On Fri, Dec 15, 2023 at 09:47:17PM +0000, Yang, Chenyuan wrote:
> Hello Linux Kernel community,
>
> We encountered a crash bug when testing the driver implemented in `drivers/md/dm-ioctl.c` by using Syzkaller. Notably, we generated the spec for this driver ourselves, since Syzkaller doesn't have a specification for it.
>
> Based on our understanding, this bug is caused by `dmi = kvmalloc(param_kernel->data_size, GFP_NOIO | __GFP_HIGH);` in `drivers/md/dm-ioctl.c` (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1966), which calls `kvmalloc` with a size of more than INT_MAX.
>
> A possible patch is to have a stricter check for `param_kernel->data_size` in `copy_params` before calling `kvmalloc`, while currently it only checks the minimal size (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1944).

Great, submit a patch based on this and see if it solves the issue you reported!

thanks,

greg k-h
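The bounded-size check suggested in the report, as an added userspace example that is not the kernel's code: `struct example_ioctl` stands in for `struct dm_ioctl` (only the `data_size` field matters here), `EXAMPLE_MAX_DATA_SIZE` is a hypothetical upper bound chosen for illustration, `malloc` stands in for `kvmalloc`, and the error codes are constructed. The point it shows is that a header-supplied size must be rejected both below the header size (the check the message says already exists) and above a sane ceiling, before any allocation is attempted.

```c
/* Added example, not from dm-ioctl.c: bound an attacker-controlled size
 * field on both sides before allocating. Struct layout, the cap and the
 * error codes are constructed for this illustration. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct dm_ioctl; only data_size is used by the check. */
struct example_ioctl {
    uint32_t version[3];
    uint32_t data_size;   /* total size of the buffer, header included */
    uint32_t data_start;
};

/* Hypothetical ceiling: generous for real requests, far below INT_MAX.
 * The real driver's limit, if it has one, must come from the kernel source. */
#define EXAMPLE_MAX_DATA_SIZE (16u * 1024u * 1024u)

enum size_check { SIZE_OK = 0, SIZE_TOO_SMALL = -1, SIZE_TOO_LARGE = -2 };

/* Validate the header-supplied size before any allocation happens. */
enum size_check check_data_size(uint32_t data_size)
{
    /* Minimal check (the one the report says exists): must hold the header. */
    if (data_size < sizeof(struct example_ioctl))
        return SIZE_TOO_SMALL;
    /* Added upper bound: refuses sizes near or beyond INT_MAX that the
     * allocator would otherwise be asked for. */
    if (data_size > EXAMPLE_MAX_DATA_SIZE)
        return SIZE_TOO_LARGE;
    return SIZE_OK;
}

/* Allocate and copy the parameter block only once the size has passed.
 * Returns NULL and sets *err on rejection (constructed -EINVAL style codes). */
void *copy_params_example(const struct example_ioctl *hdr, int *err)
{
    enum size_check rc = check_data_size(hdr->data_size);
    if (rc != SIZE_OK) {
        *err = (int)rc;
        return NULL;
    }
    void *buf = malloc(hdr->data_size);   /* stands in for kvmalloc() */
    if (!buf) {
        *err = -3;
        return NULL;
    }
    memcpy(buf, hdr, sizeof(*hdr));       /* copy the header, as the driver does */
    *err = 0;
    return buf;
}

int main(void)
{
    struct example_ioctl hdr;
    int err;
    memset(&hdr, 0, sizeof(hdr));

    hdr.data_size = (uint32_t)sizeof(hdr) + 4096u;   /* plausible request */
    void *p = copy_params_example(&hdr, &err);
    printf("normal request: err=%d\n", err);
    free(p);

    hdr.data_size = (uint32_t)INT_MAX + 1u;          /* the oversized size from the report */
    p = copy_params_example(&hdr, &err);
    printf("oversized request: err=%d buffer=%p\n", err, p);
    return 0;
}
```

With the upper bound in place the oversized request is refused with `SIZE_TOO_LARGE` and no allocation is attempted; without it the same header would reach the allocator with a size above INT_MAX, which is the path the report describes.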