linux/drivers/block
Xiongwei Song 545a32498c floppy: Add max size check for user space request
We need to check the max request size that is from user space before
allocating pages. If the request size exceeds the limit, return -EINVAL.
This check can avoid the warning below from the page allocator.

WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline]
WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356
Modules linked in:
CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344
Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9
RSP: 0018:ffffc90023b87850 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960
R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30
FS:  0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
 __get_free_pages+0x8/0x40 mm/page_alloc.c:5418
 raw_cmd_copyin drivers/block/floppy.c:3113 [inline]
 raw_cmd_ioctl drivers/block/floppy.c:3160 [inline]
 fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528
 fd_ioctl drivers/block/floppy.c:3555 [inline]
 fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869
 compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662
 __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c

Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com
Signed-off-by: Xiongwei Song <sxwjean@gmail.com>
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-03 06:32:40 -07:00
aoe block: aoe: fixup coccinelle warnings 2021-10-21 08:54:15 -06:00
drbd block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
mtip32xx block: remove the gendisk argument to blk_execute_rq 2021-11-29 06:41:29 -07:00
null_blk null_blk: allow zero poll queues 2021-12-02 19:57:47 -07:00
paride block: remove the gendisk argument to blk_execute_rq 2021-11-29 06:41:29 -07:00
rnbd block: remove the ->rq_disk field in struct request 2021-11-29 06:41:29 -07:00
rsxx block/rsxx: add error handling support for add_disk() 2021-10-18 14:41:36 -06:00
xen-blkback block: remove GENHD_FL_CD 2021-11-29 06:35:21 -07:00
zram block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
amiflop.c block: remove the ->rq_disk field in struct request 2021-11-29 06:41:29 -07:00
ataflop.c block: remove the ->rq_disk field in struct request 2021-11-29 06:41:29 -07:00
brd.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
floppy.c floppy: Add max size check for user space request 2021-12-03 06:32:40 -07:00
Kconfig vhost,virtio,vhost: fixes,features 2021-11-03 15:00:39 -07:00
loop.c loop: don't hold lo_mutex during __loop_clr_fd() 2021-11-29 06:41:47 -07:00
loop.h block: remove support for cryptoloop and the xor transfer 2021-10-22 08:34:58 -06:00
Makefile block: remove support for cryptoloop and the xor transfer 2021-10-22 08:34:58 -06:00
n64cart.c block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART 2021-11-29 06:35:21 -07:00
nbd.c for-5.16/drivers-2021-11-09 2021-11-09 11:24:08 -08:00
pktcdvd.c block: remove the gendisk argument to blk_execute_rq 2021-11-29 06:41:29 -07:00
ps3disk.c ps3disk: add error handling support for add_disk() 2021-10-30 11:03:37 -06:00
ps3vram.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
rbd_types.h libceph, rbd: replace zero-length array with flexible-array 2020-06-01 13:22:53 +02:00
rbd.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
sunvdc.c block: remove the ->rq_disk field in struct request 2021-11-29 06:41:29 -07:00
swim3.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
swim_asm.S treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
swim.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00
sx8.c block: remove the gendisk argument to blk_execute_rq 2021-11-29 06:41:29 -07:00
virtio_blk.c block: remove the gendisk argument to blk_execute_rq 2021-11-29 06:41:29 -07:00
xen-blkfront.c block: remove GENHD_FL_CD 2021-11-29 06:35:21 -07:00
z2ram.c block: remove GENHD_FL_EXT_DEVT 2021-11-29 06:38:35 -07:00