From f5675cdb17c4a6fe5e994207d4cb57df5085d97a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 8 May 2025 07:32:24 +0200
Subject: [PATCH] 6.6-stable patches

added patches:
dm-fix-copying-after-src-array-boundaries.patch
---
 ...x-copying-after-src-array-boundaries.patch | 58 +++++++++++++++++++
 queue-6.6/series | 1 +
 2 files changed, 59 insertions(+)
 create mode 100644 queue-6.6/dm-fix-copying-after-src-array-boundaries.patch

diff --git a/queue-6.6/dm-fix-copying-after-src-array-boundaries.patch b/queue-6.6/dm-fix-copying-after-src-array-boundaries.patch
new file mode 100644
index 0000000000..56edfccb06
--- /dev/null
+++ b/queue-6.6/dm-fix-copying-after-src-array-boundaries.patch
@@ -0,0 +1,58 @@
+From f1aff4bc199cb92c055668caed65505e3b4d2656 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus
+Date: Tue, 6 May 2025 11:31:50 +0000
+Subject: dm: fix copying after src array boundaries
+
+From: Tudor Ambarus
+
+commit f1aff4bc199cb92c055668caed65505e3b4d2656 upstream.
+
+The blammed commit copied to argv the size of the reallocated argv,
+instead of the size of the old_argv, thus reading and copying from
+past the old_argv allocated memory.
+
+Following BUG_ON was hit:
+[ 3.038929][ T1] kernel BUG at lib/string_helpers.c:1040!
+[ 3.039147][ T1] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+...
+[ 3.056489][ T1] Call trace:
+[ 3.056591][ T1] __fortify_panic+0x10/0x18 (P)
+[ 3.056773][ T1] dm_split_args+0x20c/0x210
+[ 3.056942][ T1] dm_table_add_target+0x13c/0x360
+[ 3.057132][ T1] table_load+0x110/0x3ac
+[ 3.057292][ T1] dm_ctl_ioctl+0x424/0x56c
+[ 3.057457][ T1] __arm64_sys_ioctl+0xa8/0xec
+[ 3.057634][ T1] invoke_syscall+0x58/0x10c
+[ 3.057804][ T1] el0_svc_common+0xa8/0xdc
+[ 3.057970][ T1] do_el0_svc+0x1c/0x28
+[ 3.058123][ T1] el0_svc+0x50/0xac
+[ 3.058266][ T1] el0t_64_sync_handler+0x60/0xc4
+[ 3.058452][ T1] el0t_64_sync+0x1b0/0x1b4
+[ 3.058620][ T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000)
+[ 3.058897][ T1] ---[ end trace 0000000000000000 ]---
+[ 3.059083][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
+
+Fix it by copying the size of src, and not the size of dst, as it was.
+
+Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -501,9 +501,9 @@ static char **realloc_argv(unsigned int
+ }
+ argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+ if (argv) {
+- *size = new_size;
+ if (old_argv)
+ memcpy(argv, old_argv, *size * sizeof(*argv));
++ *size = new_size;
+ }
+
+ kfree(old_argv);
diff --git a/queue-6.6/series b/queue-6.6/series
index dd5d4431e5..a33f573464 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -127,3 +127,4 @@ drm-amd-display-add-scoped-mutexes-for-amdgpu_dm_dhc.patch
 drm-amd-display-fix-slab-use-after-free-in-hdcp.patch
 usb-xhci-check-for-xhci-interrupters-being-allocated-in-xhci_mem_clearup.patch
 xhci-fix-possible-null-pointer-dereference-at-secondary-interrupter-removal.patch
+dm-fix-copying-after-src-array-boundaries.patch
-- 
2.47.3
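Review bot: The memcpy in the inner dm-table.c hunk is correct only because `*size` still holds the old element count when it runs, which is precisely the ordering the blamed commit broke, so a comment above the memcpy would protect the next reorder, e.g. `/* *size is still the old count here; it is updated only after the copy */`. The copy also relies on new_size being at least *size so that *size entries fit in the fresh kmalloc_array allocation; realloc_argv's opening, where new_size is derived, lies outside the hunk, so that invariant cannot be confirmed from here. On allocation failure old_argv is still freed while *size keeps the old count, so callers presumably must treat a NULL return as terminal rather than reuse the old buffer; if the function comment does not already say so, it is worth stating.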