From: Song Liu
Date: Fri, 19 May 2023 14:20:11 -0700
Subject: Re: [PATCH OLK-5.10 v3 1/4] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter
To: linan666@huaweicloud.com
Cc: neilb@suse.de, Rob.Becker@riverbed.com, linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com
In-Reply-To: <20230515134808.3936750-2-linan666@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, May 15, 2023 at 6:49 AM wrote:
> > From: Li Nan > > If we write a large number to md/bitmap_set_bits, md_bitmap_checkpage() > will return -EINVAL because 'page >=3D bitmap->pages', but the return val= ue > was not checked immediately in md_bitmap_get_counter() in order to set > *blocks value and slab-out-of-bounds occurs. > > Move check of 'page >=3D bitmap->pages' to md_bitmap_get_counter() and > return directly if true. > > Fixes: ef4256733506 ("md/bitmap: optimise scanning of empty bitmaps.") > Signed-off-by: Li Nan > Reviewed-by: Yu Kuai > --- > drivers/md/md-bitmap.c | 17 +++++++++-------- > 1 file changed, 9 insertions(+), 8 deletions(-) > > diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c > index 920bb68156d2..e122b19c124d 100644 > --- a/drivers/md/md-bitmap.c > +++ b/drivers/md/md-bitmap.c > @@ -46,6 +46,7 @@ static inline char *bmname(struct bitmap *bitmap) > * > * if we find our page, we increment the page's refcount so that it stay= s > * allocated while we're using it > + * the caller must make sure 'page < bimap->pages' > */ I removed this comment, and added WARN_ON_ONCE(). Thanks, Song > static int md_bitmap_checkpage(struct bitmap_counts *bitmap, > unsigned long page, int create, int no_hij= ack) > @@ -54,14 +55,6 @@ __acquires(bitmap->lock) > { > unsigned char *mappage; > > - if (page >=3D bitmap->pages) { > - /* This can happen if bitmap_start_sync goes beyond > - * End-of-device while looking for a whole page. > - * It is harmless. > - */ > - return -EINVAL; > - } > - > if (bitmap->bp[page].hijacked) /* it's hijacked, don't try to all= oc */ > return 0; 
> > @@ -1387,6 +1380,14 @@ __acquires(bitmap->lock) > sector_t csize; > int err; > > + if (page >=3D bitmap->pages) { > + /* > + * This can happen if bitmap_start_sync goes beyond > + * End-of-device while looking for a whole page or > + * user set a huge number to sysfs bitmap_set_bits. > + */ > + return NULL; > + } > err =3D md_bitmap_checkpage(bitmap, page, create, 0); > > if (bitmap->bp[page].hijacked || > -- > 2.31.1 >
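Review bot: The comment line added to the md_bitmap_checkpage() header in the first hunk misspells the field as 'bimap->pages'; it should read 'bitmap->pages'. A comment on its own also does not enforce the precondition, so an assertion on 'page >= bitmap->pages' inside md_bitmap_checkpage(), such as the WARN_ON_ONCE() mentioned in the reply, states the contract and checks it in one place.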
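Review bot: With the range check deleted in the second hunk, the first remaining statement 'if (bitmap->bp[page].hijacked)' indexes bp[] with a page value that md_bitmap_checkpage() no longer validates. The patch only shows md_bitmap_get_counter() taking over the check, so the commit message should state that it is the only caller, or the function should keep a defensive check, otherwise any other call site inherits an unchecked array index.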
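Review bot: The early 'return NULL' added in the third hunk leaves md_bitmap_get_counter() before *blocks is assigned, while the commit message explains that the old code delayed the error check precisely in order to set *blocks. A caller that uses *blocks to step forward after a NULL return would then read a value this function never wrote, so consider assigning *blocks before returning. As a style point, a blank line between the closing brace of the new block and 'err = md_bitmap_checkpage(...)' would match the surrounding code.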