On Fri, Dec 15, 2023 at 09:47:17PM +0000, Yang, Chenyuan wrote:
> Hello Linux Kernel community,
>
> We encountered a crash bug when testing the driver implemented in
> `drivers/md/dm-ioctl.c` by using Syzkaller. Notably, we generated the spec for
> this driver ourselves, and Syzkaller doesn't have a specification for it.
>
> Based on our understanding, this bug is caused by `dmi =
> kvmalloc(param_kernel->data_size, GFP_NOIO | __GFP_HIGH);` in
> `drivers/md/dm-ioctl.c`
> (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1966),
> which `kvmalloc`s a size of more than INT_MAX.
>
> A possible patch is to have a stricter check for
> `param_kernel->data_size` in `copy_params` before calling `kvmalloc`, while
> currently it only checks the minimal size
> (https://github.com/torvalds/linux/blob/3bd7d748816927202268cb335921f7f68b3ca723/drivers/md/dm-ioctl.c#L1944).
Great, submit a patch based on this and see if it solves the issue you reported!

thanks,

greg k-h
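As an added illustration of the check the report proposes (this is not code from the report or from the kernel), here is a user-space C model of the `data_size` validation in `copy_params`, with the minimum-only check beside a bounded one. The minimum of 312 bytes stands in for `sizeof(struct dm_ioctl)`, the 16 MiB maximum is an assumed bound, and `model_kvmalloc` mirrors `kvmalloc` refusing requests above INT_MAX.

```c
/* Added example, not kernel code: a user-space model of the data_size check in
 * dm-ioctl's copy_params(). MAX_PARAM_SIZE is an assumed illustrative bound. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define MINIMUM_DATA_SIZE 312U         /* stand-in for sizeof(struct dm_ioctl) */
#define MAX_PARAM_SIZE    (16U << 20)  /* assumed upper bound: 16 MiB */

/* Records the last size handed to the allocator, so a caller can observe
 * whether an oversized request reached it at all. */
size_t last_alloc_request;

/* Mimics kvmalloc(): the kernel refuses (and warns on) sizes above INT_MAX.
 * Here we just return NULL so the caller's behaviour can be compared. */
static void *model_kvmalloc(size_t size)
{
    last_alloc_request = size;
    if (size > INT_MAX)
        return NULL;             /* in the kernel this path also trips a WARN */
    return malloc(size);
}

/* Weak check, as in the reported code: only the minimum is validated, so a
 * data_size of up to 0xFFFFFFFF flows straight into the allocator. */
int copy_params_weak(uint32_t data_size, void **out)
{
    if (data_size < MINIMUM_DATA_SIZE)
        return -EINVAL;
    *out = model_kvmalloc(data_size);
    return *out ? 0 : -ENOMEM;
}

/* Bounded check: reject both too-small and too-large sizes before allocating,
 * so the allocator never sees a request it would refuse. */
int copy_params_checked(uint32_t data_size, void **out)
{
    if (data_size < MINIMUM_DATA_SIZE || data_size > MAX_PARAM_SIZE)
        return -EINVAL;
    *out = model_kvmalloc(data_size);
    return *out ? 0 : -ENOMEM;
}
```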
