From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A48701ED38 for ; Tue, 25 Jul 2023 11:34:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 24BAAC433C8; Tue, 25 Jul 2023 11:34:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1690284899; bh=IcHyIVsIG9SnJRp4MalCtaRPuWE9SJi2yK0TKu0hAVU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mro7CHSbWceFAZ+xWAYLJNtrIgAJ5NLvH7wur1qlpvCmJPzPSQ5/F8ZXVK0U7KT4A hq8I2GYE8HOn910lPkS2Np43jqDUUJdRdjyHO3cVW77H0LwURbphuLlbYEu45JTetr /e+oBJE+lN9UYPJPK0qmpnmEaqVEe9TV15RsCRN8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Li Nan , Yu Kuai , Song Liu , Sasha Levin Subject: [PATCH 5.4 012/313] md/raid10: check slab-out-of-bounds in md_bitmap_get_counter Date: Tue, 25 Jul 2023 12:42:45 +0200 Message-ID: <20230725104521.700725001@linuxfoundation.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230725104521.167250627@linuxfoundation.org> References: <20230725104521.167250627@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Li Nan [ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ] If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() will return -EINVAL because 'page >= bitmap->pages', but the return value was not checked immediately in md_bitmap_get_counter() in order to set *blocks value and slab-out-of-bounds occurs. Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and return directly if true. Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") Signed-off-by: Li Nan Reviewed-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com Signed-off-by: Sasha Levin --- drivers/md/md-bitmap.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c index 0545cdccf6369..bea8265ce9b8e 100644 --- a/drivers/md/md-bitmap.c +++ b/drivers/md/md-bitmap.c @@ -54,14 +54,7 @@ __acquires(bitmap->lock) { unsigned char *mappage; - if (page >= bitmap->pages) { - /* This can happen if bitmap_start_sync goes beyond - * End-of-device while looking for a whole page. - * It is harmless. - */ - return -EINVAL; - } - + WARN_ON_ONCE(page >= bitmap->pages); if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */ return 0; @@ -1369,6 +1362,14 @@ __acquires(bitmap->lock) sector_t csize; int err; + if (page >= bitmap->pages) { + /* + * This can happen if bitmap_start_sync goes beyond + * End-of-device while looking for a whole page or + * user set a huge number to sysfs bitmap_set_bits. + */ + return NULL; + } err = md_bitmap_checkpage(bitmap, page, create, 0); if (bitmap->bp[page].hijacked || -- 2.39.2