Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Subject: Re: [PATCH] md: raid1: fix potential OOB in raid1_remove_disk()
To:     Zhang Shurong <zhang_shurong@foxmail.com>, song@kernel.org
Cc:     linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org,
        "yukuai (C)" <yukuai3@huawei.com>
References: <tencent_59C6505725F46EF26BE7B6E8C0363C2A1509@qq.com>
From:   Yu Kuai <yukuai1@huaweicloud.com>
Message-ID: <84626f1f-d8ae-4d60-81f1-9e4656f8dcf6@huaweicloud.com>
Date:   Mon, 17 Jul 2023 09:10:45 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <tencent_59C6505725F46EF26BE7B6E8C0363C2A1509@qq.com>
Content-Type: text/plain; charset=gbk; format=flowed
Content-Transfer-Encoding: 8bit
Precedence: bulk

Hi,

?? 2023/07/16 0:11, Zhang Shurong д??:
> If rddev->raid_disk is greater than mddev->raid_disks, there will be
> an out-of-bounds in raid1_remove_disk(). We have already found
> similar reports as follows:
> 
> 1) commit d17f744e883b ("md-raid10: fix KASAN warning")
> 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
> 
> Fix this bug by checking whether the "number" variable is
> valid.
> 
> Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
> ---
>   drivers/md/raid1.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
> index dd25832eb045..3e294dc408fa 100644
> --- a/drivers/md/raid1.c
> +++ b/drivers/md/raid1.c
> @@ -1829,6 +1829,10 @@ static int raid1_remove_disk(struct mddev *mddev, struct md_rdev *rdev)
>   	struct r1conf *conf = mddev->private;
>   	int err = 0;
>   	int number = rdev->raid_disk;
> +
> +	if (unlikely(number >= mddev->raid_disks))
> +		goto abort;
> +
This looks correct, but I prefer to use conf->raid_disks directly.

Thanks,
Kuai

>   	struct raid1_info *p = conf->mirrors + number;
>   
>   	if (rdev != p->rdev)
>