From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ming-Hung Tsai <mtsai@redhat.com>,
Mikulas Patocka <mpatocka@redhat.com>,
Joe Thornber <thornber@redhat.com>
Subject: [PATCH 4.19 23/52] dm cache: fix potential out-of-bounds access on the first resume
Date: Fri, 15 Nov 2024 07:37:36 +0100 [thread overview]
Message-ID: <20241115063723.694049653@linuxfoundation.org> (raw)
In-Reply-To: <20241115063722.845867306@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming-Hung Tsai <mtsai@redhat.com>
commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream.
Out-of-bounds access occurs if the fast device is expanded unexpectedly
before the first-time resume of the cache table. This happens because
expanding the fast device requires reloading the cache table for
cache_create to allocate new in-core data structures that fit the new
size, and the check in cache_preresume is not performed during the
first resume, leading to the issue.
Reproduce steps:
1. prepare component devices:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
2. load a cache table of 512 cache blocks, and deliberately expand the
fast device before resuming the cache, making the in-core data
structures inadequate.
dmsetup create cache --notable
dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache
3. suspend the cache to write out the in-core dirty bitset and hint
array, leading to out-of-bounds access to the dirty bitset at offset
0x40:
dmsetup suspend cache
KASAN reports:
BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
Read of size 8 at addr ffffc90000085040 by task dmsetup/90
(...snip...)
The buggy address belongs to the virtual mapping at
[ffffc90000085000, ffffc90000087000) created by:
cache_ctr+0x176a/0x35f0
(...snip...)
Memory state around the buggy address:
ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Fix by checking the size change on the first resume.
Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Acked-by: Joe Thornber <thornber@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-cache-target.c | 37 ++++++++++++++++---------------------
1 file changed, 16 insertions(+), 21 deletions(-)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -2991,24 +2991,24 @@ static dm_cblock_t get_cache_dev_size(st
static bool can_resize(struct cache *cache, dm_cblock_t new_size)
{
if (from_cblock(new_size) > from_cblock(cache->cache_size)) {
- if (cache->sized) {
- DMERR("%s: unable to extend cache due to missing cache table reload",
- cache_device_name(cache));
- return false;
- }
+ DMERR("%s: unable to extend cache due to missing cache table reload",
+ cache_device_name(cache));
+ return false;
}
/*
* We can't drop a dirty block when shrinking the cache.
*/
- new_size = to_cblock(find_next_bit(cache->dirty_bitset,
- from_cblock(cache->cache_size),
- from_cblock(new_size)));
- if (new_size != cache->cache_size) {
- DMERR("%s: unable to shrink cache; cache block %llu is dirty",
- cache_device_name(cache),
- (unsigned long long) from_cblock(new_size));
- return false;
+ if (cache->loaded_mappings) {
+ new_size = to_cblock(find_next_bit(cache->dirty_bitset,
+ from_cblock(cache->cache_size),
+ from_cblock(new_size)));
+ if (new_size != cache->cache_size) {
+ DMERR("%s: unable to shrink cache; cache block %llu is dirty",
+ cache_device_name(cache),
+ (unsigned long long) from_cblock(new_size));
+ return false;
+ }
}
return true;
@@ -3039,20 +3039,15 @@ static int cache_preresume(struct dm_tar
/*
* Check to see if the cache has resized.
*/
- if (!cache->sized) {
- r = resize_cache_dev(cache, csize);
- if (r)
- return r;
-
- cache->sized = true;
-
- } else if (csize != cache->cache_size) {
+ if (!cache->sized || csize != cache->cache_size) {
if (!can_resize(cache, csize))
return -EINVAL;
r = resize_cache_dev(cache, csize);
if (r)
return r;
+
+ cache->sized = true;
}
if (!cache->loaded_mappings) {
next prev parent reply other threads:[~2024-11-15 6:40 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 6:37 [PATCH 4.19 00/52] 4.19.324-rc1 review Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 01/52] arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 02/52] ARM: dts: rockchip: fix rk3036 acodec node Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 03/52] ARM: dts: rockchip: drop grf reference from rk3036 hdmi Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 04/52] ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 05/52] HID: core: zero-initialize the report buffer Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 06/52] security/keys: fix slab-out-of-bounds in key_task_permission Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 07/52] sctp: properly validate chunk size in sctp_sf_ootb() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 08/52] can: c_can: fix {rx,tx}_errors statistics Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 09/52] net: hns3: fix kernel crash when uninstalling driver Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 10/52] media: stb0899_algo: initialize cfr before using it Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 11/52] media: dvbdev: prevent the risk of out of memory access Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 12/52] media: dvb_frontend: dont play tricks with underflow values Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 13/52] media: adv7604: prevent underflow condition when reporting colorspace Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 14/52] ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 15/52] media: s5p-jpeg: prevent buffer overflows Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 16/52] media: cx24116: prevent overflows on SNR calculus Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 17/52] media: v4l2-tpg: prevent the risk of a division by zero Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 18/52] drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 19/52] drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 20/52] dm cache: correct the number of origin blocks to match the target length Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 21/52] dm cache: fix out-of-bounds access to the dirty bitset when resizing Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 22/52] dm cache: optimize dirty bit checking with find_next_bit " Greg Kroah-Hartman
2024-11-15 6:37 ` Greg Kroah-Hartman [this message]
2024-11-15 6:37 ` [PATCH 4.19 24/52] dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 25/52] nfs: Fix KMSAN warning in decode_getfattr_attrs() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 26/52] btrfs: reinitialize delayed ref list after deleting it from the list Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 27/52] bonding (gcc13): synchronize bond_{a,t}lb_xmit() types Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 28/52] net: bridge: xmit: make sure we have at least eth header len bytes Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 29/52] media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 30/52] fs/proc: fix compile warning about variable vmcore_mmap_ops Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 31/52] usb: musb: sunxi: Fix accessing an released usb phy Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 32/52] USB: serial: io_edgeport: fix use after free in debug printk Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 33/52] USB: serial: qcserial: add support for Sierra Wireless EM86xx Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 34/52] USB: serial: option: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 35/52] USB: serial: option: add Quectel RG650V Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 36/52] irqchip/gic-v3: Force propagation of the active state with a read-back Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 37/52] ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 38/52] ALSA: pcm: Return 0 when size < start_threshold in capture Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 39/52] ALSA: usb-audio: Add custom mixer status quirks for RME CC devices Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 40/52] ALSA: usb-audio: Support jack detection on Dell dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 41/52] ALSA: usb-audio: Add quirks for Dell WD19 dock Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 42/52] hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 43/52] vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 44/52] ALSA: usb-audio: Add endianness annotations Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 45/52] 9p: Avoid creating multiple slab caches with the same name Greg Kroah-Hartman
2024-11-15 6:37 ` [PATCH 4.19 46/52] HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 47/52] bpf: use kvzmalloc to allocate BPF verifier environment Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 48/52] sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 49/52] powerpc/powernv: Free name on error in opal_event_init() Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 50/52] fs: Fix uninitialized value issue in from_kuid and from_kgid Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 51/52] net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 4.19 52/52] 9p: fix slab cache name creation for real Greg Kroah-Hartman
2024-11-15 16:00 ` [PATCH 4.19 00/52] 4.19.324-rc1 review Harshit Mogalapalli
2024-11-15 17:55 ` Jon Hunter
2024-11-16 12:54 ` Naresh Kamboju
2024-11-16 21:18 ` Shuah Khan
2024-11-17 13:25 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241115063723.694049653@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=mpatocka@redhat.com \
--cc=mtsai@redhat.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=thornber@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox