Linux block layer
* [PATCH] block: bio: check offset/length sanity in {__,}bio_add_page()
@ 2026-06-24 20:33 Sergey Shtylyov
From: Sergey Shtylyov @ 2026-06-24 20:33 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: Sergey Shtylyov, linux-kernel, Karina Yankevich

The sum of the *struct* bio_vec's fields bv_offset and bv_len is calculated in
some functions in block/{blk-merge.c,blk.h} (and that sum is often compared
to PAGE_SIZE) -- that sum may overflow (and so the comparison yields a wrong
result) if some bad arguments were previously passed to {__,}bio_add_page().
Add a check that the sum of the offset and length parameters won't overflow
to {__,}bio_add_page()...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>

---
The patch is against the for-next branch of Jens Axboe's linux.git repo...

 block/bio.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/bio.c b/block/bio.c
index f2a5f4d0a967..daca63b94fae 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1000,6 +1000,7 @@ void __bio_add_page(struct bio *bio, struct page *page,
 {
 	WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED));
 	WARN_ON_ONCE(bio_full(bio, len));
+	WARN_ON_ONCE(off + len < off);	/* does the sum overflow? */
 
 	if (is_pci_p2pdma_page(page))
 		bio->bi_opf |= REQ_NOMERGE;
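Review bot: the WARN_ON_ONCE added to __bio_add_page() only reports the wrapped sum and then falls through, so the bvec with the bad off/len is still stored in the bio; that is consistent with how the existing WARN_ON_ONCE(bio_full(bio, len)) line is handled, but the commit message should state that this hunk is diagnostic only, unlike the bio_add_page() hunk, which actually rejects the request. The condition itself is correct for unsigned operands: `off + len < off` is true exactly when the addition wrapped.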
@@ -1045,6 +1046,9 @@ int bio_add_page(struct bio *bio, struct page *page,
 		return 0;
 	if (bio->bi_iter.bi_size > BIO_MAX_SIZE - len)
 		return 0;
+	/* Are offset and len sane, i.e. their sum doesn't overflow? */
+	if (offset + len < offset)
+		return 0;
 
 	if (bio->bi_vcnt > 0) {
 		struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
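Review bot: the new `if (offset + len < offset) return 0;` rejects a wrapping argument pair with the same silent 0 as a full bio, so the caller cannot tell invalid arguments from lack of space; since the commit message frames this as catching bad arguments, a WARN_ON_ONCE before the `return 0`, mirroring the __bio_add_page() hunk, would make the misuse visible instead of only failing the add. Consider also moving the argument check ahead of the `bi_size > BIO_MAX_SIZE - len` comparison, since it validates the inputs rather than the bio's state.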
-- 
2.54.0

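To make the failure mode in the commit message concrete, here is an added userspace model that is not kernel code and not part of the patch: a bvec-style struct, the naive in-page comparison the merge code performs on the stored fields, and the wrap check the patch adds to bio_add_page(). MODEL_PAGE_SIZE, the struct and the function names are assumptions chosen for the model.

```c
/* Added example, not kernel code: models the unsigned wrap the patch guards
 * against. MODEL_PAGE_SIZE and all names below are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u

/* Minimal stand-in for the two struct bio_vec fields the merge code sums. */
struct model_bvec {
	unsigned int bv_offset;
	unsigned int bv_len;
};

/* The kind of test done on a stored bvec: does the segment stay within one
 * page?  Written as a naive sum, so a wrapped sum gives a wrong answer. */
bool bvec_within_page(const struct model_bvec *bv)
{
	return bv->bv_offset + bv->bv_len <= MODEL_PAGE_SIZE;
}

/* The check the patch adds to bio_add_page(): reject when the unsigned sum
 * wraps.  Returns 0 on rejection, 1 when the bvec was "added". */
int model_add_page(struct model_bvec *bv, unsigned int len, unsigned int offset)
{
	if (offset + len < offset)	/* sum wrapped around */
		return 0;
	bv->bv_offset = offset;
	bv->bv_len = len;
	return 1;
}

/* Same condition expressed with the compiler builtin, for comparison. */
bool sum_overflows(unsigned int offset, unsigned int len)
{
	unsigned int sum;

	return __builtin_add_overflow(offset, len, &sum);
}

int main(void)
{
	/* Constructed input: 0xfffff000 + 0x1000 wraps to 0 in 32 bits. */
	struct model_bvec bv = { 0xfffff000u, 0x1000u };

	printf("naive in-page check on wrapped bvec: %d\n", bvec_within_page(&bv));
	printf("patched add rejects it: %d\n", !model_add_page(&bv, 0x1000u, 0xfffff000u));
	return 0;
}
```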

* Re: [PATCH] block: bio: check offset/length sanity in {__,}bio_add_page()
From: Christoph Hellwig @ 2026-06-26  6:12 UTC (permalink / raw)
  To: Sergey Shtylyov; +Cc: Jens Axboe, linux-block, linux-kernel, Karina Yankevich

On Wed, Jun 24, 2026 at 11:33:26PM +0300, Sergey Shtylyov wrote:
> The sum of the *struct* bio_vec's fields bv_offset and bv_len is calculated in
> some functions in block/{blk-merge.c,blk.h} (and that sum is often compared
> to PAGE_SIZE) -- that sum may overflow (and so the comparison yields a wrong
> result) if some bad arguments were previously passed to {__,}bio_add_page().
> Add a check that the sum of the offset and length parameters won't overflow
> to {__,}bio_add_page()...

I'm not really sure there's much of a point in this, because the
error handling isn't really going to help to recover either.  I think
we have to trust our programmers to at least get the very basics
right.


