authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-05-08 07:31:42 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-05-08 07:31:42 +0200
commit2bc2353bd65153a6efe01e16f9096bdc78c135ff (patch)
tree1eab58ec4495ea16f1f9e7b5308f9b3d3e0a4ee5
parent4b811835a2ffc24ed9dd20dd9b8b66c13e13daac (diff)
downloadstable-queue-2bc2353bd65153a6efe01e16f9096bdc78c135ff.tar.gz
5.4-stable patches
added patches: dm-fix-copying-after-src-array-boundaries.patch
-rw-r--r--queue-5.4/dm-fix-copying-after-src-array-boundaries.patch58
-rw-r--r--queue-5.4/series1
2 files changed, 59 insertions, 0 deletions
diff --git a/queue-5.4/dm-fix-copying-after-src-array-boundaries.patch b/queue-5.4/dm-fix-copying-after-src-array-boundaries.patch
new file mode 100644
index 00000000000..9adb22b58f2
--- /dev/null
+++ b/queue-5.4/dm-fix-copying-after-src-array-boundaries.patch
@@ -0,0 +1,58 @@
+From f1aff4bc199cb92c055668caed65505e3b4d2656 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Tue, 6 May 2025 11:31:50 +0000
+Subject: dm: fix copying after src array boundaries
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit f1aff4bc199cb92c055668caed65505e3b4d2656 upstream.
+
+The blammed commit copied to argv the size of the reallocated argv,
+instead of the size of the old_argv, thus reading and copying from
+past the old_argv allocated memory.
+
+Following BUG_ON was hit:
+[ 3.038929][ T1] kernel BUG at lib/string_helpers.c:1040!
+[ 3.039147][ T1] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+...
+[ 3.056489][ T1] Call trace:
+[ 3.056591][ T1] __fortify_panic+0x10/0x18 (P)
+[ 3.056773][ T1] dm_split_args+0x20c/0x210
+[ 3.056942][ T1] dm_table_add_target+0x13c/0x360
+[ 3.057132][ T1] table_load+0x110/0x3ac
+[ 3.057292][ T1] dm_ctl_ioctl+0x424/0x56c
+[ 3.057457][ T1] __arm64_sys_ioctl+0xa8/0xec
+[ 3.057634][ T1] invoke_syscall+0x58/0x10c
+[ 3.057804][ T1] el0_svc_common+0xa8/0xdc
+[ 3.057970][ T1] do_el0_svc+0x1c/0x28
+[ 3.058123][ T1] el0_svc+0x50/0xac
+[ 3.058266][ T1] el0t_64_sync_handler+0x60/0xc4
+[ 3.058452][ T1] el0t_64_sync+0x1b0/0x1b4
+[ 3.058620][ T1] Code: f800865e a9bf7bfd 910003fd 941f48aa (d4210000)
+[ 3.058897][ T1] ---[ end trace 0000000000000000 ]---
+[ 3.059083][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
+
+Fix it by copying the size of src, and not the size of dst, as it was.
+
+Fixes: 5a2a6c428190 ("dm: always update the array size in realloc_argv on success")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -574,9 +574,9 @@ static char **realloc_argv(unsigned *siz
+ }
+ argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+ if (argv) {
+- *size = new_size;
+ if (old_argv)
+ memcpy(argv, old_argv, *size * sizeof(*argv));
++ *size = new_size;
+ }
+
+ kfree(old_argv);
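Review bot: The memcpy immediately before the moved `*size = new_size;` now depends on `*size` still holding old_argv's element count, and nothing in the code says so, which is how the ordering was broken in the first place; a one-line comment above the memcpy would pin it: `/* *size is still old_argv's length here; update it only after the copy */`. The surrounding realloc_argv() begins before and continues past the quoted hunk, so the allocation-failure path (argv == NULL, *size untouched, old_argv freed) is outside this view and not assessed here. Since this is a stable-queue entry wrapping the upstream commit, the comment would belong in the upstream source rather than in the backport file.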
diff --git a/queue-5.4/series b/queue-5.4/series
index 89b1cc2c70e..9f468602cf7 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -30,3 +30,4 @@ usb-chipidea-ci_hdrc_imx-implement-usb_phy_init-erro.patch
serial-msm-configure-correct-working-mode-before-sta.patch
arm64-dts-rockchip-fix-iface-clock-name-on-px30-iomm.patch
iommu-amd-fix-potential-buffer-overflow-in-parse_ivr.patch
+dm-fix-copying-after-src-array-boundaries.patch