Hi
I'd like to ask you to also backport f1aff4bc199cb92c055668caed65505e3b4d2656 ("dm: fix copying after src array boundaries") to all stable branches because it fixes a bug introduced in the commit 5a2a6c428190f945c5cbf5791f72dbea83e97f66.
Mikulas
On Wed, 7 May 2025, Greg Kroah-Hartman wrote:
6.14-stable review patch. If anyone has any objections, please let me know.
From: Benjamin Marzinski bmarzins@redhat.com
commit 5a2a6c428190f945c5cbf5791f72dbea83e97f66 upstream.
realloc_argv() was only updating the array size if it was called with old_argv already allocated. The first time it was called to create an argv array, it would allocate the array but return the array size as zero. dm_split_args() would think that it couldn't store any arguments in the array and would call realloc_argv() again, causing it to reallocate the initial slots (this time using GPF_KERNEL) and finally return a size. Aside from being wasteful, this could cause deadlocks on targets that need to process messages without starting new IO. Instead, realloc_argv should always update the allocated array size on success.
Fixes: a0651926553c ("dm table: don't copy from a NULL pointer in realloc_argv()") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Marzinski bmarzins@redhat.com Signed-off-by: Mikulas Patocka mpatocka@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/md/dm-table.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -523,9 +523,10 @@ static char **realloc_argv(unsigned int gfp = GFP_NOIO; } argv = kmalloc_array(new_size, sizeof(*argv), gfp);
- if (argv && old_argv) {
memcpy(argv, old_argv, *size * sizeof(*argv));
- if (argv) { *size = new_size;
if (old_argv)memcpy(argv, old_argv, *size * sizeof(*argv));kfree(old_argv);