From: Changming Liu <charley.ashbringer@xxxxxxxxx> start, and len are 64 unsigned integers and purely from user-space, thus star + len can wrap-around and bypass the check at start + len > i_size_read(bdev->bd_inode) This overflowed value can cause trouble after passed in truncate_bdev_range. To fix this, a wrap-around check is added just like in blk_ioctl_zeroout, so that such the overflowed value can be rejected. Signed-off-by: Changming Liu <charley.ashbringer@xxxxxxxxx> --- block/ioctl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/block/ioctl.c b/block/ioctl.c index 3fbc382eb926..3fddb1fe5b35 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -133,6 +133,8 @@ static int blk_ioctl_discard(struct block_device *bdev, fmode_t mode, if (start + len > i_size_read(bdev->bd_inode)) return -EINVAL; + if (start + len < start) + return -EINVAL; err = truncate_bdev_range(bdev, mode, start, start + len - 1); if (err) -- 2.17.1
