android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
49dba30638
android_kernel_xiaomi_sm8450/drivers/md
History
Mikulas Patocka 49dba30638 dm raid: fix address sanitizer warning in raid_status 
commit 1fbeea217d8f297fe0e0956a1516d14ba97d0396 upstream.

There is this warning when using a kernel with the address sanitizer
and running this testsuite:
https://gitlab.com/cki-project/kernel-tests/-/tree/main/storage/swraid/scsi_raid

==================================================================
BUG: KASAN: slab-out-of-bounds in raid_status+0x1747/0x2820 [dm_raid]
Read of size 4 at addr ffff888079d2c7e8 by task lvcreate/13319
CPU: 0 PID: 13319 Comm: lvcreate Not tainted 5.18.0-0.rc3.<snip> #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Call Trace:
 <TASK>
 dump_stack_lvl+0x6a/0x9c
 print_address_description.constprop.0+0x1f/0x1e0
 print_report.cold+0x55/0x244
 kasan_report+0xc9/0x100
 raid_status+0x1747/0x2820 [dm_raid]
 dm_ima_measure_on_table_load+0x4b8/0xca0 [dm_mod]
 table_load+0x35c/0x630 [dm_mod]
 ctl_ioctl+0x411/0x630 [dm_mod]
 dm_ctl_ioctl+0xa/0x10 [dm_mod]
 __x64_sys_ioctl+0x12a/0x1a0
 do_syscall_64+0x5b/0x80

The warning is caused by reading conf->max_nr_stripes in raid_status. The
code in raid_status reads mddev->private, casts it to struct r5conf and
reads the entry max_nr_stripes.

However, if we have different raid type than 4/5/6, mddev->private
doesn't point to struct r5conf; it may point to struct r0conf, struct
r1conf, struct r10conf or struct mpconf. If we cast a pointer to one
of these structs to struct r5conf, we will be reading invalid memory
and KASAN warns about it.

Fix this bug by reading struct r5conf only if raid type is 4, 5 or 6.

Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-08-21 15:16:24 +02:00
..
bcache bcache: memset on stack variables in bch_btree_check() and bch_sectors_dirty_init() 2022-07-02 16:39:23 +02:00
persistent-data dm space map common: add bounds check to sm_ll_lookup_bitmap() 2022-01-27 10:54:20 +01:00
dm-bio-prison-v1.c dm bio prison: replace spin_lock_irqsave with spin_lock_irq 2019-11-05 14:53:03 -05:00
dm-bio-prison-v1.h
dm-bio-prison-v2.c dm bio prison v2: use true/false for bool variable 2020-01-07 12:07:08 -05:00
dm-bio-prison-v2.h
dm-bio-record.h dm bio record: save/restore bi_end_io and bi_integrity 2020-03-03 10:02:46 -05:00
dm-bufio.c dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size 2021-03-09 11:11:12 +01:00
dm-builtin.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-cache-background-tracker.c dm cache background tracker: fix sparse warning 2018-04-30 15:40:40 -04:00
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm cache metadata: Avoid returning cmd->bm wild pointer on error 2020-09-02 13:38:24 -04:00
dm-cache-metadata.h
dm-cache-policy-internal.h
dm-cache-policy-smq.c dm: remove unnecessary unlikely() around WARN_ON_ONCE() 2018-10-16 14:34:59 -04:00
dm-cache-policy.c
dm-cache-policy.h
dm-cache-target.c Revert "dm cache: fix arm link errors with inline" 2020-12-01 15:43:36 -05:00
dm-clone-metadata.c dm clone metadata: Fix return type of dm_clone_nr_of_hydrated_regions() 2020-03-27 14:42:51 -04:00
dm-clone-metadata.h dm clone metadata: Fix return type of dm_clone_nr_of_hydrated_regions() 2020-03-27 14:42:51 -04:00
dm-clone-target.c writeback: remove bdi->congested_fn 2020-07-08 17:20:46 -06:00
dm-core.h dm: fix deadlock when swapping to encrypted device 2021-03-04 11:38:44 +01:00
dm-crypt.c dm crypt: make printing of the key constant-time 2022-06-06 08:42:44 +02:00
dm-delay.c block: rename generic_make_request to submit_bio_noacct 2020-07-01 07:27:24 -06:00
dm-dust.c dm dust: add interface to list all badblocks 2020-07-20 11:17:41 -04:00
dm-ebs-target.c dm ebs: Fix incorrect checking for REQ_OP_FLUSH 2020-08-04 16:01:40 -04:00
dm-era-target.c dm era: commit metadata in postsuspend after worker stops 2022-06-29 08:59:45 +02:00
dm-exception-store.c
dm-exception-store.h - Improve DM snapshot target's scalability by using finer grained 2019-05-16 15:55:48 -07:00
dm-flakey.c block: rework zone reporting 2019-11-12 19:12:07 -07:00
dm-historical-service-time.c dm mpath: only use ktime_get_ns() in historical selector 2022-04-20 09:23:18 +02:00
dm-init.c dm init: Set file local variable static 2020-08-04 15:51:28 -04:00
dm-integrity.c dm integrity: fix error code in dm_integrity_ctr() 2022-06-06 08:42:43 +02:00
dm-io.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
dm-ioctl.c dm ioctl: prevent potential spectre v1 gadget 2022-04-13 21:00:57 +02:00
dm-kcopyd.c dm kcopyd: always complete failed jobs 2019-08-15 15:57:39 -04:00
dm-linear.c dm: add support for REQ_NOWAIT and enable it for linear target 2020-09-25 08:20:03 -06:00
dm-log-userspace-base.c dm: convert to bioset_init()/mempool_init() 2018-05-30 15:33:32 -06:00
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c dm: replace zero-length array with flexible-array 2020-05-20 17:09:44 -04:00
dm-log.c dm mirror log: clear log bits up to BITS_PER_LONG boundary 2022-06-29 08:59:45 +02:00
dm-mpath.c dm: use dm_table_get_device_name() where appropriate in targets 2020-09-29 16:33:08 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h dm mpath: pass IO start time to path selector 2020-05-15 10:29:36 -04:00
dm-queue-length.c dm mpath: pass IO start time to path selector 2020-05-15 10:29:36 -04:00
dm-raid1.c block: rename generic_make_request to submit_bio_noacct 2020-07-01 07:27:24 -06:00
dm-raid.c dm raid: fix address sanitizer warning in raid_status 2022-08-21 15:16:24 +02:00
dm-region-hash.c - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
dm-round-robin.c
dm-rq.c block: remove the request_queue to argument request based tracepoints 2022-08-21 15:15:36 +02:00
dm-rq.h dm: remove unused _rq_tio_cache and _rq_cache 2019-03-05 14:48:50 -05:00
dm-service-time.c dm mpath: pass IO start time to path selector 2020-05-15 10:29:36 -04:00
dm-snap-persistent.c dm snap persistent: simplify area_io() 2020-09-29 16:33:12 -04:00
dm-snap-transient.c
dm-snap.c dm snapshot: properly fix a crash when an origin has no snapshots 2021-06-03 09:00:30 +02:00
dm-stats.c dm stats: add cond_resched when looping over entries 2022-06-06 08:42:44 +02:00
dm-stats.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dm-stripe.c dm: replace zero-length array with flexible-array 2020-05-20 17:09:44 -04:00
dm-switch.c dm: replace zero-length array with flexible-array 2020-05-20 17:09:44 -04:00
dm-sysfs.c dm: remove legacy request-based IO path 2018-10-11 11:36:09 -04:00
dm-table.c dm table: Fix zoned model check and zone sectors check 2021-03-30 14:32:06 +02:00
dm-target.c dm mpath: fix missing call of path selector type->end_io 2019-04-25 15:38:52 -04:00
dm-thin-metadata.c dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-08-21 15:16:20 +02:00
dm-thin-metadata.h dm thin metadata: Add support for a pre-commit callback 2019-12-05 17:05:24 -05:00
dm-thin.c dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-08-21 15:16:20 +02:00
dm-uevent.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
dm-uevent.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
dm-unstripe.c dm: Check for device sector overflow if CONFIG_LBDAF is not set 2018-12-18 09:02:26 -05:00
dm-verity-fec.c dm verity fec: fix misaligned RS roots IO 2021-04-21 13:00:54 +02:00
dm-verity-fec.h dm verity fec: fix misaligned RS roots IO 2021-04-21 13:00:54 +02:00
dm-verity-target.c dm verity: set DM_TARGET_IMMUTABLE feature flag 2022-06-06 08:42:44 +02:00
dm-verity-verify-sig.c dm verity: fix require_signatures module_param permissions 2021-06-16 12:01:37 +02:00
dm-verity-verify-sig.h dm verity: Fix compilation warning 2020-08-04 15:48:13 -04:00
dm-verity.h dm verity: add "panic_on_corruption" error handling mode 2020-07-13 11:47:33 -04:00
dm-writecache.c dm writecache: set a default MAX_WRITEBACK_JOBS 2022-08-21 15:16:19 +02:00
dm-zero.c
dm-zoned-metadata.c dm zoned: check zone capacity 2021-07-19 09:45:01 +02:00
dm-zoned-reclaim.c dm zoned: Fix zone reclaim trigger 2020-07-08 12:21:53 -04:00
dm-zoned-target.c dm table: Fix zoned model check and zone sectors check 2021-03-30 14:32:06 +02:00
dm-zoned.h dm zoned: select reclaim zone based on device index 2020-06-05 14:59:53 -04:00
dm.c dm: return early from dm_pr_call() if DM device is suspended 2022-08-21 15:15:37 +02:00
dm.h dm table: fix DAX iterate_devices based device capability checks 2021-03-04 11:38:44 +01:00
Kconfig dm integrity: select CRYPTO_SKCIPHER 2021-01-27 11:54:57 +01:00
Makefile md: move the early init autodetect code to drivers/md/ 2020-07-16 15:34:47 +02:00
md-autodetect.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
md-bitmap.c md/bitmap: don't set sb values if can't pass sanity check 2022-06-09 10:20:52 +02:00
md-bitmap.h md: Avoid namespace collision with bitmap API 2018-08-01 15:49:39 -07:00
md-cluster.c md/cluster: fix deadlock when node is doing resync job 2020-12-30 11:54:25 +01:00
md-cluster.h md-cluster: introduce resync_info_get interface for sanity check 2018-10-18 09:36:35 -07:00
md-faulty.c block: rename generic_make_request to submit_bio_noacct 2020-07-01 07:27:24 -06:00
md-linear.c block: add a new revalidate_disk_size helper 2020-09-02 08:00:07 -06:00
md-linear.h md/raid1: Replace zero-length array with flexible-array 2020-05-13 12:02:23 -07:00
md-multipath.c writeback: remove bdi->congested_fn 2020-07-08 17:20:46 -06:00
md-multipath.h md: convert to bioset_init()/mempool_init() 2018-05-30 15:33:32 -06:00
md.c md-raid: destroy the bitmap after destroying the thread 2022-08-21 15:15:25 +02:00
md.h md: revert io stats accounting 2022-01-16 09:14:21 +01:00
raid0.c md/raid0: Ignore RAID0 layout if the second zone has only one device 2022-06-14 18:32:47 +02:00
raid0.h md/raid0: avoid RAID0 data corruption due to layout confusion. 2019-09-13 13:10:05 -07:00
raid1-10.c md: raid1-10: Unify r{1,10}bio_pool_free 2019-06-15 01:37:35 -06:00
raid1.c md/raid10: properly indicate failure when ending a failed write request 2021-08-12 13:22:17 +02:00
raid1.h md/raid1: Replace zero-length array with flexible-array 2020-05-13 12:02:23 -07:00
raid5-cache.c raid5-cache: hold spinlock instead of mutex in r5c_journal_mode_show 2020-08-02 23:03:52 -07:00
raid5-log.h raid5: set write hint for PPL 2019-03-12 10:15:18 -07:00
raid5-ppl.c md/raid456: convert macro STRIPE_* to RAID5_STRIPE_* 2020-07-21 17:18:12 -07:00
raid5.c dm raid: fix KASAN warning in raid5_add_disks 2022-07-07 17:52:16 +02:00
raid5.h md/raid5: let multiple devices of stripe_head share page 2020-09-24 16:44:44 -07:00
raid10.c md-raid10: fix KASAN warning 2022-08-21 15:15:25 +02:00
raid10.h Revert "md/raid10: improve discard request for far layout" 2020-12-09 20:46:00 -08:00