[PATCH] block: bio: check offset/length sanity in {__,}bio_add_page()
From: Sergey Shtylyov
Date: Wed Jun 24 2026 - 16:50:23 EST
Sum of the *struct* bio_vec's fields bv_offset and bv_len is calculated in
some functions in block/{blk-merge.c,blk.h} (and that sum is often compared
to PAGE_SIZE) -- that sum may overflow (and so the comparison yield a wrong
result) if some bad arguments were previously passed to {__,}bio_add_page().
Add a check that the sum of the offset and length parameters won't overflow
to {__,}bio_add_page()...
Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.
Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxxxxxxxx>
---
The patch is against the for-next branch of Jens Axboe's linux.git repo...
block/bio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/bio.c b/block/bio.c
index f2a5f4d0a967..daca63b94fae 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1000,6 +1000,7 @@ void __bio_add_page(struct bio *bio, struct page *page,
{
WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED));
WARN_ON_ONCE(bio_full(bio, len));
+ WARN_ON_ONCE(off + len < off); /* does the sum overflow? */
if (is_pci_p2pdma_page(page))
bio->bi_opf |= REQ_NOMERGE;
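Review bot: the new WARN_ON_ONCE(off + len < off) in __bio_add_page() only reports a wrapped sum; since this function has no return value, the bvec is still appended with the bad off/len, and the bv_offset + bv_len comparisons in block/{blk-merge.c,blk.h} that the commit message describes still run on it. The commit message should say so explicitly, i.e. that callers of the no-fail variant are expected to have validated the arguments (as bio_add_page() now does) and that the WARN is diagnostic only. It would also help to be precise that this check catches only unsigned wraparound of off + len, not other ways the sum can be wrong for those PAGE_SIZE comparisons.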
@@ -1045,6 +1046,9 @@ int bio_add_page(struct bio *bio, struct page *page,
return 0;
if (bio->bi_iter.bi_size > BIO_MAX_SIZE - len)
return 0;
+ /* Are offset and len sane, i.e. their sum doesn't overflow? */
+ if (offset + len < offset)
+ return 0;
if (bio->bi_vcnt > 0) {
struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
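Review bot: the silent "return 0" on a wrapping offset/len pair makes a caller bug indistinguishable from the bio simply being full (the two preceding checks also return 0), so the caller gets no diagnostic at all; consider a WARN_ON_ONCE() here as well, matching the treatment in __bio_add_page(), or explain in the commit message why the two variants are meant to differ. Ordering is a minor point: a pure argument-sanity test reads more naturally as the first check in the function rather than after the bi_size > BIO_MAX_SIZE - len comparison, which already consumes the unvalidated len.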
--
2.54.0