From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 30 Apr 2024 08:49:32 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.19.313~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8d70323665ff102ecb7d56770c940838734629d5;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	dm-limit-the-number-of-targets-and-parameter-size-area.patch
---

diff --git a/queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch b/queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch
new file mode 100644
index 00000000000..86457259cf9
--- /dev/null
+++ b/queue-5.4/dm-limit-the-number-of-targets-and-parameter-size-area.patch
@@ -0,0 +1,74 @@
+From bd504bcfec41a503b32054da5472904b404341a4 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 9 Jan 2024 15:57:56 +0100
+Subject: dm: limit the number of targets and parameter size area
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit bd504bcfec41a503b32054da5472904b404341a4 upstream.
+
+The kvmalloc function fails with a warning if the size is larger than
+INT_MAX. The warning was triggered by a syscall testing robot.
+
+In order to avoid the warning, this commit limits the number of targets to
+1048576 and the size of the parameter area to 1073741824.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+[srish: Apply to stable branch linux-5.4.y]
+Signed-off-by: Srish Srinivasan <srish.srinivasan@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-core.h  |    2 ++
+ drivers/md/dm-ioctl.c |    3 ++-
+ drivers/md/dm-table.c |    9 +++++++--
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-core.h
++++ b/drivers/md/dm-core.h
+@@ -18,6 +18,8 @@
+ #include "dm.h"
+ 
+ #define DM_RESERVED_MAX_IOS		1024
++#define DM_MAX_TARGETS			1048576
++#define DM_MAX_TARGET_PARAMS		1024
+ 
+ struct dm_kobject_holder {
+ 	struct kobject kobj;
+--- a/drivers/md/dm-ioctl.c
++++ b/drivers/md/dm-ioctl.c
+@@ -1760,7 +1760,8 @@ static int copy_params(struct dm_ioctl _
+ 	if (copy_from_user(param_kernel, user, minimum_data_size))
+ 		return -EFAULT;
+ 
+-	if (param_kernel->data_size < minimum_data_size)
++	if (unlikely(param_kernel->data_size < minimum_data_size) ||
++	    unlikely(param_kernel->data_size > DM_MAX_TARGETS * DM_MAX_TARGET_PARAMS))
+ 		return -EINVAL;
+ 
+ 	secure_data = param_kernel->flags & DM_SECURE_DATA_FLAG;
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -184,7 +184,12 @@ static int alloc_targets(struct dm_table
+ int dm_table_create(struct dm_table **result, fmode_t mode,
+ 		    unsigned num_targets, struct mapped_device *md)
+ {
+-	struct dm_table *t = kzalloc(sizeof(*t), GFP_KERNEL);
++	struct dm_table *t;
++
++	if (num_targets > DM_MAX_TARGETS)
++		return -EOVERFLOW;
++
++	t = kzalloc(sizeof(*t), GFP_KERNEL);
+ 
+ 	if (!t)
+ 		return -ENOMEM;
+@@ -199,7 +204,7 @@ int dm_table_create(struct dm_table **re
+ 
+ 	if (!num_targets) {
+ 		kfree(t);
+-		return -ENOMEM;
++		return -EOVERFLOW;
+ 	}
+ 
+ 	if (alloc_targets(t, num_targets)) {
diff --git a/queue-5.4/series b/queue-5.4/series
index 195c601a468..5f683844fb3 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -102,3 +102,4 @@ idma64-don-t-try-to-serve-interrupts-when-device-is-.patch
 i2c-smbus-fix-null-function-pointer-dereference.patch
 hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
 bounds-use-the-right-number-of-bits-for-power-of-two-config_nr_cpus.patch
+dm-limit-the-number-of-targets-and-parameter-size-area.patch