From: Song Liu
Date: Sun, 13 Aug 2023 20:13:59 +0400
Subject: Re: [PATCH v2] md: raid1: fix potential OOB in raid1_remove_disk()
To: Yu Kuai
Cc: Zhang Shurong, linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org, "yukuai (C)"
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 31, 2023 at 5:08 AM Yu Kuai wrote:
>
> Hi,
>
> On 2023/07/29 18:49, Song Liu wrote:
> > On Mon, Jul 24, 2023 at 10:12 AM Yu Kuai wrote:
> >>
> >> On 2023/07/22 15:53, Zhang Shurong wrote:
> >>> If rddev->raid_disk is greater than mddev->raid_disks, there will be
> >>> an out-of-bounds in raid1_remove_disk(). We have already found
> >>> similar reports as follows:
> >>>
> >>> 1) commit d17f744e883b ("md-raid10: fix KASAN warning")
> >>> 2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")
> >>>
> >>> Fix this bug by checking whether the "number" variable is
> >>> valid.
> >>
> >> LGTM
> >>
> >> Reviewed-by: Yu Kuai
> >>>
> >>> Signed-off-by: Zhang Shurong
> >>> ---
> >>> Changes in v2:
> >>> - Using conf->raid_disks instead of mddev->raid_disks.
> >>>
> >>> drivers/md/raid1.c | 4 ++++
> >>> 1 file changed, 4 insertions(+)
> >>>
> >>> diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c > >>> index dd25832eb045..80aeee63dfb7 100644 > >>> --- a/drivers/md/raid1.c > >>> +++ b/drivers/md/raid1.c 
> >>> @@ -1829,6 +1829,10 @@ static int raid1_remove_disk(struct mddev *mdd= ev, struct md_rdev *rdev) > >>> struct r1conf *conf =3D mddev->private; > >>> int err =3D 0; > >>> int number =3D rdev->raid_disk; > >>> + > >>> + if (unlikely(number >=3D conf->raid_disks)) > >>> + goto abort;
> >
> > We need err = -EINVAL here.
>
> I think return 0 is right here, so that caller can remove this rdev
> from array successfully, this only need to return error for the case
> -EBUSY.

Ah, that's right. Applied to md-next.

Thanks,
Song
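
Review bot: the new early exit at "goto abort" leaves err at its initial value of 0, so an out-of-range "number" is reported to the caller as success, and nothing in the hunk says that this is deliberate. The thread settles on 0 being the right return (only -EBUSY should be an error, so the caller can still remove the rdev), which is exactly the kind of decision a later reader will second-guess; a one-line comment above the check stating why success is returned would keep it from being "fixed" to -EINVAL. Separately, "number" is a signed int copied from rdev->raid_disk and the added check only bounds it from above; if a negative raid_disk can reach this function, the condition should also cover number < 0, otherwise the commit message should say that callers rule it out.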