[PATCH] block: no show partitions if partno corrupted

[PATCH] block: no show partitions if partno corrupted

[Edward Adam Davis]

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 block/genhd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
-		if (!bdev_nr_sectors(part))
+		int partno = bdev_partno(part);
+
+		if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
-- 
2.47.0

Re: [syzbot] [fs?] KASAN: global-out-of-bounds Read in number

[syzbot]

syzbot has bisected this issue to:

commit 8d4826cc8a8aca01a3b5e95438dfc0eb3bd589ab
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Dec 19 21:52:53 2024 +0000

    vsnprintf: collapse the number format state into one single state

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16342a18580000
start commit:   7b4b9bf203da Add linux-next specific files for 20250107
git tree:       linux-next
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15342a18580000
console output: https://syzkaller.appspot.com/x/log.txt?x=11342a18580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=63fa2c9d5e12faef
dashboard link: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=174f0a18580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=168aecb0580000

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Fixes: 8d4826cc8a8a ("vsnprintf: collapse the number format state into one single state")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Re: [PATCH] block: no show partitions if partno corrupted

[Hannes Reinecke]

On 1/14/25 03:28, Edward Adam Davis wrote:
> syzbot reported a global-out-of-bounds in number. [1]
> 
> Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
> array.
> 
> To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.
> 
> [1]
> BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
> Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832
> 
> CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
>   <TASK>
>   __dump_stack lib/dump_stack.c:94 [inline]
>   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>   print_address_description mm/kasan/report.c:378 [inline]
>   print_report+0x169/0x550 mm/kasan/report.c:489
>   kasan_report+0x143/0x180 mm/kasan/report.c:602
>   number+0x3be/0xf40 lib/vsprintf.c:494
>   pointer+0x764/0x1210 lib/vsprintf.c:2484
>   vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
>   seq_vprintf fs/seq_file.c:391 [inline]
>   seq_printf+0x172/0x270 fs/seq_file.c:406
>   show_partition+0x29f/0x3f0 block/genhd.c:905
>   seq_read_iter+0x969/0xd70 fs/seq_file.c:272
>   proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
>   copy_splice_read+0x63a/0xb40 fs/splice.c:365
>   do_splice_read fs/splice.c:985 [inline]
>   splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
>   do_splice_direct_actor fs/splice.c:1207 [inline]
>   do_splice_direct+0x289/0x3e0 fs/splice.c:1233
>   do_sendfile+0x564/0x8a0 fs/read_write.c:1363
>   __do_sys_sendfile64 fs/read_write.c:1424 [inline]
>   __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
> Tested-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
>   block/genhd.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>   
>   	rcu_read_lock();
>   	xa_for_each(&sgp->part_tbl, idx, part) {
> -		if (!bdev_nr_sectors(part))
> +		int partno = bdev_partno(part);
> +
> +		if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>   			continue;
>   		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>   			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
Maybe a warning is in order; when we are hitting this issue it means
that linux has a limitation on causing it to ignore the (otherwise 
valid) partition entry.

Otherwise looks good.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

[PATCH V2] block: no show partitions if partno corrupted

[Edward Adam Davis]

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning

 block/genhd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..8d539a4a3b37 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
-		if (!bdev_nr_sectors(part))
+		int partno = bdev_partno(part);
+
+		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
-- 
2.47.0

Re: [PATCH V2] block: no show partitions if partno corrupted

[Jens Axboe]

On 1/14/25 1:51 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..8d539a4a3b37 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>  	rcu_read_lock();
>  	xa_for_each(&sgp->part_tbl, idx, part) {
> -		if (!bdev_nr_sectors(part))
> +		int partno = bdev_partno(part);
> +
> +		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
>  			continue;
>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>  			   MAJOR(part->bd_dev), MINOR(part->bd_dev),

This should be a WARN_ON_ONCE(), and please put warn-on's on a separate
line.

-- 
Jens Axboe

[PATCH V3] block: no show partitions if partno corrupted

[Edward Adam Davis]

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning
V2 -> V3: replace to WARN_ON_ONCE on a separate line

 block/genhd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..3a9c36ad6bbd 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
+		int partno = bdev_partno(part);
+
+		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
 		if (!bdev_nr_sectors(part))
 			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
-- 
2.47.0

Re: [PATCH V3] block: no show partitions if partno corrupted

[Jens Axboe]

On 1/14/25 7:58 AM, Edward Adam Davis wrote:
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..3a9c36ad6bbd 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>  	rcu_read_lock();
>  	xa_for_each(&sgp->part_tbl, idx, part) {
> +		int partno = bdev_partno(part);
> +
> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>  		if (!bdev_nr_sectors(part))
>  			continue;
>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",

Surely you still want to continue for that condition?

-- 
Jens Axboe

Re: [PATCH V3] block: no show partitions if partno corrupted

[Edward Adam Davis]

On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
> > diff --git a/block/genhd.c b/block/genhd.c
> > index 9130e163e191..3a9c36ad6bbd 100644
> > --- a/block/genhd.c
> > +++ b/block/genhd.c
> > @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
> >
> >  	rcu_read_lock();
> >  	xa_for_each(&sgp->part_tbl, idx, part) {
> > +		int partno = bdev_partno(part);
> > +
> > +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> >  		if (!bdev_nr_sectors(part))
> >  			continue;
> >  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
> 
> Surely you still want to continue for that condition?
No.
But like following, ok?
diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..142b13620f0c 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
 
        rcu_read_lock();
        xa_for_each(&sgp->part_tbl, idx, part) {
-               if (!bdev_nr_sectors(part))
+               int partno = bdev_partno(part);
+
+               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
+               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
                        continue;
                seq_printf(seqf, "%4d  %7d %10llu %pg\n",
                           MAJOR(part->bd_dev), MINOR(part->bd_dev),

Re: [PATCH V3] block: no show partitions if partno corrupted

[Jens Axboe]

On 1/14/25 8:15 AM, Edward Adam Davis wrote:
> On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
>>> diff --git a/block/genhd.c b/block/genhd.c
>>> index 9130e163e191..3a9c36ad6bbd 100644
>>> --- a/block/genhd.c
>>> +++ b/block/genhd.c
>>> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>>>
>>>  	rcu_read_lock();
>>>  	xa_for_each(&sgp->part_tbl, idx, part) {
>>> +		int partno = bdev_partno(part);
>>> +
>>> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>>>  		if (!bdev_nr_sectors(part))
>>>  			continue;
>>>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>
>> Surely you still want to continue for that condition?
> No.

No?

> But like following, ok?
> diff --git a/block/genhd.c b/block/genhd.c
> index 9130e163e191..142b13620f0c 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
>  
>         rcu_read_lock();
>         xa_for_each(&sgp->part_tbl, idx, part) {
> -               if (!bdev_nr_sectors(part))
> +               int partno = bdev_partno(part);
> +
> +               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
> +               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>                         continue;
>                 seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>                            MAJOR(part->bd_dev), MINOR(part->bd_dev),

That's just silly...

	xa_for_each(&sgp->part_tbl, idx, part) {
		int partno = bdev_partno(part);

		if (!bdev_nr_sectors(part))
			continue;
		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
			continue;

		...
	}

-- 
Jens Axboe

[PATCH V4] block: no show partitions if partno corrupted

[Edward Adam Davis]

syzbot reported a global-out-of-bounds in number. [1]

Corrupted partno causes out-of-bounds access when accessing the hex_asc_upper
array.

To avoid this issue, skip partitions with partno greater than DISK_MAX_PARTS.

[1]
BUG: KASAN: global-out-of-bounds in number+0x3be/0xf40 lib/vsprintf.c:494
Read of size 1 at addr ffffffff8c5fc971 by task syz-executor351/5832

CPU: 0 UID: 0 PID: 5832 Comm: syz-executor351 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 number+0x3be/0xf40 lib/vsprintf.c:494
 pointer+0x764/0x1210 lib/vsprintf.c:2484
 vsnprintf+0x75a/0x1220 lib/vsprintf.c:2846
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x172/0x270 fs/seq_file.c:406
 show_partition+0x29f/0x3f0 block/genhd.c:905
 seq_read_iter+0x969/0xd70 fs/seq_file.c:272
 proc_reg_read_iter+0x1c2/0x290 fs/proc/inode.c:299
 copy_splice_read+0x63a/0xb40 fs/splice.c:365
 do_splice_read fs/splice.c:985 [inline]
 splice_direct_to_actor+0x4af/0xc80 fs/splice.c:1089
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x289/0x3e0 fs/splice.c:1233
 do_sendfile+0x564/0x8a0 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64+0x17c/0x1e0 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+fcee6b76cf2e261c51a4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fcee6b76cf2e261c51a4
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Add a warning
V2 -> V3: replace to WARN_ON_ONCE on a separate line
V3 -> V4: add continue

 block/genhd.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index 9130e163e191..a9a1d5a429aa 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -890,8 +890,12 @@ static int show_partition(struct seq_file *seqf, void *v)
 
 	rcu_read_lock();
 	xa_for_each(&sgp->part_tbl, idx, part) {
+		int partno = bdev_partno(part);
+
 		if (!bdev_nr_sectors(part))
 			continue;
+		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
+			continue;
 		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
 			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
 			   bdev_nr_sectors(part) >> 1, part);
-- 
2.47.0

Re: [PATCH V3] block: no show partitions if partno corrupted

[Edward Adam Davis]

On Tue, 14 Jan 2025 08:25:13 -0700, Jens Axboe wrote:
>> On Tue, 14 Jan 2025 08:02:15 -0700, Jens Axboe wrote:
>>>> diff --git a/block/genhd.c b/block/genhd.c
>>>> index 9130e163e191..3a9c36ad6bbd 100644
>>>> --- a/block/genhd.c
>>>> +++ b/block/genhd.c
>>>> @@ -890,6 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
>>>>
>>>>  	rcu_read_lock();
>>>>  	xa_for_each(&sgp->part_tbl, idx, part) {
>>>> +		int partno = bdev_partno(part);
>>>> +
>>>> +		WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>>>>  		if (!bdev_nr_sectors(part))
>>>>  			continue;
>>>>  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>>
>>> Surely you still want to continue for that condition?
>> No.
>
>No?
>
>> But like following, ok?
>> diff --git a/block/genhd.c b/block/genhd.c
>> index 9130e163e191..142b13620f0c 100644
>> --- a/block/genhd.c
>> +++ b/block/genhd.c
>> @@ -890,7 +890,10 @@ static int show_partition(struct seq_file *seqf, void *v)
>>
>>         rcu_read_lock();
>>         xa_for_each(&sgp->part_tbl, idx, part) {
>> -               if (!bdev_nr_sectors(part))
>> +               int partno = bdev_partno(part);
>> +
>> +               WARN_ON_ONCE(partno >= DISK_MAX_PARTS);
>> +               if (!bdev_nr_sectors(part) || partno >= DISK_MAX_PARTS)
>>                         continue;
>>                 seq_printf(seqf, "%4d  %7d %10llu %pg\n",
>>                            MAJOR(part->bd_dev), MINOR(part->bd_dev),
>
>That's just silly...
I checked WARN_ON_ONCE(), and when the condition is met, the subsequent
WARN_ON_ONCE() will still return true, so adding it will not affect the
judgment of the condition.
It just issues a warning the first time the condition is met, and it will
still return true if the condition is true.
>
>	xa_for_each(&sgp->part_tbl, idx, part) {
>		int partno = bdev_partno(part);
>
>		if (!bdev_nr_sectors(part))
>			continue;
>		if (WARN_ON_ONCE(partno >= DISK_MAX_PARTS))
>			continue;
>
>		...
>	}

Edward

Re: [PATCH V2] block: no show partitions if partno corrupted

[Christoph Hellwig]

On Tue, Jan 14, 2025 at 07:16:31AM -0700, Jens Axboe wrote:
> On 1/14/25 1:51 AM, Edward Adam Davis wrote:
> > diff --git a/block/genhd.c b/block/genhd.c
> > index 9130e163e191..8d539a4a3b37 100644
> > --- a/block/genhd.c
> > +++ b/block/genhd.c
> > @@ -890,7 +890,9 @@ static int show_partition(struct seq_file *seqf, void *v)
> >  
> >  	rcu_read_lock();
> >  	xa_for_each(&sgp->part_tbl, idx, part) {
> > -		if (!bdev_nr_sectors(part))
> > +		int partno = bdev_partno(part);
> > +
> > +		if (!bdev_nr_sectors(part) || WARN_ON(partno >= DISK_MAX_PARTS))
> >  			continue;
> >  		seq_printf(seqf, "%4d  %7d %10llu %pg\n",
> >  			   MAJOR(part->bd_dev), MINOR(part->bd_dev),
> 
> This should be a WARN_ON_ONCE(), and please put warn-on's on a separate
> line.

Ummm...

DISK_MAX_PARTS is 256.

bdev_partno reads form bdev->__bd_flags and masks out BD_PARTNO,
which is 255.

In other words we should never be able to get a value bigger than 255
from bdev_partno, so something is really fishy here that a WARN_ON in
the show function won't help with.

Also the fact that the low-level printf code trips over a 8-bit integer
sounds wrong, and if it does for something not caused by say a use
after free higher up we've got another deep problem there.

All of that has nothing to do with show_partition, though.