5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Apr 2024 08:49:32 +0000 (10:49 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 30 Apr 2024 08:49:32 +0000 (10:49 +0200)
added patches:
dm-limit-the-number-of-targets-and-parameter-size-area.patch

queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch b/queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch
new file mode 100644 (file)
index 0000000..8645725
--- /dev/null
@@ -0,0 +1,74 @@
+From bd504bcfec41a503b32054da5472904b404341a4 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 9 Jan 2024 15:57:56 +0100
+Subject: dm: limit the number of targets and parameter size area
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bd504bcfec41a503b32054da5472904b404341a4 upstream.
+
+The kvmalloc function fails with a warning if the size is larger than
+INT_MAX. The warning was triggered by a syscall testing robot.
+
+In order to avoid the warning, this commit limits the number of targets to
+1048576 and the size of the parameter area to 1073741824.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+[srish: Apply to stable branch linux-5.4.y]
+Signed-off-by: Srish Srinivasan <srish.srinivasan@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-core.h  |    2 ++
+ drivers/md/dm-ioctl.c |    3 ++-
+ drivers/md/dm-table.c |    9 +++++++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-core.h
++++ b/drivers/md/dm-core.h
+@@ -18,6 +18,8 @@
+ #include "dm.h"
+ #define DM_RESERVED_MAX_IOS           1024
++#define DM_MAX_TARGETS                        1048576
++#define DM_MAX_TARGET_PARAMS          1024
+ struct dm_kobject_holder {
+       struct kobject kobj;
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -1760,7 +1760,8 @@ static int copy_params(struct dm_ioctl _
+       if (copy_from_user(param_kernel, user, minimum_data_size))
+               return -EFAULT;
+-      if (param_kernel->data_size < minimum_data_size)
++      if (unlikely(param_kernel->data_size < minimum_data_size) ||
++          unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS))
+               return -EINVAL;
+       secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG;
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -184,7 +184,12 @@ static int alloc_targets(struct dm_table
+ int dm_table_create(struct dm_table **result, fmode_t mode,
+                   unsigned num_targets, struct mapped_device *md)
+ {
+-      struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL);
++      struct dm_table *t;
++
++      if (num_targets > DM_MAX_TARGETS)
++              return -EOVERFLOW;
++
++      t = kzalloc(sizeof(*t), GFP_KERNEL);
+       if (!t)
+               return -ENOMEM;
+@@ -199,7 +204,7 @@ int dm_table_create(struct dm_table **re
+       if (!num_targets) {
+               kfree(t);
+-              return -ENOMEM;
++              return -EOVERFLOW;
+       }
+       if (alloc_targets(t, num_targets)) {
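Review bot: In the copy_params hunk of the queued patch, the new upper bound `DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS` is computed in plain `int` arithmetic and already comes to 1073741824 (2^30), so doubling either constant later would overflow a signed int rather than raise the limit. I would define the product once beside the two new defines in dm-core.h with an explicit type, e.g. `#define DM_MAX_PARAM_AREA ((size_t)DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS)`, and compare `data_size` against that name. In dm_table_create, the `if (!num_targets)` branch now returns -EOVERFLOW, but with the `num_targets > DM_MAX_TARGETS` check placed ahead of it a zero count would seem to come only from a caller passing zero (the lines in between are outside the hunk, so this is inferred), and -EOVERFLOW is a misleading errno for that case. A short comment on that branch saying which case it covers, or confirming against the full function, would help; copy_params and dm_table_create both continue outside their hunks.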
index 195c601a468610a497e8d42570b305f304cee009..5f683844fb3911dbd35db71af75ae09bf9ef60b9 100644 (file)
@@ -102,3 +102,4 @@ idma64-don-t-try-to-serve-interrupts-when-device-is-.patch
 i2c-smbus-fix-null-function-pointer-dereference.patch
 hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
 bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
+dm-limit-the-number-of-targets-and-parameter-size-area.patch