On Thu, Nov 18, 2021 at 03:08:06PM -0800, Tadeusz Struk wrote:
> Hi,
> This triggered in 5.10.77 yesterday [1], and I was able to
> reproduce it on 5.10.80 using the C repro from android-54 [2].
> What happens is that the function do_mpage_readpage() calls
> bdev_read_page() [3] passing in bdev == NULL, and bdev_read_page()
> crashes here [4]. This happens in 5.15 down to 5.10, but it is fixed
> in 5.16-rc1. I bisected it to the first good commit, which is:
>
> af3c570fb0df ("loop: Use blk_validate_block_size() to validate block size")
>
> The root cause seems to be loss of precision in loop_configure(),
> when it calls loop_validate_block_size() in [5]. The config->block_size
> is a uint32 and the bsize param passed to loop_validate_block_size() is
> unsigned short. The reproducer sets up a loop device with the block size
> equal to 0x20000400, which is bigger than USHRT_MAX.
> The loop_validate_block_size() returns 0, but uses the invalid size
> to set up the device. The new helper changes the bsize param type to uint,
> and the issue goes away.
>
> To fix this for the older kernels can we please have the two commits:
>
> 570b1cac4776 ("block: Add a helper to validate the block size")
> af3c570fb0df ("loop: Use blk_validate_block_size() to validate block size")
>
> applied to 5.15, 5.14, and 5.10.
> The first one needs to be backported, but the second applies cleanly.
> I will follow up with backports for each version in a few minutes.

All now queued up, thanks.

greg k-h
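The truncation the report describes, as an added illustration written for this page (it is not kernel source and not code from either poster): a u32 block size of 0x20000400 is silently narrowed to 0x0400 when passed to a validator whose parameter is unsigned short, so the range check passes while the caller goes on to use the full, out-of-range value. The validator body (512 <= bsize <= PAGE_SIZE, power of two), the PAGE_SIZE of 4096 and the configure_* wrappers are modeling assumptions, not quotations of the kernel's code.

```c
/* Added example, not kernel code. Models the loop block-size truncation
 * described in the thread: the validator body and MODEL_PAGE_SIZE below are
 * assumptions chosen to resemble a typical block-size check. */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define MODEL_PAGE_SIZE 4096u   /* assumption: 4 KiB pages */

static int is_power_of_2_u32(uint32_t n)
{
	return n != 0 && (n & (n - 1)) == 0;
}

/* Old shape: parameter is unsigned short, so a uint32_t argument is
 * truncated at the call boundary before the range check ever sees it. */
static int old_validate_block_size(unsigned short bsize)
{
	if (bsize < 512 || bsize > MODEL_PAGE_SIZE || !is_power_of_2_u32(bsize))
		return -EINVAL;
	return 0;
}

/* New shape: parameter is unsigned int, matching the u32 the caller holds,
 * so the check sees the same value the caller will later use. */
static int new_validate_block_size(unsigned int bsize)
{
	if (bsize < 512 || bsize > MODEL_PAGE_SIZE || !is_power_of_2_u32(bsize))
		return -EINVAL;
	return 0;
}

/* Mimics the caller: validate the user-supplied u32, then use it as the
 * device block size. Returns the block size the device would end up with,
 * or 0 when validation rejects the request. */
static uint32_t configure_old(uint32_t block_size)
{
	if (old_validate_block_size(block_size)) /* implicit u32 -> u16 */
		return 0;
	return block_size; /* the untruncated value is what gets used */
}

static uint32_t configure_new(uint32_t block_size)
{
	if (new_validate_block_size(block_size))
		return 0;
	return block_size;
}

int main(void)
{
	uint32_t bs = 0x20000400u; /* reproducer value from the thread */

	printf("0x%x as unsigned short = 0x%x\n", bs, (unsigned short)bs);
	printf("old validator: device block size 0x%x\n", configure_old(bs));
	printf("new validator: %s\n",
	       configure_new(bs) ? "accepted" : "rejected (-EINVAL)");
	return 0;
}
```

Compile with `cc -Wall -Wextra -Wconversion`: the implicit narrowing in configure_old is exactly the kind of conversion -Wconversion flags, which is a cheap way to catch this class of mismatch between a struct field's width and a validator's parameter type.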