On Sun, May 3, 2026 at 11:22 AM Bart Van Assche <[email protected]> wrote:
>
> On 3/22/26 6:18 AM, Deepanshu Kartikey wrote:
> > Closes: https://syzkaller.appspot.com/bug?extid=ed8bc247f231c1a48e21
> > [ ... ]
> > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
> > index 8cd2520b4c99..6cc7d83ed1c2 100644
> > --- a/kernel/trace/blktrace.c
> > +++ b/kernel/trace/blktrace.c
> > @@ -773,7 +773,7 @@ int blk_trace_setup(struct request_queue *q, char
> > *name, dev_t dev,
> > if (ret)
> > return -EFAULT;
> >
> > - if (!buts.buf_size || !buts.buf_nr)
> > + if (buts.buf_size < sizeof(struct blk_io_trace) || !buts.buf_nr)
> > return -EINVAL;
> >
> > buts2 = (struct blk_user_trace_setup2) {
>
> Why sizeof(struct blk_io_trace) instead of sizeof(struct blk_io_trace2)?
> Even sizeof(struct blk_io_trace2) is too small if any additional data is
> included.
>
> Additionally, how can this patch fix the issue mentioned in the linked
> syzbot report? Is the syzbot link correct? From the syzbot report:
>
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> RIP: 0010:bvec_set_page include/linux/bvec.h:44 [inline]
> RIP: 0010:__bio_add_page block/bio.c:992 [inline]
> RIP: 0010:bio_add_page+0x462/0x6e0 block/bio.c:1048
> Call Trace:
> <TASK>
> bio_add_folio+0x64/0x90 block/bio.c:1084
> io_submit_add_bh fs/ext4/page-io.c:465 [inline]
> ext4_bio_write_folio+0x1446/0x1ea0 fs/ext4/page-io.c:603
> mpage_map_and_submit_buffers fs/ext4/inode.c:2326 [inline]
> mpage_map_and_submit_extent fs/ext4/inode.c:2516 [inline]
> ext4_do_writepages+0x207e/0x46e0 fs/ext4/inode.c:2928
> ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3022
> do_writepages+0x32e/0x550 mm/page-writeback.c:2554
> __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
> writeback_sb_inodes+0x992/0x1a20 fs/fs-writeback.c:2042
> __writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2118
> wb_writeback+0x46a/0xb70 fs/fs-writeback.c:2229
> wb_check_start_all fs/fs-writeback.c:2355 [inline]
> wb_do_writeback fs/fs-writeback.c:2381 [inline]
> wb_workfn+0x95b/0xf50 kernel/workqueue.c:2414
> process_one_work+0x9ab/0x1780 kernel/workqueue.c:3288
> process_scheduled_works kernel/workqueue.c:3379 [inline]
> worker_thread+0xba8/0x11e0 kernel/workqueue.c:3465
> kthread+0x388/0x470 kernel/kthread.c:436
> ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> </TASK>
>
> Thanks,
>
> Bart.
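Review bot: the new lower bound in the hunk, `buts.buf_size < sizeof(struct blk_io_trace)`, is measured against the wrong record type for a setup path that goes on to fill a `struct blk_user_trace_setup2`; as already noted in this thread, `struct blk_io_trace2` is the larger of the two, so a buffer that passes this check can still be smaller than a single v2 record, and any additional data appended to a record makes even that bound insufficient. Suggest comparing against sizeof(struct blk_io_trace2) and adding a one-line comment above the check stating that buf_size must hold at least one complete trace record, so the constant is self-explanatory to the next reader. Separately, the Closes: tag in the quoted commit message points at a syzbot report whose call trace runs through ext4 and bio_add_page and never enters blktrace, so the tag should be dropped unless the connection to this check can be shown.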
Hi Bart,

Thank you for the review. You are right on both points:

1. The minimum size check should use sizeof(struct blk_io_trace2) as it is the larger of the two structs. We will fix this in v2.

2. The connection between buf_size being too small and the ext4 null-ptr-deref is not clearly established. We will remove the syzbot link from the commit message in v2.

Will send v2 shortly.

Thanks,
Deepanshu Kartikey
