Re: general protection fault in bdev_read_page

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 18, 2021 at 03:08:06PM -0800, Tadeusz Struk wrote:
> Hi,
> This has triggered in 5.10.77 yesterday [1], and I was able to
> reproduce it on 5.10.80 using the C repro from android-54 [2].
> What happens is that the function do_mpage_readpage() calls
> bdev_read_page() [3] passing in bdev == NULL, and bdev_read_page()
> crashes here [4]. This happens in 5.15 down to 5.10, but it is fixed
> in 5.16-rc1. I bisected it to the first good commit, which is:
> 
> af3c570fb0df ("loop: Use blk_validate_block_size() to validate block size")
> 
> The root cause seems to be loss of precision in loop_configure(),
> when it calls loop_validate_block_size() in [5]. The config->block_size
> is an uint32 and the bsize param passed to loop_validate_block_size() is
> unsigned short. The reproducer sets up a loop device with the block size
> equal to 0x20000400, which is bigger than USHRT_MAX.
> The loop_validate_block_size() returns 0, but uses the invalid size
> to setup the device. The new helper changes the bsize param type to uint,
> and the issue goes away.
> 
> To fix this for the older kernels can we please have the two commits:
> 
> 570b1cac4776 ("block: Add a helper to validate the block size")
> af3c570fb0df ("loop: Use blk_validate_block_size() to validate block size")
> 
> applied to 5.15, 5.14, and 5.10.
> The first one needs to be back ported, but the second applies cleanly.
> I will follow up back ports for each version in few minutes.

All now queued up, thanks.

greg k-h



[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux