Patch "md/raid10: check slab-out-of-bounds in md_bitmap_get_counter" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Jul 2023 02:37:20 -0400

This is a note to let you know that I've just added the patch titled

    md/raid10: check slab-out-of-bounds in md_bitmap_get_counter

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     md-raid10-check-slab-out-of-bounds-in-md_bitmap_get_.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c42045a300917bf19d72afa28c7485a1e242ad54
Author: Li Nan <linan122@xxxxxxxxxx>
Date:   Mon May 15 21:48:05 2023 +0800

    md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
    
    [ Upstream commit 301867b1c16805aebbc306aafa6ecdc68b73c7e5 ]
    
    If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage()
    will return -EINVAL because 'page >= bitmap->pages', but the return value
    was not checked immediately in md_bitmap_get_counter() in order to set
    *blocks value and slab-out-of-bounds occurs.
    
    Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and
    return directly if true.
    
    Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.")
    Signed-off-by: Li Nan <linan122@xxxxxxxxxx>
    Reviewed-by: Yu Kuai <yukuai3@xxxxxxxxxx>
    Signed-off-by: Song Liu <song@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@xxxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index 1c4c462787198..7ca81e917aef4 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -53,14 +53,7 @@ __acquires(bitmap->lock)
 {
 	unsigned char *mappage;
 
-	if (page >= bitmap->pages) {
-		/* This can happen if bitmap_start_sync goes beyond
-		 * End-of-device while looking for a whole page.
-		 * It is harmless.
-		 */
-		return -EINVAL;
-	}
-
+	WARN_ON_ONCE(page >= bitmap->pages);
 	if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
 		return 0;
 
@@ -1368,6 +1361,14 @@ __acquires(bitmap->lock)
 	sector_t csize;
 	int err;
 
+	if (page >= bitmap->pages) {
+		/*
+		 * This can happen if bitmap_start_sync goes beyond
+		 * End-of-device while looking for a whole page or
+		 * user set a huge number to sysfs bitmap_set_bits.
+		 */
+		return NULL;
+	}
 	err = md_bitmap_checkpage(bitmap, page, create, 0);
 
 	if (bitmap->bp[page].hijacked ||






