Hi!
> From: Zhang Shurong <zhang_shurong@xxxxxxxxxxx>
>
> [ Upstream commit 8b0472b50bcf0f19a5119b00a53b63579c8e1e4d ]
>
> If rddev->raid_disk is greater than mddev->raid_disks, there will be
> an out-of-bounds in raid1_remove_disk(). We have already found
> similar reports as follows:
>
> 1) commit d17f744e883b ("md-raid10: fix KASAN warning")
> 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
>
> Fix this bug by checking whether the "number" variable is
> valid.
> +++ b/drivers/md/raid1.c
> @@ -1775,6 +1775,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
> struct r1conf *conf = mddev->private;
> int err = 0;
> int number = rdev->raid_disk;
> +
> + if (unlikely(number >= conf->raid_disks))
> + goto abort;
> +
> struct raid1_info *p = conf->mirrors + number;
>
> if (rdev != p->rdev)
Wow. Mixing declarations and code. I'm pretty sure that's not ok
according to our coding style, and I'd be actually surprised if all
our compiler configurations allowed this.
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Attachment:
signature.asc
Description: PGP signature
