[PATCH 5.8 099/232] dm: dont call report zones for more than the user requested
From: Greg Kroah-Hartman
Date: Thu Aug 20 2020 - 09:47:59 EST
From: Johannes Thumshirn <johannes.thumshirn@xxxxxxx>
commit a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d upstream.
Don't call report zones for more zones than the user actually requested,
otherwise this can lead to out-of-bounds accesses in the callback
functions.
Such a situation can happen if the target's ->report_zones() callback
function returns 0 because we've reached the end of the target and then
restart the report zones on the second target.
We're again calling into ->report_zones() and ultimately into the user
supplied callback function but when we're not subtracting the number of
zones already processed this may lead to out-of-bounds accesses in the
user callbacks.
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@xxxxxxx>
Reviewed-by: Damien Le Moal <damien.lemoal@xxxxxxx>
Fixes: d41003513e61 ("block: rework zone reporting")
Cc: stable@xxxxxxxxxxxxxxx # v5.5+
Signed-off-by: Mike Snitzer <snitzer@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/md/dm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -504,7 +504,8 @@ static int dm_blk_report_zones(struct ge
}
args.tgt = tgt;
- ret = tgt->type->report_zones(tgt, &args, nr_zones);
+ ret = tgt->type->report_zones(tgt, &args,
+ nr_zones - args.zone_idx);
if (ret < 0)
goto out;
} while (args.zone_idx < nr_zones &&