[PATCH OLK-6.6] dm-stripe: fix a possible integer overflow

26 Nov 2025

From: Mikulas Patocka <mpatocka@redhat.com>

mainline inclusion
from mainline-v6.17-rc7
commit 1071d560afb4c245c2076494226df47db5a35708
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID0U8Z
CVE: CVE-2025-39940

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

There's a possible integer overflow in stripe_io_hints if we have too
large chunk size. Test if the overflow happened, and if it did, don't set
limits->io_min and limits->io_opt;

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Suggested-by: Dongsheng Yang <dongsheng.yang@linux.dev>
Cc: stable@vger.kernel.org
Conflicts:
        drivers/md/dm-stripe.c
[Context conflicts]
Signed-off-by: Wang Tao <wangtao554@huawei.com>
---
 drivers/md/dm-stripe.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
index e2854a3cbd28..efc289c3a573 100644
--- a/drivers/md/dm-stripe.c
+++ b/drivers/md/dm-stripe.c
@@ -456,10 +456,13 @@ static void stripe_io_hints(struct dm_target *ti,
 			    struct queue_limits *limits)
 {
 	struct stripe_c *sc = ti->private;
-	unsigned int chunk_size = sc->chunk_size << SECTOR_SHIFT;
+	unsigned int io_min, io_opt;
 
-	blk_limits_io_min(limits, chunk_size);
-	blk_limits_io_opt(limits, chunk_size * sc->stripes);
+	if (!check_shl_overflow(sc->chunk_size, SECTOR_SHIFT, &io_min) &&
+		!check_mul_overflow(io_min, sc->stripes, &io_opt)) {
+			blk_limits_io_min(limits, io_min);
+			blk_limits_io_opt(limits, io_opt);
+	}
 }
 
 static struct target_type stripe_target = {
-- 
2.34.1

    