From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , Dan Carpenter , Christoph Hellwig , Jens Axboe , Sasha Levin Subject: [PATCH 5.11 386/601] ataflop: potential out of bounds in do_format() Date: Wed, 12 May 2021 16:47:43 +0200 Message-Id: <20210512144840.505988507@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144827.811958675@linuxfoundation.org> References: <20210512144827.811958675@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit 1ffec389a6431782a8a28805830b6fae9bf00af1 ] The function uses "type" as an array index: q = unit[drive].disk[type]->queue; Unfortunately the bounds check on "type" isn't done until later in the function. Fix this by moving the bounds check to the start. Fixes: bf9c0538e485 ("ataflop: use a separate gendisk for each media format") Reported-by: kernel test robot Signed-off-by: Dan Carpenter Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- drivers/block/ataflop.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c index 104b713f4055..aed2c2a4f4ea 100644 --- a/drivers/block/ataflop.c +++ b/drivers/block/ataflop.c @@ -729,8 +729,12 @@ static int do_format(int drive, int type, struct atari_format_descr *desc) unsigned long flags; int ret; - if (type) + if (type) { type--; + if (type >= NUM_DISK_MINORS || + minor2disktype[type].drive_types > DriveType) + return -EINVAL; + } q = unit[drive].disk[type]->queue; blk_mq_freeze_queue(q); 
@@ -742,11 +746,6 @@ static int do_format(int drive, int type, struct atari_format_descr *desc) local_irq_restore(flags); if (type) { - if (type >= NUM_DISK_MINORS || - minor2disktype[type].drive_types > DriveType) { - ret = -EINVAL; - goto out; - } type = minor2disktype[type].index; UDT = &atari_disk_type[type]; } -- 2.30.2
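Review bot: In the first hunk (do_format(), at the relocated check near line 729), `type` is a signed `int` and the new test `type >= NUM_DISK_MINORS` bounds it only from above. A negative `type` passes `if (type)`, is decremented, and still indexes `minor2disktype[type]` and then `unit[drive].disk[type]`. Unless every caller guarantees a non-negative value, suggest adding `type < 0 ||` to the condition or making the parameter unsigned. `drive` is also used as an index into `unit[]` with no bounds check visible in this hunk, so it is worth stating where that one is validated.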
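Review bot: In the second hunk (near line 742), the remaining `if (type)` tests the value after the `type--` done in the first hunk, so a requested type of 1 becomes 0 and skips both the `minor2disktype[type].index` lookup and the `UDT` assignment. The removed lines show the same condition before the patch, so this is not new, but with validation now at the top of the function it is a good moment to confirm that skipping is intended and to add a short comment that `type` is a zero-based index at this point, or to carry the "a type was requested" condition in a separate flag.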