linux/drivers/md
Ming-Hung Tsai c0ade5d989 dm cache: fix potential out-of-bounds access on the first resume
Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.

Reproduction steps:

1. prepare component devices:

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct

2. load a cache table of 512 cache blocks, and deliberately expand the
   fast device before resuming the cache, making the in-core data
   structures inadequate.

dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

3. suspend the cache to write out the in-core dirty bitset and hint
   array, leading to out-of-bounds access to the dirty bitset at offset
   0x40:

dmsetup suspend cache

KASAN reports:

  BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
  Read of size 8 at addr ffffc90000085040 by task dmsetup/90

  (...snip...)
  The buggy address belongs to the virtual mapping at
   [ffffc90000085000, ffffc90000087000) created by:
   cache_ctr+0x176a/0x35f0

  (...snip...)
  Memory state around the buggy address:
   ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                             ^
   ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
   ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by checking the size change on the first resume.

Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Fixes: f494a9c6b1 ("dm cache: cache shrinking support")
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Joe Thornber <thornber@redhat.com>
2024-11-04 17:39:31 +01:00
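An added model in C of the size check the commit describes (illustrative code, not the kernel's dm-cache implementation), using the numbers from the reproduction steps: a 65536-sector fast device with 128-sector blocks gives 512 cache blocks and a 64-byte dirty bitset, so after the expansion to 131072 sectors the bit for block 512 lands at byte 0x40, the offset KASAN reports. All names (`toy_cache`, `toy_ctr`, `toy_preresume`, `replay_reproduce`) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the in-core state dm-cache sizes at table load. */
struct toy_cache {
	uint64_t block_sectors; /* cache block size in 512-byte sectors */
	uint64_t cache_blocks;  /* block count the in-core structures were sized for */
	unsigned long *dirty;   /* dirty bitset: one bit per cache block */
};

static uint64_t blocks_for(uint64_t dev_sectors, uint64_t block_sectors)
{
	return dev_sectors / block_sectors;
}

/* Bytes the dirty bitset occupies, rounded up to whole longs like the real one. */
static size_t dirty_bytes(const struct toy_cache *c)
{
	size_t bits_per_long = 8 * sizeof(unsigned long);
	return (c->cache_blocks + bits_per_long - 1) / bits_per_long * sizeof(unsigned long);
}

/* Table load (ctr): allocate the dirty bitset for the fast device size seen now. */
static int toy_ctr(struct toy_cache *c, uint64_t dev_sectors, uint64_t block_sectors)
{
	c->block_sectors = block_sectors;
	c->cache_blocks = blocks_for(dev_sectors, block_sectors);
	c->dirty = calloc(dirty_bytes(c), 1);
	return c->dirty ? 0 : -1;
}

/* Resume: re-derive the block count from the device's current size and refuse to
 * resume if it differs from what ctr sized for; the fix applies this on the first resume too. */
static int toy_preresume(const struct toy_cache *c, uint64_t dev_sectors_now)
{
	return blocks_for(dev_sectors_now, c->block_sectors) == c->cache_blocks ? 0 : -1;
}

/* Replays the reproduce steps (512 blocks at ctr, device doubled before resume): returns 1
 * when resume is rejected and block 512's dirty bit (byte 0x40) lies past the 64-byte bitset. */
static int replay_reproduce(void)
{
	struct toy_cache c;
	int ok;
	if (toy_ctr(&c, 65536, 128) != 0)
		return 0;
	ok = toy_preresume(&c, 131072) == -1 && 512 / 8 == 0x40 && 512 / 8 >= dirty_bytes(&c);
	free(c.dirty);
	return ok;
}
```

Without the resume-time comparison, a bitset walk over the 1024 blocks the grown device implies reads 64 bytes past the 64-byte allocation made at table load, which is the vmalloc-out-of-bounds read in the report.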
bcache - In the series "treewide: Refactor heap related implementation", 2024-07-21 17:56:22 -07:00
dm-vdo move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
persistent-data dm persistent data: fix memory allocation failure 2024-08-13 21:14:21 +02:00
dm-audit.c
dm-audit.h
dm-bio-prison-v1.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-bio-prison-v1.h
dm-bio-prison-v2.c dm: use bio_list_merge_init 2024-04-01 11:53:37 -06:00
dm-bio-prison-v2.h
dm-bio-record.h
dm-bufio.c dm bufio: Remove NULL check of list_entry() 2024-08-22 18:32:55 +02:00
dm-builtin.c
dm-cache-background-tracker.c
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm: Constify struct dm_block_validator 2024-07-19 12:08:15 +02:00
dm-cache-metadata.h
dm-cache-policy-internal.h
dm-cache-policy-smq.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c dm cache: fix potential out-of-bounds access on the first resume 2024-11-04 17:39:31 +01:00
dm-clone-metadata.c dm: Make use of __assign_bit() API 2024-09-02 16:53:53 +02:00
dm-clone-metadata.h
dm-clone-target.c dm: stop using blk_limits_io_{min,opt} 2024-07-10 13:10:06 +02:00
dm-core.h dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-crypt.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
dm-delay.c dm-delay: remove timer_lock 2024-05-09 09:10:58 -04:00
dm-dust.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ebs-target.c dm: stop using blk_limits_io_{min,opt} 2024-07-10 13:10:06 +02:00
dm-era-target.c dm: Constify struct dm_block_validator 2024-07-19 12:08:15 +02:00
dm-exception-store.c
dm-exception-store.h
dm-flakey.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ima.c
dm-ima.h
dm-init.c dm init: Handle minors larger than 255 2024-07-02 20:53:41 +02:00
dm-integrity.c - Misc VDO fixes 2024-09-27 09:12:51 -07:00
dm-io-rewind.c
dm-io-tracker.h
dm-io.c dm io: remove code duplication between sync_io and aysnc_io 2024-07-02 12:00:43 +02:00
dm-ioctl.c dm resume: don't return EINVAL when signalled 2024-08-13 13:51:34 +02:00
dm-kcopyd.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-linear.c dm: optimize flushes 2024-06-26 11:32:39 -04:00
dm-log-userspace-base.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-log.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-mpath.c dm mpath: don't call dm_get_device in multipath_message 2024-07-10 13:10:06 +02:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h
dm-ps-historical-service-time.c
dm-ps-io-affinity.c
dm-ps-queue-length.c
dm-ps-round-robin.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-ps-service-time.c
dm-raid1.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-raid.c - Misc VDO fixes 2024-09-27 09:12:51 -07:00
dm-region-hash.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-rq.c Revert "dm: requeue IO if mapping table not yet available" 2024-09-15 21:02:54 +02:00
dm-rq.h
dm-snap-persistent.c dm io: Support IO priority 2024-02-20 14:22:51 -05:00
dm-snap-transient.c
dm-snap.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-stats.c dm stats: limit the number of entries 2024-01-30 14:06:44 -05:00
dm-stats.h
dm-stripe.c dm: stop using blk_limits_io_{min,opt} 2024-07-10 13:10:06 +02:00
dm-switch.c
dm-sysfs.c
dm-table.c dm: introduce the target flag mempool_needs_integrity 2024-07-12 12:39:06 -04:00
dm-target.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-thin-metadata.c dm: Constify struct dm_block_validator 2024-07-19 12:08:15 +02:00
dm-thin-metadata.h
dm-thin.c dm: Convert to use ERR_CAST() 2024-09-02 11:41:11 +02:00
dm-uevent.c
dm-uevent.h
dm-unstripe.c dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow 2024-11-04 17:34:56 +01:00
dm-verity-fec.c dm-verity: make verity_hash() take dm_verity_io instead of ahash_request 2024-07-03 21:41:11 +02:00
dm-verity-fec.h dm-verity: always "map" the data blocks 2024-07-03 21:41:11 +02:00
dm-verity-loadpin.c
dm-verity-target.c dm-verity: don't crash if panic_on_corruption is not selected 2024-11-04 17:39:23 +01:00
dm-verity-verify-sig.c dm verity: fallback to platform keyring also if key in trusted keyring is rejected 2024-09-26 17:27:08 +02:00
dm-verity-verify-sig.h
dm-verity.h dm-verity: don't crash if panic_on_corruption is not selected 2024-11-04 17:39:23 +01:00
dm-writecache.c dm: update relevant MODULE_AUTHOR entries to latest dm-devel mailing list 2024-02-20 14:22:55 -05:00
dm-zero.c dm: always manage discard support in terms of max_hw_discard_sectors 2024-05-20 15:51:19 -04:00
dm-zone.c dm: handle REQ_OP_ZONE_RESET_ALL 2024-07-05 00:42:04 -06:00
dm-zoned-metadata.c block: remove gfp_flags from blkdev_zone_mgmt 2024-02-12 08:41:16 -07:00
dm-zoned-reclaim.c
dm-zoned-target.c dm: stop using blk_limits_io_{min,opt} 2024-07-10 13:10:06 +02:00
dm-zoned.h
dm.c dm: fix a crash if blk_alloc_disk fails 2024-10-15 13:37:17 +02:00
dm.h dm: Remove unused declaration and empty definition "dm_zone_map_bio" 2024-08-21 13:12:12 +02:00
Kconfig dm verity: add support for signature verification with platform keyring 2024-07-03 21:41:11 +02:00
Makefile dm vdo: use a proper Makefile for dm-vdo 2024-02-20 13:43:17 -05:00
md-autodetect.c md: Remove deprecated CONFIG_MD_LINEAR 2023-12-19 10:16:51 -08:00
md-bitmap.c for-6.12/block-20240913 2024-09-16 13:33:06 +02:00
md-bitmap.h md/md-bitmap: make in memory structure internal 2024-08-27 12:43:16 -07:00
md-cluster.c md/md-bitmap: make in memory structure internal 2024-08-27 12:43:16 -07:00
md-cluster.h md-cluster: fix no recovery job when adding/re-adding a disk 2024-07-12 01:30:18 +00:00
md.c md: Add new_level sysfs interface 2024-09-06 10:31:12 -07:00
md.h Merge branch 'md-6.12-bitmap' into md-6.12 2024-08-28 14:55:57 -07:00
raid0.c md: set md-specific flags for all queue limits 2024-06-26 09:37:35 -06:00
raid0.h
raid1-10.c md/md-bitmap: merge md_bitmap_enabled() into bitmap_operations 2024-08-27 12:43:16 -07:00
raid1.c for-6.12/block-20240913 2024-09-16 13:33:06 +02:00
raid1.h md/raid1: record nonrot rdevs while adding/removing rdevs to conf 2024-02-29 22:49:45 -08:00
raid5-cache.c md/raid5: use wait_on_bit() for R5_Overlap 2024-08-29 09:37:10 -07:00
raid5-log.h
raid5-ppl.c md: remove mddev->queue 2024-03-06 08:59:53 -08:00
raid5.c md/raid5: rename wait_for_overlap to wait_for_reshape 2024-08-29 09:37:10 -07:00
raid5.h md/raid5: rename wait_for_overlap to wait_for_reshape 2024-08-29 09:37:10 -07:00
raid10.c md/md-bitmap: merge md_bitmap_resize() into bitmap_operations 2024-08-27 12:43:15 -07:00
raid10.h