Re: [PATCH] Fix nasty 32-bit overflow bug in buffer i/o code.

From: Linus Torvalds <torvalds@linux-foundation.org>
To: Anton Altaparmakov <aia21@cam.ac.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Hugh Dickins <hughd@google.com>, stable <stable@vger.kernel.org>
Subject: Re: [PATCH] Fix nasty 32-bit overflow bug in buffer i/o code.
Date: Mon, 22 Sep 2014 08:18:44 -0700	[thread overview]
Message-ID: <CA+55aFyYpe=oyF9yVqF3E6t4ZCpHAdnLj1g36FWUDZydW9mdgQ@mail.gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.64.1409220042400.2595@hermes-1.csi.cam.ac.uk>

[-- Attachment #1: Type: text/plain, Size: 270 bytes --]

On Sun, Sep 21, 2014 at 5:53 PM, Anton Altaparmakov <aia21@cam.ac.uk> wrote:
>
> This patch fixes this issue by type casting "index" to sector_t before
> doing the left shift.

Ugh. Does the simpler patch to just pass in "block" work as well?

                    Linus

[-- Attachment #2: patch.diff --]
[-- Type: text/plain, Size: 936 bytes --]

 fs/buffer.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/fs/buffer.c b/fs/buffer.c
index 8f05111bbb8b..f32d6a3cff38 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -1021,8 +1021,7 @@ grow_dev_page(struct block_device *bdev, sector_t block,
 	if (page_has_buffers(page)) {
 		bh = page_buffers(page);
 		if (bh->b_size == size) {
-			end_block = init_page_buffers(page, bdev,
-						index << sizebits, size);
+			end_block = init_page_buffers(page, bdev, block, size);
 			goto done;
 		}
 		if (!try_to_free_buffers(page))
@@ -1043,7 +1042,7 @@ grow_dev_page(struct block_device *bdev, sector_t block,
 	 */
 	spin_lock(&inode->i_mapping->private_lock);
 	link_dev_buffers(page, bh);
-	end_block = init_page_buffers(page, bdev, index << sizebits, size);
+	end_block = init_page_buffers(page, bdev, block, size);
 	spin_unlock(&inode->i_mapping->private_lock);
 done:
 	ret = (block < end_block) ? 1 : -ENXIO;
