On Sun, Mar 5, 2023 at 2:36 PM NeilBrown <neilb@xxxxxxx> wrote:
>
>
> slot_store() uses kstrtouint() to get a slot number, but stores the
> result in an "int" variable (by casting a pointer).
> This can result in a negative slot number if the unsigned int value is
> very large.
>
> A negative number means that the slot is empty, but setting a negative
> slot number this way will not remove the device from the array. I don't
> think this is a serious problem, but it could cause confusion and it is
> best to fix it.
>
> Reported-by: Dan Carpenter <error27@xxxxxxxxx>
> Signed-off-by: NeilBrown <neilb@xxxxxxx>
Applied to md-fixes. Thanks!
Song
> ---
> drivers/md/md.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/md/md.c b/drivers/md/md.c
> index 02b0240e7c71..d4bfa35fb20a 100644
> --- a/drivers/md/md.c
> +++ b/drivers/md/md.c
> @@ -3131,6 +3131,9 @@ slot_store(struct md_rdev *rdev, const char *buf, size_t len)
> err = kstrtouint(buf, 10, (unsigned int *)&slot);
> if (err < 0)
> return err;
> + if (slot < 0)
> + /* overflow */
> + return -ENOSPC;
> }
> if (rdev->mddev->pers && slot == -1) {
> /* Setting 'slot' on an active array requires also
> --
> 2.39.2
>
