diff options
| author | Johannes Thumshirn <johannes.thumshirn@wdc.com> | 2020-08-04 18:25:01 +0900 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2020-08-04 16:31:12 -0400 |
| commit | a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d (patch) | |
| tree | b654fb3bc10227350f6dd79b519b2deda5a0b83c | |
| parent | 4cb6f22612511ff2aba4c33fb0f281cae7c23772 (diff) | |
| download | linux-a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d.tar.bz2 | |
dm: don't call report zones for more than the user requested
Don't call report zones for more zones than the user actually requested,
otherwise this can lead to out-of-bounds accesses in the callback
functions.
Such a situation can happen if the target's ->report_zones() callback
function returns 0 because we've reached the end of the target and then
restart the report zones on the second target.
We're again calling into ->report_zones() and ultimately into the user
supplied callback function but when we're not subtracting the number of
zones already processed this may lead to out-of-bounds accesses in the
user callbacks.
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Fixes: d41003513e61 ("block: rework zone reporting")
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
| -rw-r--r-- | drivers/md/dm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/md/dm.c b/drivers/md/dm.c index 52449afd58eb..937a4194442f 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -503,7 +503,8 @@ static int dm_blk_report_zones(struct gendisk *disk, sector_t sector, } args.tgt = tgt; - ret = tgt->type->report_zones(tgt, &args, nr_zones); + ret = tgt->type->report_zones(tgt, &args, + nr_zones - args.zone_idx); if (ret < 0) goto out; } while (args.zone_idx < nr_zones && |