nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

md: raid1: fix potential OOB in raid1_remove_disk()

Browse source 
If rddev->raid_disk is greater than mddev->raid_disks, there will be
an out-of-bounds in raid1_remove_disk(). We have already found
similar reports as follows:

1) commit d17f744e88 ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec0b ("dm raid: fix KASAN warning in raid5_remove_disk")

Fix this bug by checking whether the "number" variable is
valid.

Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/tencent_0D24426FAC6A21B69AC0C03CE4143A508F09@qq.com
Signed-off-by: Song Liu <song@kernel.org>
This commit is contained in:
Zhang Shurong 2023-07-22 15:53:53 +08:00 committed by Song Liu
parent a705b11b35
commit 8b0472b50b
1 changed files with 4 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

4
drivers/md/raid1.c
View file

@ -1837,6 +1837,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
struct r1conf *conf = mddev->private; struct r1conf *conf = mddev->private;
int err = 0; int err = 0;
int number = rdev->raid_disk; int number = rdev->raid_disk;
if (unlikely(number >= conf->raid_disks))
goto abort;
struct raid1_info *p = conf->mirrors + number; struct raid1_info *p = conf->mirrors + number;
if (rdev != p->rdev) if (rdev != p->rdev)