From: Zizhi Wo Commit 697ba0b6ec4a ("block: fix integer overflow in BLKSECDISCARD") fixed the start+len overflow via check_add_overflow() but did not handle the start=0, len=0 case. There, start + len = 0, so end = 0 passes all checks, and truncate_bdev_range()->truncate_inode_pages_range() is then called with lend=UINT64_MAX, whitch is the "truncate to the end of file" sentinel, so the entire page cache is invalidated. Fix this by replacing the validation with blk_validate_byte_range(), which already rejects a zero-length range and is what BLKDISCARD uses. This also switches the alignment check from a hardcoded 512 to bdev_logical_block_size(). Signed-off-by: Zizhi Wo --- block/ioctl.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/block/ioctl.c b/block/ioctl.c index 3d4ea1537457..3b7d33a737e8 100644 --- a/block/ioctl.c +++ b/block/ioctl.c @@ -176,8 +176,7 @@ static int blk_ioctl_discard(struct block_device *bdev, blk_mode_t mode, static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode, void __user *argp) { - uint64_t start, len, end; - uint64_t range[2]; + uint64_t range[2], start, len; int err; if (!(mode & BLK_OPEN_WRITE)) @@ -189,15 +188,13 @@ static int blk_ioctl_secure_erase(struct block_device *bdev, blk_mode_t mode, start = range[0]; len = range[1]; - if ((start & 511) || (len & 511)) - return -EINVAL; - if (check_add_overflow(start, len, &end) || - end > bdev_nr_bytes(bdev)) - return -EINVAL; + err = blk_validate_byte_range(bdev, start, len); + if (err) + return err; inode_lock(bdev->bd_mapping->host); filemap_invalidate_lock(bdev->bd_mapping); - err = truncate_bdev_range(bdev, mode, start, end - 1); + err = truncate_bdev_range(bdev, mode, start, start + len - 1); if (!err) err = blkdev_issue_secure_erase(bdev, start >> 9, len >> 9, GFP_KERNEL); -- 2.52.0