block: prevent an integer overflow in bvec_try_merge_hw_page

[ Upstream commit 3f034c374ad55773c12dd8f3c1607328e17c0072 ]

Reordered a check to avoid a possible overflow when adding len to bv_len.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Link: https://lore.kernel.org/r/20231204173419.782378-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/block/bio.c b/block/bio.c
index b729f0240082691ff5831c27b2d43629110fcbe5..6f7a1aa9ea2254171604450b76f613d21ea24735 100644 (file)
--- a/block/bio.c
+++ b/block/bio.c
@@ -770,7 +770,7 @@ static bool bio_try_merge_hw_seg(struct request_queue *q, struct bio *bio,
 
        if ((addr1 | mask) != (addr2 | mask))
                return false;
-       if (bv->bv_len + len > queue_max_segment_size(q))
+       if (len > queue_max_segment_size(q) - bv->bv_len)
                return false;
        return __bio_try_merge_page(bio, page, len, offset, same_page);
 }