From: Mike Snitzer <snitzer@redhat.com>
To: tang.junhui@zte.com.cn
Cc: zhang.kai16@zte.com.cn, dm-devel@redhat.com, agk@redhat.com
Subject: Re: dm mpath: add check for count of groups to avoid wild pointer access
Date: Thu, 3 Nov 2016 11:24:37 -0400 [thread overview]
Message-ID: <20161103152436.GB21719@redhat.com> (raw)
In-Reply-To: <1478170170-4748-1-git-send-email-tang.junhui@zte.com.cn>
On Thu, Nov 03 2016 at 6:49am -0400,
tang.junhui@zte.com.cn <tang.junhui@zte.com.cn> wrote:
> From: "tang.junhui" <tang.junhui@zte.com.cn>
>
> pg is not assigned to a group address when count of multipath groups
> is zero in bypass_pg_num(), then it is used in bypass_pg(), which may
> cause wild pointer access.
>
> Signed-off-by: tang.junhui <tang.junhui@zte.com.cn>
> ---
> drivers/md/dm-mpath.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
> index d376dc8..8c1359c 100644
> --- a/drivers/md/dm-mpath.c
> +++ b/drivers/md/dm-mpath.c
> @@ -1084,7 +1084,7 @@ static int switch_pg_num(struct multipath *m, const char *pgstr)
> char dummy;
>
> if (!pgstr || (sscanf(pgstr, "%u%c", &pgnum, &dummy) != 1) || !pgnum ||
> - (pgnum > m->nr_priority_groups)) {
> + !m->nr_priority_groups || (pgnum > m->nr_priority_groups)) {
> DMWARN("invalid PG number supplied to switch_pg_num");
> return -EINVAL;
> }
> --
> 2.8.1.windows.1
>
>
You mention bypass_pg_num() going on to hit a NULL/"wild" pointer. Not
immediately seeing the relation between switch_pg_num() and
bypass_pg_num(). But shouldn't bypass_pg_num() have improved bounds
checking (and/or NULL pointer checks) too?
Maybe your patch was applied with an offset and it modified
switch_pg_num() when you really meant to modify bypass_pg_num()?
next prev parent reply other threads:[~2016-11-03 15:24 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-03 10:49 [PATCH] dm mpath: add check for count of groups to avoid wild pointer access tang.junhui
2016-11-03 15:24 ` Mike Snitzer [this message]
2016-11-04 4:11 ` 答复: " tang.junhui
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161103152436.GB21719@redhat.com \
--to=snitzer@redhat.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=tang.junhui@zte.com.cn \
--cc=zhang.kai16@zte.com.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.