On 3/22/26 6:18 AM, Deepanshu Kartikey wrote:
Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
[ ... ] diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 8cd2520b4c99..6cc7d83ed1c2 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -773,7 +773,7 @@ int blk_trace_setup(struct request_queue *q, char *name, 
dev_t dev,
        if (ret)
                return -EFAULT;
- if (!buts.buf_size || !buts.buf_nr)
+       if (buts.buf_size < sizeof(struct blk_io_trace) || !buts.buf_nr)
                return -EINVAL;
buts2 = (struct blk_user_trace_setup2) {
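Review bot: the new lower bound compares buts.buf_size against sizeof(struct blk_io_trace) while the very next line converts the request into a struct blk_user_trace_setup2, so the size of the record format that will actually be written (the v2 one) is the natural bound here, and a bare header size is still not a sufficient minimum if records carry additional data after the header; if the v1 size is intentional, the commit message should say why. The Closes: tag also needs justification in the commit message: the linked report shows a null-ptr-deref in bio_add_page reached from ext4 writeback, and nothing in this hunk explains how a buffer-size check in blk_trace_setup prevents that path, so either spell out the connection or correct the link.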

Why sizeof(struct blk_io_trace) instead of sizeof(struct blk_io_trace2)?
Even sizeof(struct blk_io_trace2) is too small if any additional data is
included.

Additionally, how can this patch fix the issue mentioned in the linked syzbot report? Is the syzbot link correct? From the syzbot report:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:bvec_set_page include/linux/bvec.h:44 [inline]
RIP: 0010:__bio_add_page block/bio.c:992 [inline]
RIP: 0010:bio_add_page+0x462/0x6e0 block/bio.c:1048
Call Trace:
 <TASK>
 bio_add_folio+0x64/0x90 block/bio.c:1084
 io_submit_add_bh fs/ext4/page-io.c:465 [inline]
 ext4_bio_write_folio+0x1446/0x1ea0 fs/ext4/page-io.c:603
 mpage_map_and_submit_buffers fs/ext4/inode.c:2326 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2516 [inline]
 ext4_do_writepages+0x207e/0x46e0 fs/ext4/inode.c:2928
 ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3022
 do_writepages+0x32e/0x550 mm/page-writeback.c:2554
 __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
 writeback_sb_inodes+0x992/0x1a20 fs/fs-writeback.c:2042
 __writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2118
 wb_writeback+0x46a/0xb70 fs/fs-writeback.c:2229
 wb_check_start_all fs/fs-writeback.c:2355 [inline]
 wb_do_writeback fs/fs-writeback.c:2381 [inline]
 wb_workfn+0x95b/0xf50 fs/fs-writeback.c:2414
 process_one_work+0x9ab/0x1780 kernel/workqueue.c:3288
 process_scheduled_works kernel/workqueue.c:3379 [inline]
 worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Thanks,

Bart.
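Bart's point above, as an added illustration that is not part of this thread and not the kernel's code: the setup-time bound must be derived from the record format the writer actually emits, including any trailing payload, or a sub-buffer can pass validation yet be unable to hold a single record. The structs `rec_hdr_v1` and `rec_hdr_v2`, the functions `buf_size_is_valid`, `emit_record` and `records_emitted_with_v1_bound`, and all sizes are constructed stand-ins; the field names echo blk_io_trace but the layouts are not the kernel's definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for a v1 and a wider v2 trace record header.
 * Field names echo the kernel's blk_io_trace, but these layouts are
 * illustrative and not the kernel's definitions. */
struct rec_hdr_v1 {
	uint32_t magic, sequence;
	uint64_t time, sector;
	uint32_t bytes, action, pid, device, cpu;
	uint16_t error, pdu_len;	/* bytes of trailing payload after the header */
};

struct rec_hdr_v2 {
	struct rec_hdr_v1 base;
	uint64_t extra;			/* hypothetical extra field of the wider format */
};

/* Setup-time validation modelled on the patched check: a sub-buffer must hold
 * at least one complete record, i.e. the header of the format that is actually
 * written plus the largest trailing payload that format can carry. */
static bool buf_size_is_valid(size_t buf_size, size_t hdr_size, size_t max_pdu_len)
{
	return buf_size >= hdr_size + max_pdu_len;
}

/* Write-time guard: append one header plus payload to a sub-buffer of buf_size
 * bytes, refusing (instead of overrunning) when the record does not fit.
 * Returns 0 on success, -1 when the record had to be dropped. */
static int emit_record(uint8_t *buf, size_t buf_size, size_t *used,
		       const void *hdr, size_t hdr_size,
		       const void *pdu, uint16_t pdu_len)
{
	size_t need = hdr_size + pdu_len;

	if (*used > buf_size || need > buf_size - *used)
		return -1;
	memcpy(buf + *used, hdr, hdr_size);
	if (pdu_len)
		memcpy(buf + *used + hdr_size, pdu, pdu_len);
	*used += need;
	return 0;
}

/* Scenario: buf_size passes a check against the v1 header size only, but the
 * writer emits v2 records that each carry a 16-byte payload. Returns how many
 * of two such records fit; under the v1-only bound the answer is 0. */
static int records_emitted_with_v1_bound(void)
{
	size_t buf_size = sizeof(struct rec_hdr_v1);
	uint8_t buf[sizeof(struct rec_hdr_v2) + 16];	/* backing store; writer honours buf_size */
	size_t used = 0;
	uint8_t pdu[16] = {0};
	struct rec_hdr_v2 rec = { .base = { .magic = 0x65617400, .pdu_len = sizeof(pdu) } };
	int ok = 0;

	if (!buf_size_is_valid(buf_size, sizeof(struct rec_hdr_v1), 0))
		return -1;	/* the weak check accepts this size, so this is never taken */
	for (int i = 0; i < 2; i++)
		if (emit_record(buf, buf_size, &used, &rec, sizeof(rec), pdu, rec.base.pdu_len) == 0)
			ok++;
	return ok;
}

int main(void)
{
	printf("v1 header %zu bytes, v2 header %zu bytes\n",
	       sizeof(struct rec_hdr_v1), sizeof(struct rec_hdr_v2));
	printf("v2 records with payload that fit under the v1-only bound: %d\n",
	       records_emitted_with_v1_bound());
	printf("same buf_size checked against v2 header + 16-byte payload: %s\n",
	       buf_size_is_valid(sizeof(struct rec_hdr_v1), sizeof(struct rec_hdr_v2), 16)
	       ? "accepted" : "rejected");
	return 0;
}
```

The write-time guard drops records rather than writing past the sub-buffer, which is the defensive behaviour one wants even when the setup-time bound is wrong; the setup-time check is what keeps the tracer from silently producing an empty trace.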
