6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 May 2025 05:32:24 +0000 (07:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 May 2025 05:32:24 +0000 (07:32 +0200)
added patches:
dm-fix-copying-after-src-array-boundaries.patch

queue-6.6/dm-fix-copying-after-src-array-boundaries.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/dm-fix-copying-after-src-array-boundaries.patch b/queue-6.6/dm-fix-copying-after-src-array-boundaries.patch
new file mode 100644 (file)
index 0000000..56edfcc
--- /dev/null
@@ -0,0 +1,58 @@
+From f1aff4bc199cb92c055668caed65505e3b4d2656 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Tue, 6 May 2025 11:31:50 +0000
+Subject: dm: fix copying after src array boundaries
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit f1aff4bc199cb92c055668caed65505e3b4d2656 upstream.
+
+The blammed commit copied to argv the size of the reallocated argv,
+instead of the size of the old_argv, thus reading and copying from
+past the old_argv allocated memory.
+
+Following BUG_ON was hit:
+[    3.038929][    T1] kernel BUG at lib/string_helpers.c:1040!
+[    3.039147][    T1] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
+...
+[    3.056489][    T1] Call trace:
+[    3.056591][    T1]  __fortify_panic+0x10/0x18 (P)
+[    3.056773][    T1]  dm_split_args+0x20c/0x210
+[    3.056942][    T1]  dm_table_add_target+0x13c/0x360
+[    3.057132][    T1]  table_load+0x110/0x3ac
+[    3.057292][    T1]  dm_ctl_ioctl+0x424/0x56c
+[    3.057457][    T1]  __arm64_sys_ioctl+0xa8/0xec
+[    3.057634][    T1]  invoke_syscall+0x58/0x10c
+[    3.057804][    T1]  el0_svc_common+0xa8/0xdc
+[    3.057970][    T1]  do_el0_svc+0x1c/0x28
+[    3.058123][    T1]  el0_svc+0x50/0xac
+[    3.058266][    T1]  el0t_64_sync_handler+0x60/0xc4
+[    3.058452][    T1]  el0t_64_sync+0x1b0/0x1b4
+[    3.058620][    T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000)
+[    3.058897][    T1] ---[ end trace 0000000000000000 ]---
+[    3.059083][    T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
+
+Fix it by copying the size of src, and not the size of dst, as it was.
+
+Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -501,9 +501,9 @@ static char **realloc_argv(unsigned int
+       }
+       argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+       if (argv) {
+-              *size = new_size;
+               if (old_argv)
+                       memcpy(argv, old_argv, *size * sizeof(*argv));
++              *size = new_size;
+       }
+       kfree(old_argv);
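Review bot: In the nested dm-table.c hunk, the `memcpy()` length is only correct because `*size` is read before the `*size = new_size;` line that now follows it, and nothing in the code records that ordering requirement. The commit message says the blamed commit broke exactly this by updating the size first, which made the copy read past the end of `old_argv`. Capturing the old count in a local would make the bound independent of statement order: `unsigned int old_size = *size;` near the top, then `memcpy(argv, old_argv, old_size * sizeof(*argv));`. At minimum, add a comment above the copy such as `/* copy only the old element count; *size is updated afterwards */`. realloc_argv() starts and ends outside this hunk, so how `new_size` is derived from `*size` is not visible here.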
index dd5d4431e596cddb250f4a8a1da8a204a43d7c6d..a33f573464d08181605b9c80c996ba82d39e102c 100644 (file)
@@ -127,3 +127,4 @@ drm-amd-display-add-scoped-mutexes-for-amdgpu_dm_dhc.patch
 drm-amd-display-fix-slab-use-after-free-in-hdcp.patch
 usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
 xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
+dm-fix-copying-after-src-array-boundaries.patch