From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E3971EEA8; Sat, 30 May 2026 17:12:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780161127; cv=none; b=FtOIQY0fm5HnVv30IGn7M+T0ZpjAzFwYlgDIh3yD65iRbljeXFxY2QyeTalfqBwJ6RH57TSu9crOc2V0e7gr9cHKBbT9JnurYOc+Itl/Dcdl7asTfcu+NTsNa+M2ZQhvB7t2E7wRDDDakHUlZKRT8pfpbh/ZcmGIYjh19pscOkk= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780161127; c=relaxed/simple; bh=FLBdZUR2hiJPhDdBTOXmOczSVEYmfrTyoO6MuwLxeJA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pZbk+A0xOCKelO5oOk4e7i2J2zI+o1cgBJTBqUehZCuuAzhRrgz18JuiWNroWYwroV35g48Z3bAKzHcBWiBDhNYgcZWggJTQuOnr5qaH5YzUMvP1inUPB1Jgp/gLAlauX8pEDsCq4Ws+AUS+LPEeGiWKwBZKPmEoCTqLne4Tw64= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=nZ2kBjeT; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="nZ2kBjeT" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 30F7B1F00893; Sat, 30 May 2026 17:12:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1780161126; bh=EnpRNyQPQLP0/7ZNdwPwjUgQT5hGlhEnElgLql5q8JI=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=nZ2kBjeTOP24PI+kLjHFjIKpOr0r6lYsj1tlVHdAmsnWaRiqNHpqo40GSrx8PZuiW TVRYliky/qJ4FuhMemXjg86Uu88DQl8cJFProNWGdb817O1OmGddy2EoPxQyWzGWyB IudAwg7gzL8rf16FQYfZsnag7C55KD5lw0xNA6dY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Yuhao Jiang , Junrui Luo , Mikulas Patocka , Sasha Levin Subject: [PATCH 6.1 503/969] dm log: fix out-of-bounds write due to region_count overflow Date: Sat, 30 May 2026 18:00:27 +0200 Message-ID: <20260530160314.218578354@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260530160300.485627683@linuxfoundation.org> References: <20260530160300.485627683@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.1-stable review patch. If anyone has any objections, please let me know. ------------------ From: Junrui Luo [ Upstream commit c20e36b7631d83e7535877f08af8b0af72c44b1a ] The local variable region_count in create_log_context() is declared as unsigned int (32-bit), but dm_sector_div_up() returns sector_t (64-bit). When a device-mapper target has a sufficiently large ti->len with a small region_size, the division result can exceed UINT_MAX. The truncated value is then used to calculate bitset_size, causing clean_bits, sync_bits, and recovering_bits to be allocated far smaller than needed for the actual number of regions. Subsequent log operations (log_set_bit, log_clear_bit, log_test_bit) use region indices derived from the full untruncated region space, causing out-of-bounds writes to kernel heap memory allocated by vmalloc. This can be reproduced by creating a mirror target whose region_count overflows 32 bits: dmsetup create bigzero --table '0 8589934594 zero' dmsetup create mymirror --table '0 8589934594 mirror \ core 2 2 nosync 2 /dev/mapper/bigzero 0 \ /dev/mapper/bigzero 0' The status output confirms the truncation (sync_count=1 instead of 4294967297, because 0x100000001 was truncated to 1): $ dmsetup status mymirror 0 8589934594 mirror 2 254:1 254:1 1/4294967297 ... This leads to a kernel crash in core_in_sync: BUG: scheduling while atomic: (udev-worker)/9150/0x00000000 RIP: 0010:core_in_sync+0x14/0x30 [dm_log] CR2: 0000000000000008 Fixing recursive fault but reboot is needed! Fix by widening the local region_count to sector_t and adding an explicit overflow check before the value is assigned to lc->region_count. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Yuhao Jiang Signed-off-by: Junrui Luo Signed-off-by: Mikulas Patocka Signed-off-by: Sasha Levin --- drivers/md/dm-log.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c index da77878cb2c02..32a3cb131e578 100644 --- a/drivers/md/dm-log.c +++ b/drivers/md/dm-log.c @@ -366,7 +366,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti, struct log_c *lc; uint32_t region_size; - unsigned int region_count; + sector_t region_count; size_t bitset_size, buf_size; int r; char dummy; @@ -394,6 +394,10 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti, } region_count = dm_sector_div_up(ti->len, region_size); + if (region_count > UINT_MAX) { + DMWARN("region count exceeds limit of %u", UINT_MAX); + return -EINVAL; + } lc = kmalloc(sizeof(*lc), GFP_KERNEL); if (!lc) { -- 2.53.0