If rddev->raid_disk is greater than mddev->raid_disks, there will be
an out-of-bounds in multipath_remove_disk. We have already found
similar reports as follows:
1) commit d17f744e883b ("md-raid10: fix KASAN warning")
2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
Fix this bug by checking whether the "number" variable is
valid.
Signed-off-by: Zhang Shurong <zhang_shurong@xxxxxxxxxxx>
---
drivers/md/md-multipath.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/md/md-multipath.c b/drivers/md/md-multipath.c
index 92c45be203d7..7b6aadd8c1fb 100644
--- a/drivers/md/md-multipath.c
+++ b/drivers/md/md-multipath.c
@@ -245,7 +245,11 @@ static int multipath_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
struct mpconf *conf = mddev->private;
int err = 0;
int number = rdev->raid_disk;
- struct multipath_info *p = conf->multipaths + number;
+ struct multipath_info *p;
+
+ if (unlikely(number >= mddev->raid_disks))
+ return 0;
+ p = conf->multipaths + number;
print_multipath_conf(conf);
--
2.30.2
