mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 05:44:11 +00:00
md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
[ Upstream commit301867b1c1
] If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() will return -EINVAL because 'page >= bitmap->pages', but the return value was not checked immediately in md_bitmap_get_counter() in order to set *blocks value and slab-out-of-bounds occurs. Move check of 'page >= bitmap->pages' to md_bitmap_get_counter() and return directly if true. Fixes:ef42567335
("md/bitmap: optimise scanning of empty bitmaps.") Signed-off-by: Li Nan <linan122@huawei.com> Reviewed-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Song Liu <song@kernel.org> Link: https://lore.kernel.org/r/20230515134808.3936750-2-linan666@huaweicloud.com Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
e1379e067b
commit
be1a3ec63a
1 changed files with 9 additions and 8 deletions
|
@ -54,14 +54,7 @@ __acquires(bitmap->lock)
|
|||
{
|
||||
unsigned char *mappage;
|
||||
|
||||
if (page >= bitmap->pages) {
|
||||
/* This can happen if bitmap_start_sync goes beyond
|
||||
* End-of-device while looking for a whole page.
|
||||
* It is harmless.
|
||||
*/
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
WARN_ON_ONCE(page >= bitmap->pages);
|
||||
if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to alloc */
|
||||
return 0;
|
||||
|
||||
|
@ -1364,6 +1357,14 @@ __acquires(bitmap->lock)
|
|||
sector_t csize;
|
||||
int err;
|
||||
|
||||
if (page >= bitmap->pages) {
|
||||
/*
|
||||
* This can happen if bitmap_start_sync goes beyond
|
||||
* End-of-device while looking for a whole page or
|
||||
* user set a huge number to sysfs bitmap_set_bits.
|
||||
*/
|
||||
return NULL;
|
||||
}
|
||||
err = md_bitmap_checkpage(bitmap, page, create, 0);
|
||||
|
||||
if (bitmap->bp[page].hijacked ||
|
||||
|
|
Loading…
Reference in a new issue