From: Christoph Hellwig <hch@lst.de>
commit 3eb96946f0be6bf447cbdf219aba22bc42672f92 upstream.
This patch is a backport.
Since the dawn of time bio_check_eod has a check for a non-zero size of the device. This doesn't really make any sense as we never want to send I/O to a device that's been set to zero size, or never moved out of that.
I am a bit surprised we haven't caught this for a long time, but the removal of the extra validation inside of zram caused syzbot to trip over this issue recently. I've added a Fixes tag for that commit, but the issue really goes back way before git history.
Fixes: 9fe95babc742 ("zram: remove valid_io_request")
Reported-by: syzbot+2aca91e1d3ae43aef10c@syzkaller.appspotmail.com
Bug: https://syzkaller.appspot.com/bug?extid=2aca91e1d3ae43aef10c
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20230524060538.1593686-1-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 3eb96946f0be6bf447cbdf219aba22bc42672f92)
Signed-off-by: Miguel García <miguelgarciaroman8@gmail.com>
---
 block/blk-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-core.c b/block/blk-core.c index 94941e3ce219..6a66f4f6912f 100644 --- a/block/blk-core.c +++ b/block/blk-core.c @@ -515,7 +515,7 @@ static inline int bio_check_eod(struct bio *bio) sector_t maxsector = bdev_nr_sectors(bio->bi_bdev); unsigned int nr_sectors = bio_sectors(bio);
- if (nr_sectors && maxsector && + if (nr_sectors && (nr_sectors > maxsector || bio->bi_iter.bi_sector > maxsector - nr_sectors)) { pr_info_ratelimited("%s: attempt to access beyond end of device\n"
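Review bot: the unsigned subtraction `maxsector - nr_sectors` in the new condition is only safe because `nr_sectors > maxsector` is tested first and short-circuits. With the `maxsector &&` guard gone, the zero-sized-device case now relies on that ordering as well, so a one-line comment above the `if` in bio_check_eod saying so would keep a later reorder from wrapping the value. Separately, the changelog says only "This patch is a backport" and does not name the target stable tree or say why that tree needs the fix, given that the Fixes: tag points at 9fe95babc742; please add that justification.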
On Sat, Apr 12, 2025 at 12:24:24PM +0200, Miguel García wrote:
> From: Christoph Hellwig <hch@lst.de>
> commit 3eb96946f0be6bf447cbdf219aba22bc42672f92 upstream.
> This patch is a backport.
Why? What requires this change? I don't see the justification for this, especially:
> Fixes: 9fe95babc742 ("zram: remove valid_io_request")
That commit is in 6.4, NOT 6.1.y, so why does 6.1.y need this?
thanks,
greg k-h
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 3eb96946f0be6bf447cbdf219aba22bc42672f92
WARNING: Author mismatch between patch and upstream commit:
Backport author: miguelgarciaroman8@gmail.com
Commit author: Christoph Hellwig <hch@lst.de>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
Note: The patch differs from the upstream commit: --- 1: 3eb96946f0be6 ! 1: 6a6f180aae691 block: make bio_check_eod work for zero sized devices @@ Metadata ## Commit message ## block: make bio_check_eod work for zero sized devices
+ commit 3eb96946f0be6bf447cbdf219aba22bc42672f92 upstream. + + This patch is a backport. + Since the dawn of time bio_check_eod has a check for a non-zero size of the device. This doesn't really make any sense as we never want to send I/O to a device that's been set to zero size, or never moved out of that. @@ Commit message the issue really goes back way before git history.
Fixes: 9fe95babc742 ("zram: remove valid_io_request") - Reported-by: syzbot+b8d61a58b7c7ebd2c8e0@syzkaller.appspotmail.com + Reported-by: syzbot+2aca91e1d3ae43aef10c@syzkaller.appspotmail.com + Bug: https://syzkaller.appspot.com/bug?extid=2aca91e1d3ae43aef10c Signed-off-by: Christoph Hellwig hch@lst.de Link: https://lore.kernel.org/r/20230524060538.1593686-1-hch@lst.de Signed-off-by: Jens Axboe axboe@kernel.dk + (cherry picked from commit 3eb96946f0be6bf447cbdf219aba22bc42672f92) + Signed-off-by: Miguel García miguelgarciaroman8@gmail.com
## block/blk-core.c ## @@ block/blk-core.c: static inline int bio_check_eod(struct bio *bio) ---
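Review bot: the Reported-by trailer was changed from the upstream value (syzbot+b8d61a58b7c7ebd2c8e0) to syzbot+2aca91e1d3ae43aef10c, and a Bug: link was added inside the original author's tag block. A backport should carry the upstream trailers unchanged; put any additional reporter or bug reference after the "(cherry picked from ...)" line, next to the backporter's Signed-off-by, with a bracketed note saying who added it.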
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        | Success     | Success    |
linux-stable-mirror@lists.linaro.org