From 9dcafe16d4e83ce1ed740c8cff64a34a899bd8c3 Mon Sep 17 00:00:00 2001
From: Maxim Sobolev <sobomax@FreeBSD.org>
Date: Tue, 4 Dec 2018 21:48:56 +0000
Subject: [PATCH] Another attempt to fix issue with the DIOCGDELETE ioctl(2)
 not handling slightly out-of-bound requests properly (r340187). Perform range
 check here rather then rely on g_delete_data() to DTRT.

The g_delete_data() would always return success for requests
starting just the next byte after providers media boundary.

MFC after:	4 weeks
---
 sys/geom/geom_dev.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sys/geom/geom_dev.c b/sys/geom/geom_dev.c
index 2a5aca6b423..e470a516ca7 100644
--- a/sys/geom/geom_dev.c
+++ b/sys/geom/geom_dev.c
@@ -583,6 +583,20 @@ g_dev_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int fflag, struct thread
 			error = EINVAL;
 			break;
 		}
+		if ((cp->provider->mediasize > 0) &&
+		    (offset >= cp->provider->mediasize)) {
+			/*
+			 * Catch out-of-bounds requests here. The problem is
+			 * that due to historical GEOM I/O implementation
+			 * peculatities, g_delete_data() would always return
+			 * success for requests starting just the next byte
+			 * after providers media boundary. Condition check on
+			 * non-zero media size, since that condition would
+			 * (most likely) cause ENXIO instead.
+			 */
+			error = EIO;
+			break;
+		}
 		while (length > 0) {
 			chunk = length;
 			if (g_dev_del_max_sectors != 0 && chunk >