From 4bd6d63dc5e89f1165b3c4403b019bab953d9fe0 Mon Sep 17 00:00:00 2001
From: Fedor Uporov <fsu@FreeBSD.org>
Date: Sun, 17 May 2020 14:10:46 +0000
Subject: [PATCH] Restrict the max runp and runb return values in case of
 extents mapping.

This restriction already present in case of indirect mapping, do the same
in case of extents.

PR:		246182
Reported by:	Teran McKinney
MFC after:	2 weeks
---
 sys/fs/ext2fs/ext2_bmap.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/sys/fs/ext2fs/ext2_bmap.c b/sys/fs/ext2fs/ext2_bmap.c
index 5d159b8ec15..8991a7e8fde 100644
--- a/sys/fs/ext2fs/ext2_bmap.c
+++ b/sys/fs/ext2fs/ext2_bmap.c
@@ -94,21 +94,28 @@ ext4_bmapext(struct vnode *vp, int32_t bn, int64_t *bnp, int *runp, int *runb)
 {
 	struct inode *ip;
 	struct m_ext2fs *fs;
+	struct mount *mp;
+	struct ext2mount *ump;
 	struct ext4_extent_header *ehp;
 	struct ext4_extent *ep;
 	struct ext4_extent_path *path = NULL;
 	daddr_t lbn;
-	int error, depth;
+	int error, depth, maxrun = 0, bsize;
 
 	ip = VTOI(vp);
 	fs = ip->i_e2fs;
+	mp = vp->v_mount;
+	ump = VFSTOEXT2(mp);
 	lbn = bn;
 	ehp = (struct ext4_extent_header *)ip->i_data;
 	depth = ehp->eh_depth;
+	bsize = EXT2_BLOCK_SIZE(ump->um_e2fs);
 
 	*bnp = -1;
-	if (runp != NULL)
+	if (runp != NULL) {
+		maxrun = mp->mnt_iosize_max / bsize - 1;
 		*runp = 0;
+	}
 	if (runb != NULL)
 		*runb = 0;
 
@@ -119,18 +126,21 @@ ext4_bmapext(struct vnode *vp, int32_t bn, int64_t *bnp, int *runp, int *runb)
 	ep = path[depth].ep_ext;
 	if(ep) {
 		if (lbn < ep->e_blk) {
-			if (runp != NULL)
-				*runp = ep->e_blk - lbn - 1;
+			if (runp != NULL) {
+				*runp = min(maxrun, ep->e_blk - lbn - 1);
+			}
 		} else if (ep->e_blk <= lbn && lbn < ep->e_blk + ep->e_len) {
 			*bnp = fsbtodb(fs, lbn - ep->e_blk +
 			    (ep->e_start_lo | (daddr_t)ep->e_start_hi << 32));
-			if (runp != NULL)
-				*runp = ep->e_len - (lbn - ep->e_blk) - 1;
+			if (runp != NULL) {
+				*runp = min(maxrun,
+				    ep->e_len - (lbn - ep->e_blk) - 1);
+			}
 			if (runb != NULL)
-				*runb = lbn - ep->e_blk;
+				*runb = min(maxrun, lbn - ep->e_blk);
 		} else {
 			if (runb != NULL)
-				*runb = ep->e_blk + lbn - ep->e_len;
+				*runb = min(maxrun, ep->e_blk + lbn - ep->e_len);
 		}
 	}