Linux kernel -stable discussions
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: John Garry <john.g.garry@oracle.com>,
	Hannes Reinecke <hare@suse.de>,
	"Martin K . Petersen" <martin.petersen@oracle.com>,
	Damien Le Moal <dlemoal@kernel.org>, Jens Axboe <axboe@kernel.dk>,
	Sasha Levin <sashal@kernel.org>,
	linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 6.16-5.10] block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
Date: Sun, 10 Aug 2025 12:51:43 -0400
Message-ID: <20250810165158.1888206-1-sashal@kernel.org>

From: John Garry <john.g.garry@oracle.com>

[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ]

In blk_stack_limits(), we check that the t->chunk_sectors value is a
multiple of the t->physical_block_size value.

However, by finding the chunk_sectors value in bytes, we may overflow
the unsigned int which holds chunk_sectors, so change the check to be
based on sectors.

Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

**Backport Status: YES**

## Extensive Analysis

This commit should be backported to stable kernel trees for the
following reasons:

### 1. **It fixes a real integer overflow bug**
The original code performs `(t->chunk_sectors << 9)` which can cause an
integer overflow. Since both `chunk_sectors` and `physical_block_size`
are `unsigned int` (32-bit), when `chunk_sectors` is larger than
8,388,607 (2^23 - 1), shifting it left by 9 bits (multiplying by 512)
will overflow the 32-bit unsigned integer. This overflow can lead to
incorrect alignment checks.

### 2. **The fix is minimal and contained**
The change is a single-line modification that replaces:
```c
if ((t->chunk_sectors << 9) & (t->physical_block_size - 1))
```
with:
```c
if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT))
```

This mathematically equivalent check avoids the overflow by dividing
`physical_block_size` by the sector size (512 bytes) instead of
multiplying `chunk_sectors` by 512.

### 3. **It's a correctness issue in critical block layer code**
The `blk_stack_limits()` function is fundamental to the block layer's
device stacking functionality, used by MD, DM, and other stacked block
devices. An overflow here could lead to:
- Incorrect alignment detection
- Improper chunk_sectors being cleared when it shouldn't be
- Potential data corruption or I/O errors in stacked block devices

### 4. **The fix has low regression risk**
- The new calculation is mathematically equivalent to the intended check
- It only changes how the comparison is performed, not the logic
- The fix has been reviewed by multiple maintainers (Hannes Reinecke,
  Martin K. Petersen, Damien Le Moal)
- No new features or architectural changes are introduced

### 5. **Real-world impact potential**
Modern storage devices can have large chunk sizes. For example:
- NVMe devices with large zones could have chunk_sectors approaching or
  exceeding the overflow threshold
- RAID configurations with large stripe sizes
- This becomes more likely as storage devices grow in capacity and
  complexity

### 6. **Follows stable kernel criteria**
According to stable kernel rules, this qualifies because it:
- Fixes a bug that users can potentially hit
- Is obviously correct and tested
- Is small (single line change)
- Fixes only one thing
- Has no dependencies on other patches

The commit message clearly describes the problem (overflow in unsigned
int) and the solution (changing the check to avoid overflow). The fix
maintains the same semantic meaning while being overflow-safe, making it
an ideal candidate for stable backporting.

 block/blk-settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-settings.c b/block/blk-settings.c
index a000daafbfb4..88890e904320 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -779,7 +779,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
 	}
 
 	/* chunk_sectors a multiple of the physical block size? */
-	if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) {
+	if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) {
 		t->chunk_sectors = 0;
 		t->flags |= BLK_FLAG_MISALIGNED;
 		ret = -1;
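Review bot: the replacement check `t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)` divides by a value that is zero whenever `t->physical_block_size` is smaller than one sector; the normalisation that rules that out happens earlier in `blk_stack_limits()` and is not visible in this hunk, so for the stable targets named in the subject (down to 5.10) it is worth confirming that it precedes this check, because a zero divisor would turn the silent 32-bit wrap being fixed into a divide-by-zero. The context line `t->flags |= BLK_FLAG_MISALIGNED;` also belongs to the newer queue_limits flag scheme, so the hunk is unlikely to apply unchanged on the older trees in that range without adjusting the context. The change itself is sound: for a power-of-two physical_block_size the modulo form agrees with the old mask form, and comparing in sectors removes the `<< 9` that could wrap past 32 bits.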
-- 
2.39.5
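The 32-bit wrap described in the commit message, as an added example that is not part of the patch or of the kernel source: the removed mask-based check and the added sector-based check from the hunk are written out side by side with a 64-bit reference, and a sweep across the 2^23-sector wrap point confirms the fixed check agrees with the reference. The `pbs >= 512` precondition for the new check is an assumption stated in the comment, not something the hunk itself shows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define SECTOR_SHIFT 9u

/* Byte count as the old check computed it: a 32-bit shift that wraps once
 * chunk_sectors reaches 1 << 23 (4 GiB expressed in 512-byte sectors). */
unsigned int chunk_bytes_u32(unsigned int chunk_sectors)
{
	return chunk_sectors << SECTOR_SHIFT;
}

/* Pre-fix test (the removed '-' line): mask the wrapped byte count with
 * pbs - 1, which assumes pbs is a power of two. */
bool old_misaligned(unsigned int chunk_sectors, unsigned int pbs)
{
	return (chunk_bytes_u32(chunk_sectors) & (pbs - 1)) != 0;
}

/* Post-fix test (the added '+' line): compare in sectors, so nothing is
 * multiplied by 512.  Assumes pbs >= 512, which blk_stack_limits() is
 * expected to have ensured before this check; a smaller pbs would divide
 * by zero here. */
bool new_misaligned(unsigned int chunk_sectors, unsigned int pbs)
{
	return (chunk_sectors % (pbs >> SECTOR_SHIFT)) != 0;
}

/* 64-bit reference answer: is chunk_sectors * 512 a multiple of pbs?
 * The cast keeps the multiplication from wrapping for any u32 input. */
bool ref_misaligned(unsigned int chunk_sectors, unsigned int pbs)
{
	return (((uint64_t)chunk_sectors << SECTOR_SHIFT) % pbs) != 0;
}

/* Sweep chunk_sectors across the 1 << 23 wrap point for several physical
 * block sizes; returns how often the fixed check disagrees with the
 * reference (expected: 0). */
unsigned int new_vs_ref_mismatches(void)
{
	static const unsigned int pbs_list[] = { 512, 4096, 65536 };
	unsigned int bad = 0;

	for (size_t i = 0; i < sizeof(pbs_list) / sizeof(pbs_list[0]); i++)
		for (unsigned int cs = (1u << 23) - 64; cs < (1u << 23) + 64; cs++)
			bad += new_misaligned(cs, pbs_list[i]) != ref_misaligned(cs, pbs_list[i]);
	return bad;
}
```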

