Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp813770lqh; Thu, 28 Mar 2024 18:31:24 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWJN4Iv39mvbDixE0b3uv/y59iDIa3WaIe1gAlbJ+lQwqM+Cx90S6hCjnt0E3lHDtP0INi0C/h/sc24AM5JMUTbI2yLYXn2itDcLbAYIQ== X-Google-Smtp-Source: AGHT+IFjZe3mQOteSIeUMpElGehMTx044ijvAonII4NaKR+T/1SjUfn8cJpI8ZprYK/FbrYpQYcZ X-Received: by 2002:ac2:5e9c:0:b0:513:c4d9:a0d9 with SMTP id b28-20020ac25e9c000000b00513c4d9a0d9mr795990lfq.22.1711675884569; Thu, 28 Mar 2024 18:31:24 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711675884; cv=pass; d=google.com; s=arc-20160816; b=NTLoRiBTXDcJy72BcduwaCwlWNiXVaGEBSTheSuGPh4/1VO1xyxPJV8MWirzE/5eRT Vnu7L1DhRo1OLI5enH8FGi+vpDxOw6vKHJEsWAn+/ESH6XubCDJcBVw56DPh3FvL91Hw bl9ASocxQMqWxslKkpkSThYHlwNomHkfOohschOC5YBm7qRdAH4w/BWAJ8lHhScSsEc/ GUTpVSVZ4FHLxeS7iU1jFr0lxvDvcGrg/Y9scHIJXr+PjnoO42XWpIbl1ZHEq7nI3ocK D4zctBr/DBCVnX6US1citruw269Dqwd67z98uqJQBhS+JQ8Sc0fHQI/1vPmrGc0i8YvO gFvw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from; bh=C8plX7TmVtBf9up+B5JnzvZ6RF6pgrSxi38HmzGmNkA=; fh=DLadoqZbJeN2dYaZfEwLg+rG+CjPthlwWN84Bibt+xo=; b=v0Ce6imKsrFGjnWu7nPbEYUNN8AAb60v45yqHkeOG/wUw4MDyJPlEVAn+F6CWV0O/l 9CM/39q1mn7deH8cs1Ue5ctSSwN5rCBW2Vz2DQTluUcj/B9a/3dFTqreBRgLj+S81Khd rDvGHNvmrvvlaR389utINrSiWQYBr2cKzdcCl1DUG7HpLrIWnQXv+gM9S/VcKHuqtbLu IT5UQQkNhEM84T9EILirKKfN4x7AfM4b7wJZcdodbPQgEl33/RuKu3yCu9tVoEAS6OLt 8HHoBVstX4kMtTC1cIYcoKRBzL8qyCMk/hQDWjObLDi8cunf+zGVyBEPMSI9kr4tAurx BWHQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-123962-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-123962-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id gz25-20020a170906f2d900b00a46651b0961si1238334ejb.282.2024.03.28.18.31.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Mar 2024 18:31:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-123962-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-123962-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-123962-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 187E91F2271E for ; Fri, 29 Mar 2024 01:31:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C1C6B182AF; Fri, 29 Mar 2024 01:31:16 +0000 (UTC) Received: from dggsgout11.his.huawei.com (unknown [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 468AF17576; Fri, 29 Mar 2024 01:31:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711675876; cv=none; b=Zv8Xzcx5Q0JKzYdIDu2IgXuCuZedHExrwLe/NdWV+IvKZmL42gQMtWsrKKkuDFL5Mh76iwbYuBJtwURE/BzSmc9V5pq/64ghxY6ONnWhGClMk1c+b4cOOJxBW54W8m8iJ80HuPoBumqr8+hKLq6izfW08B718icuP6UGVgfgbzk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711675876; c=relaxed/simple; bh=dUzneKDmKI2/ZqHcy7SUm51OUjy4WueE8rOc8uA+kn8=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=aHaVQTtPabRh65fR59s0SZPfX/v6ersH6g9bx6G4FTE4RG39MKXXBPJblSOdVYGSeRFrs6YGQJFmE6YrVDH2EvQATizC5JbE6mNWFw9UsuHhOBSOMtLoBsetv0PeVTq/Z7w1YRXKopsipoDJbrrzGCIRumGsk+gpDnLz4biKfGQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.235]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4V5NCX2pmWz4f3kKj; Fri, 29 Mar 2024 09:31:04 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.112]) by mail.maildlp.com (Postfix) with ESMTP id 7459B1A0232; Fri, 29 Mar 2024 09:31:08 +0800 (CST) Received: from huaweicloud.com (unknown [10.175.104.67]) by APP1 (Coremail) with SMTP id cCh0CgAn+RHSGQZm1waRIQ--.26612S4; Fri, 29 Mar 2024 09:31:00 +0800 (CST) From: linan666@huaweicloud.com To: axboe@kernel.dk Cc: hch@lst.de, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, linan666@huaweicloud.com, yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com Subject: [PATCH] block: fix overflow in blk_ioctl_discard() Date: Fri, 29 Mar 2024 09:23:19 +0800 Message-Id: <20240329012319.2034550-1-linan666@huaweicloud.com> X-Mailer: git-send-email 2.39.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID:cCh0CgAn+RHSGQZm1waRIQ--.26612S4 X-Coremail-Antispam: 1UD129KBjvdXoWrZw18WryUXF4xtr15ZFWxXrb_yoWkJFX_Wr yFvrykKrWrAF93Crs0kF15XrnY9rs7Cr1Ikr1rGry2qF47JF1rAryxXFnrZr4DXFW8uay3 ZFsxXF4vvr1S9jkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUIcSsGvfJTRUUUbsAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k26cxKx2IYs7xG 6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w A2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr1j 6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAac4AC62xK8xCEY4vEwIxC4wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC 0VAKzVAqx4xG6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr 1lOx8S6xCaFVCjc4AY6r1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IE rcIFxwAKzVCY07xG64k0F24l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr 1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE 14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7 IYx2IY6xkF7I0E14v26r1j6r4UMIIF0xvE42xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvE x4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2KfnxnU UI43ZEXa7VUbSApUUUUUU== X-CM-SenderInfo: polqt0awwwqx5xdzvxpfor3voofrz/ From: Li Nan There is no check for overflow of 'start + len' in blk_ioctl_discard(). Hung task occurs if submit an discard ioctl with the following param: start = 0x80000000000ff000, len = 0x8000000000fff000; Add the overflow validation now. Signed-off-by: Li Nan --- block/ioctl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/block/ioctl.c b/block/ioctl.c index 0c76137adcaa..a9028a2c2db5 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -96,7 +96,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode, unsigned long arg) { uint64_t range[2]; - uint64_t start, len; + uint64_t start, len, end; struct inode *inode = bdev->bd_inode; int err; @@ -117,7 +117,8 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode, if (len & 511) return -EINVAL; - if (start + len > bdev_nr_bytes(bdev)) + if (check_add_overflow(start, len, &end) || + end > bdev_nr_bytes(bdev)) return -EINVAL; filemap_invalidate_lock(inode->i_mapping); -- 2.39.2