From: Jens Axboe <jaxboe@fusionio.com>
Date: Fri, 29 Oct 2010 17:46:56 +0000 (-0600)
Subject: block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
X-Git-Tag: firefly_0821_release~9833^2~79^2^2~286
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=e085dd9e936199e6e57bd80de7748b8cdcf9c2ff;p=firefly-linux-kernel-4.4.55.git

block: limit vec count in bio_kmalloc() and bio_alloc_map_data()

commit f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/fs/bio.c b/fs/bio.c
index 8abb2dfb2e7c..8317a2c106bc 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -370,6 +370,9 @@ struct bio *bio_kmalloc(gfp_t gfp_mask, int nr_iovecs)
 {
 	struct bio *bio;
 
+	if (nr_iovecs > UIO_MAXIOV)
+		return NULL;
+
 	bio = kmalloc(sizeof(struct bio) + nr_iovecs * sizeof(struct bio_vec),
 		      gfp_mask);
 	if (unlikely(!bio))
@@ -697,8 +700,12 @@ static void bio_free_map_data(struct bio_map_data *bmd)
 static struct bio_map_data *bio_alloc_map_data(int nr_segs, int iov_count,
 					       gfp_t gfp_mask)
 {
-	struct bio_map_data *bmd = kmalloc(sizeof(*bmd), gfp_mask);
+	struct bio_map_data *bmd;
+
+	if (iov_count > UIO_MAXIOV)
+		return NULL;
 
+	bmd = kmalloc(sizeof(*bmd), gfp_mask);
 	if (!bmd)
 		return NULL;