From f44994874bd829250fb869b5d01da409d2c4da09 Mon Sep 17 00:00:00 2001
From: Mark Johnston <markj@FreeBSD.org>
Date: Wed, 11 Nov 2020 13:48:07 +0000
Subject: ffs: Clamp BIO_SPEEDUP length

On 32-bit platforms, the computed size of the BIO_SPEEDUP requested by
softdep_request_cleanup() may be negative when assigned to bp->b_bcount,
which has type "long".

Clamp the size to LONG_MAX.  Also convert the unused g_io_speedup() to
use an off_t for the magnitude of the shortage for consistency with
softdep_send_speedup().

Reviewed by:	chs, kib
Reported by:	pho
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D27081
---
 sys/geom/geom.h           | 3 ++-
 sys/geom/geom_io.c        | 6 +++---
 sys/ufs/ffs/ffs_softdep.c | 4 ++--
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/sys/geom/geom.h b/sys/geom/geom.h
index 25cf0131355d..cb294e2c7451 100644
--- a/sys/geom/geom.h
+++ b/sys/geom/geom.h
@@ -334,7 +334,8 @@ void g_io_deliver(struct bio *bp, int error);
 int g_io_getattr(const char *attr, struct g_consumer *cp, int *len, void *ptr);
 int g_io_zonecmd(struct disk_zone_args *zone_args, struct g_consumer *cp);
 int g_io_flush(struct g_consumer *cp);
-int g_io_speedup(size_t shortage, u_int flags, size_t *resid, struct g_consumer *cp);
+int g_io_speedup(off_t shortage, u_int flags, size_t *resid,
+    struct g_consumer *cp);
 void g_io_request(struct bio *bp, struct g_consumer *cp);
 struct bio *g_new_bio(void);
 struct bio *g_alloc_bio(void);
diff --git a/sys/geom/geom_io.c b/sys/geom/geom_io.c
index 12e084e14b86..0e857aa3ce10 100644
--- a/sys/geom/geom_io.c
+++ b/sys/geom/geom_io.c
@@ -341,15 +341,15 @@ g_io_zonecmd(struct disk_zone_args *zone_args, struct g_consumer *cp)
  * operation should be done.
  */
 int
-g_io_speedup(size_t shortage, u_int flags, size_t *resid, struct g_consumer *cp)
+g_io_speedup(off_t shortage, u_int flags, size_t *resid, struct g_consumer *cp)
 {
 	struct bio *bp;
 	int error;
 
 	KASSERT((flags & (BIO_SPEEDUP_TRIM | BIO_SPEEDUP_WRITE)) != 0,
 	    ("Invalid flags passed to g_io_speedup: %#x", flags));
-	g_trace(G_T_BIO, "bio_speedup(%s, %zu, %#x)", cp->provider->name,
-	    shortage, flags);
+	g_trace(G_T_BIO, "bio_speedup(%s, %jd, %#x)", cp->provider->name,
+	    (intmax_t)shortage, flags);
 	bp = g_new_bio();
 	if (bp == NULL)
 		return (ENOMEM);
diff --git a/sys/ufs/ffs/ffs_softdep.c b/sys/ufs/ffs/ffs_softdep.c
index fd0a3197008f..6b9c6c30629f 100644
--- a/sys/ufs/ffs/ffs_softdep.c
+++ b/sys/ufs/ffs/ffs_softdep.c
@@ -1464,7 +1464,7 @@ worklist_speedup(mp)
 }
 
 static void
-softdep_send_speedup(struct ufsmount *ump, size_t shortage, u_int flags)
+softdep_send_speedup(struct ufsmount *ump, off_t shortage, u_int flags)
 {
 	struct buf *bp;
 
@@ -1474,7 +1474,7 @@ softdep_send_speedup(struct ufsmount *ump, size_t shortage, u_int flags)
 	bp = malloc(sizeof(*bp), M_TRIM, M_WAITOK | M_ZERO);
 	bp->b_iocmd = BIO_SPEEDUP;
 	bp->b_ioflags = flags;
-	bp->b_bcount = shortage;
+	bp->b_bcount = omin(shortage, LONG_MAX);
 	g_vfs_strategy(ump->um_bo, bp);
 	bufwait(bp);
 	free(bp, M_TRIM);
-- 
cgit v1.2.3