = bvec_nth_page(bvec->bv_page, bvec->bv_offset /
+ bv->bv_offset = bvec->bv_offset & ~PAGE_MASK;
bv->bv_len = min_t(unsigned int, PAGE_SIZE - bv->bv_offset,
bvec->bv_len - iter_all->done);