* [PATCH] dm: don't call report zones for more than the user requested
@ 2020-08-04  9:25 Johannes Thumshirn
  2020-08-04 10:17 ` Damien Le Moal
  0 siblings, 1 reply; 4+ messages in thread
From: Johannes Thumshirn @ 2020-08-04  9:25 UTC (permalink / raw)
  To: Mike Snitzer
  Cc: dm-devel, linux-block, Damien Le Moal, Naohiro Aota,
	Johannes Thumshirn

Don't call report zones for more zones than the user actually requested,
otherwise this can lead to out-of-bounds accesses in the callback
functions.

Such a situation can happen if the target's ->report_zones() callback
function returns 0 because we've reached the end of the target and then
restart the report zones on the second target.

We're again calling into ->report_zones() and ultimately into the user
supplied callback function but when we're not subtracting the number of
zones already processed this may lead to out-of-bounds accesses in the
user callbacks.

Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
---
 drivers/md/dm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index 5b9de2f71bb0..88b391ff9bea 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -504,7 +504,8 @@ static int dm_blk_report_zones(struct gendisk *disk, sector_t sector,
 		}
 
 		args.tgt = tgt;
-		ret = tgt->type->report_zones(tgt, &args, nr_zones);
+		ret = tgt->type->report_zones(tgt, &args,
+					      nr_zones - args.zone_idx);
 		if (ret < 0)
 			goto out;
 	} while (args.zone_idx < nr_zones &&
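Review bot: In the new call, `nr_zones - args.zone_idx` is only a valid count while `args.zone_idx` does not exceed `nr_zones`, and nothing in this hunk enforces that before the subtraction. The loop condition `args.zone_idx < nr_zones` covers the second and later passes, but only if every target's ->report_zones() callback stops at the count it was handed; if one overshoots on the final zone of a target, the loop exits correctly yet the invariant is undocumented. Please add a one-line comment above the call stating that the third argument is the number of zones still to report and that callbacks must not advance `zone_idx` beyond it. Since the commit message describes out-of-bounds accesses in user callbacks, a Fixes: tag naming the commit that introduced the loop would also help stable backports.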
-- 
2.26.2


Thread overview: 4+ messages
2020-08-04  9:25 [PATCH] dm: don't call report zones for more than the user requested Johannes Thumshirn
2020-08-04 10:17 ` Damien Le Moal
2020-08-04 11:26   ` Johannes Thumshirn
2020-08-04 14:36     ` Mike Snitzer