From 550f8f3b556cfd1f9190e3895511cf46659521d1 Mon Sep 17 00:00:00 2001 From: Hannes Reinecke Date: Wed, 14 Feb 2024 09:20:21 +0100 Subject: [PATCH] fs/buffer: restart block_read_full_folio() to avoid array overflow block_read_full_folio() uses an on-stack array to hold any buffer_heads which should be updated. The array is sized for the number of buffer_heads per PAGE_SIZE, which of course will overflow for large folios. So instead of increasing the size of the array (and thereby incurring a possible stack overflow for really large folios) stop the iteration when the array is filled up, submit these buffer_heads, and restart the iteration with the remaining buffer_heads. Signed-off-by: Hannes Reinecke --- fs/buffer.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/fs/buffer.c b/fs/buffer.c index fa88e300a946..41511193ae5c 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2349,7 +2349,7 @@ int block_read_full_folio(struct folio *folio, get_block_t *get_block) { struct inode *inode = folio->mapping->host; sector_t iblock, lblock; - struct buffer_head *bh, *head, *arr[MAX_BUF_PER_PAGE]; + struct buffer_head *bh, *head, *restart_bh = NULL, *arr[MAX_BUF_PER_PAGE]; size_t blocksize; int nr, i; int fully_mapped = 1; @@ -2366,6 +2366,7 @@ int block_read_full_folio(struct folio *folio, get_block_t *get_block) iblock = div_u64(folio_pos(folio), blocksize); lblock = div_u64(limit + blocksize - 1, blocksize); bh = head; +restart: nr = 0; i = 0; @@ -2400,7 +2401,12 @@ int block_read_full_folio(struct folio *folio, get_block_t *get_block) continue; } arr[nr++] = bh; - } while (i++, iblock++, (bh = bh->b_this_page) != head); + } while (i++, iblock++, (bh = bh->b_this_page) != head && nr < MAX_BUF_PER_PAGE); + + if (nr == MAX_BUF_PER_PAGE && bh != head) + restart_bh = bh; + else + restart_bh = NULL; if (fully_mapped) folio_set_mappedtodisk(folio); @@ -2433,6 +2439,15 @@ int block_read_full_folio(struct folio *folio, get_block_t *get_block) else submit_bh(REQ_OP_READ, bh); } + /* + * Found more buffers than 'arr' could hold, + * restart to submit the remaining ones. + */ + if (restart_bh) { + bh = restart_bh; + goto restart; + } + return 0; } EXPORT_SYMBOL(block_read_full_folio); -- 2.35.3