Patch "dm table: fail dm_table_create on dm_round_up overflow" has been added to the 3.12-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Wed, 18 Dec 2013 11:36:48 -0800

This is a note to let you know that I've just added the patch titled

    dm table: fail dm_table_create on dm_round_up overflow

to the 3.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dm-table-fail-dm_table_create-on-dm_round_up-overflow.patch
and it can be found in the queue-3.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 5b2d06576c5410c10d95adfd5c4d8b24de861d87 Mon Sep 17 00:00:00 2001
From: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Date: Fri, 22 Nov 2013 19:52:06 -0500
Subject: dm table: fail dm_table_create on dm_round_up overflow

From: Mikulas Patocka <mpatocka@xxxxxxxxxx>

commit 5b2d06576c5410c10d95adfd5c4d8b24de861d87 upstream.

The dm_round_up function may overflow to zero.  In this case,
dm_table_create() must fail rather than go on to allocate an empty array
with alloc_targets().

This fixes a possible memory corruption that could be caused by passing
too large a number in "param->target_count".

Signed-off-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Signed-off-by: Mike Snitzer <snitzer@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/md/dm-table.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -200,6 +200,11 @@ int dm_table_create(struct dm_table **re
 
 	num_targets = dm_round_up(num_targets, KEYS_PER_NODE);
 
+	if (!num_targets) {
+		kfree(t);
+		return -ENOMEM;
+	}
+
 	if (alloc_targets(t, num_targets)) {
 		kfree(t);
 		return -ENOMEM;


Patches currently in stable-queue which might be from mpatocka@xxxxxxxxxx are

queue-3.12/dm-table-fail-dm_table_create-on-dm_round_up-overflow.patch
queue-3.12/dm-stats-initialize-read-only-module-parameter.patch
queue-3.12/dm-bufio-initialize-read-only-module-parameters.patch
queue-3.12/dm-snapshot-avoid-snapshot-space-leak-on-crash.patch
queue-3.12/dm-delay-fix-a-possible-deadlock-due-to-shared-workqueue.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







