On Sat, Jun 20, 2026 at 04:41:31PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <[email protected]>
>
> The BTT info block's nfree field, the number of reserve free blocks, is
> read from the medium without validation. btt_freelist_init() and
> btt_rtt_init() size the per-lane freelist[] and rtt[] arrays by nfree,
> but the I/O path indexes them by the lane from nd_region_acquire_lane(),
> which is bounded by nd_region->num_lanes (ND_MAX_LANES), not by nfree.
> A crafted or foreign arena whose nfree is below the lane count makes
> freelist[lane]/rtt[lane] run past the allocation: an out-of-bounds write.
>
> btt.rst documents the nlanes = min(nfree, num_cpus) invariant, which the
> code does not currently honor: num_lanes is ND_MAX_LANES regardless of
> nfree. Reject an arena whose nfree is below num_lanes at discovery,
> before the per-lane arrays are allocated, enforcing that invariant.
>
> Fixes: 5212e11fde4d ("nd_btt: atomic sector updates")
> Cc: [email protected]
> Signed-off-by: Bryam Vargas <[email protected]>
Hi Bryam,

Thanks for the patch. I reviewed and tested this against this branch,
which has a few other BTT fixups that'll land before this patch:

https://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm.git/log/?h=libnvdimm-for-next

All merged fine.

It did lead me to create a test case, so I won't ask you for that. I'll
copy you when I post the test patch for review.

Reviewed-by: Alison Schofield <[email protected]>
Tested-by: Alison Schofield <[email protected]>

--Alison
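The sizing mismatch the commit message describes, modelled in user space as an added example. This is not the kernel's BTT code and not the patch itself: the struct, the function names (arena_init_unchecked, arena_init_checked, btt_nfree_is_valid, btt_nlanes, count_oob_lanes) and the value given to ND_MAX_LANES are assumptions chosen to reproduce the shape of the report. The unchecked path sizes the per-lane arrays by nfree and then walks every lane up to num_lanes; instead of writing past the allocation it counts the lanes that would. The checked path applies the discovery-time rejection before allocating, and btt_nlanes shows the nlanes = min(nfree, num_cpus) rule that btt.rst documents.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not kernel code. ND_MAX_LANES reuses the kernel
 * constant's name; its value here is an assumption for the model.
 */
#define ND_MAX_LANES 256u

struct arena_model {
    uint32_t nfree;       /* from the on-medium info block: untrusted */
    uint32_t num_lanes;   /* region lane count, at most ND_MAX_LANES */
    uint32_t *freelist;   /* allocated with nfree entries, indexed by lane */
    uint32_t *rtt;        /* same sizing, same indexing */
};

/* The documented invariant: lanes an arena can serve given nfree. */
uint32_t btt_nlanes(uint32_t nfree, uint32_t num_cpus)
{
    return nfree < num_cpus ? nfree : num_cpus;
}

/* Discovery-time check: every lane needs its own freelist/rtt slot. */
int btt_nfree_is_valid(uint32_t nfree, uint32_t num_lanes)
{
    return nfree >= num_lanes;
}

/* Pre-fix path: per-lane arrays sized by nfree, lane count not consulted. */
int arena_init_unchecked(struct arena_model *a, uint32_t nfree, uint32_t num_lanes)
{
    memset(a, 0, sizeof(*a));
    a->nfree = nfree;
    a->num_lanes = num_lanes;
    a->freelist = calloc(nfree, sizeof(*a->freelist));
    a->rtt = calloc(nfree, sizeof(*a->rtt));
    if (!a->freelist || !a->rtt) {
        free(a->freelist);
        free(a->rtt);
        memset(a, 0, sizeof(*a));
        return -1;
    }
    return 0;
}

/* Fixed path: reject an undersized nfree before anything is allocated. */
int arena_init_checked(struct arena_model *a, uint32_t nfree, uint32_t num_lanes)
{
    if (num_lanes > ND_MAX_LANES || !btt_nfree_is_valid(nfree, num_lanes))
        return -1;
    return arena_init_unchecked(a, nfree, num_lanes);
}

/*
 * Simulated I/O over every lane the region can hand out. A lane whose
 * index is not below nfree has no slot in freelist[]/rtt[]; the real
 * code would write there, this model counts it instead. Nonzero means
 * out-of-bounds writes would have happened.
 */
uint32_t count_oob_lanes(struct arena_model *a)
{
    uint32_t oob = 0;
    for (uint32_t lane = 0; lane < a->num_lanes; lane++) {
        if (lane >= a->nfree) {
            oob++;
            continue;
        }
        a->freelist[lane] = lane;   /* in-bounds only */
        a->rtt[lane] = lane;
    }
    return oob;
}

void arena_free(struct arena_model *a)
{
    free(a->freelist);
    free(a->rtt);
    memset(a, 0, sizeof(*a));
}
```

With a constructed arena reporting nfree = 4 in a region of 8 lanes, the unchecked path allocates four slots and then serves lanes 4 through 7 with nowhere to write, which is the condition the patch rejects; the checked path refuses that arena and accepts one whose nfree covers every lane.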

