From: David Howells dhowells@redhat.com
commit 4ef4aee67eed640064fff95a693c0184cedb7bec upstream.
Fix cifs_limit_bvec_subset() so that it limits the span to the maximum specified and won't return with a size greater than max_size.
Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list") Cc: stable@vger.kernel.org # 6.3 Reported-by: Shyam Prasad N sprasad@microsoft.com Reviewed-by: Shyam Prasad N sprasad@microsoft.com Signed-off-by: David Howells dhowells@redhat.com cc: Steve French smfrench@gmail.com cc: Rohith Surabattula rohiths.msft@gmail.com cc: Paulo Alcantara pc@manguebit.com cc: Tom Talpey tom@talpey.com cc: Jeff Layton jlayton@kernel.org cc: linux-cifs@vger.kernel.org cc: linux-fsdevel@vger.kernel.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/cifs/file.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/file.c b/fs/cifs/file.c index ba7f2e09d6c8..df88b8c04d03 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -3353,9 +3353,10 @@ static size_t cifs_limit_bvec_subset(const struct iov_iter *iter, size_t max_siz while (n && ix < nbv) { len = min3(n, bvecs[ix].bv_len - skip, max_size); span += len; + max_size -= len; nsegs++; ix++; - if (span >= max_size || nsegs >= max_segs) + if (max_size == 0 || nsegs >= max_segs) break; skip = 0; n -= len;