3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Jens Axboe <axboe@xxxxxxxxx> commit bc811f05d77f47059c197a98b6ad242eb03999cb upstream. syzbot reports a divide-by-zero off the NBD_SET_BLKSIZE ioctl. We need proper validation of the input here. Not just if it's zero, but also if the value is a power-of-2 and in a valid range. Add that. Reported-by: syzbot <syzbot+25dbecbec1e62c6b0dd4@xxxxxxxxxxxxxxxxxxxxxxxxx> Reviewed-by: Josef Bacik <josef@xxxxxxxxxxxxxx> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> --- drivers/block/nbd.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -667,6 +667,9 @@ static int __nbd_ioctl(struct block_devi } case NBD_SET_BLKSIZE: + if (!arg || !is_power_of_2(arg) || arg < 512 || + arg > PAGE_SIZE) + return -EINVAL; nbd->blksize = arg; nbd->bytesize &= ~(nbd->blksize-1); bdev->bd_inode->i_size = nbd->bytesize;
