git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Heinz Mauelshagen <heinzm@redhat.com>
	Mon, 27 Jun 2022 22:37:22 +0000 (00:37 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 7 Jul 2022 15:31:16 +0000 (17:31 +0200)
commit	5e161a8826b63c0b8b43e4a7fad1f956780f42ab
tree	2f14fe055fa9123a182cd9f3c56fd4fe2ef9008b	tree
parent	e468764b5f48ca92505f1bab0ec3dfe7e8a1f093	commit \| diff

dm raid: fix accesses beyond end of raid member array

commit 332bd0778775d0cf105c4b9e03e460b590749916 upstream.

On dm-raid table load (using raid_ctr), dm-raid allocates an array
rs->devs[rs->raid_disks] for the raid device members. rs->raid_disks
is defined by the number of raid metadata and image tupples passed
into the target's constructor.

In the case of RAID layout changes being requested, that number can be
different from the current number of members for existing raid sets as
defined in their superblocks. Example RAID layout changes include:
- raid1 legs being added/removed
- raid4/5/6/10 number of stripes changed (stripe reshaping)
- takeover to higher raid level (e.g. raid5 -> raid6)

When accessing array members, rs->raid_disks must be used in control
loops instead of the potentially larger value in rs->md.raid_disks.
Otherwise it will cause memory access beyond the end of the rs->devs
array.

Fix this by changing code that is prone to out-of-bounds access.
Also fix validate_raid_redundancy() to validate all devices that are
added. Also, use braces to help clean up raid_iterate_devices().

The out-of-bounds memory accesses was discovered using KASAN.

This commit was verified to pass all LVM2 RAID tests (with KASAN
enabled).

Cc: stable@vger.kernel.org
Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>