linux/drivers
Ming-Hung Tsai c0ade5d989 dm cache: fix potential out-of-bounds access on the first resume
Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.

Reproduce steps:

1. prepare component devices:

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

2. load a cache table of 512 cache blocks, and deliberately expand the
   fast device before resuming the cache, making the in-core data
   structures inadequate.

dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

3. suspend the cache to write out the in-core dirty bitset and hint
   array, leading to out-of-bounds access to the dirty bitset at offset
   0x40:

dmsetup suspend cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
  Read of size 8 at addr ffffc90000085040 by task dmsetup/90

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc90000085000, ffffc90000087000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                             ^
   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by checking the size change on the first resume.

Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Fixes: f494a9c6b1 ("dm cache: cache shrinking support")
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Joe Thornber <thornber@redhat.com>
2024-11-04 17:39:31 +01:00
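The failure mode the commit message walks through, as an added user-space model in C (not code from the kernel tree and not this commit's diff): the in-core dirty bitset is sized at table load for 512 cache blocks, the fast device is then grown to 1024 blocks behind the loaded table, and the two preresume shapes are compared. `preresume_buggy` adopts the new device size on the first resume without a check, so the suspend-time walk over `cache_size` runs past the allocation; `preresume_fixed` applies the same size check on the first resume as on later ones and rejects growth without a reload, while still allowing a shrink that drops no dirty block. All names (`cache_model`, `model_ctr`, `model_can_resize`, `preresume_buggy`, `preresume_fixed`, `run_scenario`) and the exact check shapes are assumptions of this model, not the driver's code; the sector counts and the 128-sector block size come from the reproduce steps above.

```c
/* Added example: hypothetical user-space model of the dm-cache first-resume
 * size check, not kernel code. Names and check shapes are assumptions; sizes
 * follow the reproduce steps (65536-sector cdata, 128-sector blocks). */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define SECTORS_PER_BLOCK 128ULL
#define BITS_PER_WORD (8 * sizeof(unsigned long))

struct cache_model {
	uint64_t fast_dev_sectors; /* size the fast device reports right now */
	uint64_t cache_size;       /* logical size in cache blocks */
	uint64_t nr_alloc;         /* blocks the in-core dirty bitset covers */
	unsigned long *dirty_bitset;
	bool sized;                /* a resume has already run */
};
struct outcome { int rc; long walked; uint64_t cache_size; };

static uint64_t sectors_to_blocks(uint64_t s) { return s / SECTORS_PER_BLOCK; }

/* Table load: in-core structures are sized for the device as seen now. */
static struct cache_model *model_ctr(uint64_t fast_dev_sectors)
{
	struct cache_model *c = calloc(1, sizeof(*c));
	if (!c) return NULL;
	c->fast_dev_sectors = fast_dev_sectors;
	c->cache_size = c->nr_alloc = sectors_to_blocks(fast_dev_sectors);
	c->dirty_bitset = calloc((c->nr_alloc + BITS_PER_WORD - 1) / BITS_PER_WORD, sizeof(unsigned long));
	if (!c->dirty_bitset) { free(c); return NULL; }
	return c;
}

/* Growing needs a table reload so ctr can reallocate; a shrink must not drop a dirty block. */
static bool model_can_resize(const struct cache_model *c, uint64_t new_size)
{
	if (new_size > c->cache_size)
		return false;
	for (uint64_t b = new_size; b < c->cache_size && b < c->nr_alloc; b++)
		if ((c->dirty_bitset[b / BITS_PER_WORD] >> (b % BITS_PER_WORD)) & 1UL)
			return false;
	return true;
}

/* Buggy shape: the first resume adopts the device size unchecked. */
static int preresume_buggy(struct cache_model *c)
{
	uint64_t csize = sectors_to_blocks(c->fast_dev_sectors);
	if (!c->sized) {
		c->cache_size = csize;
		c->sized = true;
	} else if (csize != c->cache_size) {
		if (!model_can_resize(c, csize))
			return -EINVAL;
		c->cache_size = csize;
	}
	return 0;
}

/* Fixed shape: the size change is validated on the first resume too. */
static int preresume_fixed(struct cache_model *c)
{
	uint64_t csize = sectors_to_blocks(c->fast_dev_sectors);
	if (!c->sized || csize != c->cache_size) {
		if (!model_can_resize(c, csize))
			return -EINVAL;
		c->cache_size = csize;
		c->sized = true;
	}
	return 0;
}

/* Suspend visits the dirty bit of every block below cache_size; -1 marks the
 * first index past the allocation (the read KASAN flagged in the report). */
static long model_suspend_walk(const struct cache_model *c)
{
	for (uint64_t b = 0; b < c->cache_size; b++)
		if (b >= c->nr_alloc)
			return -1;
	return (long)c->cache_size;
}

/* Load a 512-block cache, optionally dirty one block, resize the fast device
 * behind the table, resume via the given preresume, suspend only if it passed. */
static struct outcome run_scenario(int (*preresume)(struct cache_model *),
				   uint64_t new_sectors, long dirty_block)
{
	struct outcome o = { -ENOMEM, 0, 0 };
	struct cache_model *c = model_ctr(65536);
	if (!c) return o;
	if (dirty_block >= 0 && (uint64_t)dirty_block < c->nr_alloc)
		c->dirty_bitset[dirty_block / BITS_PER_WORD] |= 1UL << (dirty_block % BITS_PER_WORD);
	c->fast_dev_sectors = new_sectors;
	o.rc = preresume(c);
	o.walked = o.rc ? 0 : model_suspend_walk(c);
	o.cache_size = c->cache_size;
	free(c->dirty_bitset);
	free(c);
	return o;
}
```

Running `run_scenario(preresume_buggy, 131072, -1)` reproduces the commit's sequence: the resume succeeds, `cache_size` becomes 1024 while the bitset still covers 512 blocks, and the suspend walk hits an index past the allocation. With `preresume_fixed` the same growth fails the resume with -EINVAL and `cache_size` stays at 512, which is the table-reload requirement the message describes; a shrink to 32768 sectors still passes unless a dirty block would be dropped.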
accel dma-mapping updates for linux 6.12 2024-09-19 11:12:49 +02:00
accessibility
acpi ACPI fixes for 6.12-rc3 2024-10-11 11:32:10 -07:00
amba
android
ata ata: libata: avoid superfluous disk spin down + spin up during hibernation 2024-10-09 16:21:19 +02:00
atm
auxdisplay move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
base pmdomain core: 2024-10-11 11:26:15 -07:00
bcma
block block-6.12-20241004 2024-10-04 10:43:44 -07:00
bluetooth Bluetooth: btusb: Don't fail external suspend requests 2024-10-04 16:54:25 -04:00
bus Driver core update for 6.12-rc1 2024-09-27 08:48:37 -07:00
cache
cdrom
cdx
char virtio: bugfixes 2024-10-07 11:33:26 -07:00
clk move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
clocksource Updates for x86 timers: 2024-09-17 15:27:01 +02:00
comedi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
connector
counter move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cpufreq Power management fixes for 6.12-rc2 2024-10-04 11:57:15 -07:00
cpuidle pmdomain core: 2024-09-18 10:49:45 +02:00
crypto move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cxl move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dax device-dax: correct pgoff align in dax_set_mapping() 2024-10-09 12:47:19 -07:00
dca
devfreq
dio
dma soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
dma-buf drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
dpll
edac - Drop a now obsolete ppc4xx_edac driver 2024-09-16 06:36:37 +02:00
eisa
extcon Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
firewire move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
firmware drm fixes for 6.12-rc2 2024-10-04 11:25:14 -07:00
fpga move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
fsi move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
gnss [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
gpio gpio: aspeed: Use devm_clk api to manage clock source 2024-10-08 16:01:58 +02:00
gpu pmdomain core: 2024-10-11 11:26:15 -07:00
greybus move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
hid Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
hsi
hte
hv drm next for 6.12-rc1 2024-09-19 10:18:15 +02:00
hwmon hwmon: (max1668) Add missing dependency on REGMAP_I2C 2024-10-07 08:42:32 -07:00
hwspinlock
hwtracing [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
i2c i2c-for-6.12-rc2 2024-10-05 10:31:04 -07:00
i3c i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition 2024-09-17 16:51:45 +02:00
idle intel_idle: fix ACPI _CST matching for newer Xeon platforms 2024-09-25 22:30:33 +02:00
iio move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
infiniband [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
input Getting rid of asm/unaligned.h includes 2024-10-02 16:42:28 -07:00
interconnect
iommu [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ipack
irqchip Merge tag 'irq-core-2024-09-16' into loongarch-next 2024-09-17 22:20:12 +08:00
isdn move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
leds move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
macintosh move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mailbox mailbox, remoteproc: omap2+: fix compile testing 2024-09-27 09:11:05 -05:00
mcb
md dm cache: fix potential out-of-bounds access on the first resume 2024-11-04 17:39:31 +01:00
media move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
memory
memstick move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
message SCSI misc on 20240928 2024-09-29 09:22:34 -07:00
mfd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
misc misc: sgi-gru: Don't disable preemption in GRU driver 2024-10-09 12:47:01 -07:00
mmc MMC core: 2024-10-11 11:23:21 -07:00
most
mtd move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
mux
net slip: make slhc_remember() more robust against malicious packets 2024-10-10 09:06:32 -07:00
nfc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ntb ntb: Force physically contiguous allocation of rx ring buffers 2024-09-20 10:51:25 -04:00
nubus
nvdimm virtio: features, fixes, cleanups 2024-09-26 08:43:17 -07:00
nvme move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nvmem Char/Misc and other driver changes for 6.12-rc1 2024-09-26 10:13:08 -07:00
of of: Skip kunit tests when arm64+ACPI doesn't populate root node 2024-10-10 12:43:01 -05:00
opp OPP: fix error code in dev_pm_opp_set_config() 2024-10-02 01:27:50 +02:00
parisc
parport
pci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pcmcia move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
peci move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
perf drivers/perf: riscv: Align errno for unsupported perf event 2024-10-01 02:47:39 -07:00
phy phy-for-6.12 2024-09-23 14:05:10 -07:00
pinctrl soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
platform platform-drivers-x86 for v6.12-2 2024-10-06 11:11:01 -07:00
pmdomain pmdomain: qcom-cpr: Fix the return of uninitialized variable 2024-10-02 12:38:53 +02:00
pnp
power move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
powercap powercap: intel_rapl_msr: Add PL4 support for Arrowlake-U 2024-10-08 21:39:33 +02:00
pps [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
ps3
ptp move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
pwm soc: convert ep93xx to devicetree 2024-09-26 12:00:25 -07:00
rapidio
ras
regulator regulator: sm5703: Remove because it is unused and fails to build 2024-09-13 19:08:14 +01:00
remoteproc mhu-v3, omap2+ : fix kconfig dependencies 2024-09-29 09:53:04 -07:00
reset
rpmsg rpmsg: glink: Avoid -Wflex-array-member-not-at-end warnings 2024-09-13 14:09:47 -07:00
rtc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
s390 more s390 updates for 6.12 merge window 2024-09-28 09:11:46 -07:00
sbus [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
scsi SCSI fixes on 20241011 2024-10-12 09:24:13 -07:00
sh sh: intc: Replace simple_strtoul() with kstrtoul() 2024-09-26 17:25:29 +02:00
siox
slimbus
soc move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
soundwire soundwire updates for 6.12 2024-09-23 14:00:46 -07:00
spi spi: Fixes for v6.12 2024-10-05 10:25:04 -07:00
spmi
ssb
staging move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
target move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
tc
tee
thermal Power management updates for 6.12-rc3 2024-10-11 11:41:20 -07:00
thunderbolt
tty move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
ufs SCSI fixes on 20241011 2024-10-12 09:24:13 -07:00
uio uio: Constify struct kobj_type 2024-09-11 16:02:54 +02:00
usb USB fixes for 6.12-rc3 2024-10-13 09:21:36 -07:00
vdpa virtio: bugfixes 2024-10-07 11:33:26 -07:00
vfio [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
vhost virtio: bugfixes 2024-10-07 11:33:26 -07:00
video fbdev: Switch back to struct platform_driver::remove() 2024-10-08 21:47:18 +02:00
virt [tree-wide] finally take no_llseek out 2024-09-27 08:18:43 -07:00
virtio virtio: bugfixes 2024-10-07 11:33:26 -07:00
w1
watchdog move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
xen xen: Fix config option reference in XEN_PRIVCMD definition 2024-10-02 16:14:30 +02:00
zorro
Kconfig
Makefile