diff options
| author | Mikulas Patocka <mpatocka@redhat.com> | 2022-06-16 13:28:57 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-06-22 14:22:04 +0200 |
| commit | 0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9 (patch) | |
| tree | d0ed4e86f87d8962f3ea84487aab76632b080b5a | |
| parent | ccd1751092341ac120a961835211f9f2e3735963 (diff) | |
| download | linux-0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9.tar.gz linux-0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9.tar.bz2 linux-0d2209b54f1de0c2f99cab246d4cf2cfe24aaaa9.zip | |
dm mirror log: round up region bitmap size to BITS_PER_LONG
commit 85e123c27d5cbc22cfdc01de1e2ca1d9003a02d0 upstream.
The code in dm-log rounds up bitset_size to 32 bits. It then uses
find_next_zero_bit_le on the allocated region. find_next_zero_bit_le
accesses the bitmap using unsigned long pointers. So, on 64-bit
architectures, it may access 4 bytes beyond the allocated size.
Fix this bug by rounding up bitset_size to BITS_PER_LONG.
This bug was found by running the lvm2 testsuite with kasan.
Fixes: 29121bd0b00e ("[PATCH] dm mirror log: bitset_size fix")
Cc: stable@vger.kernel.org
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/md/dm-log.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/md/dm-log.c b/drivers/md/dm-log.c index 1ecf75ef276a..ccdd65148498 100644 --- a/drivers/md/dm-log.c +++ b/drivers/md/dm-log.c @@ -415,8 +415,7 @@ static int create_log_context(struct dm_dirty_log *log, struct dm_target *ti, /* * Work out how many "unsigned long"s we need to hold the bitset. */ - bitset_size = dm_round_up(region_count, - sizeof(*lc->clean_bits) << BYTE_SHIFT); + bitset_size = dm_round_up(region_count, BITS_PER_LONG); bitset_size >>= BYTE_SHIFT; lc->bitset_uint32_count = bitset_size / sizeof(*lc->clean_bits); |