From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Date: Tue, 4 Aug 2020 09:25:01 +0000 (+0900)
Subject: dm: don't call report zones for more than the user requested
X-Git-Tag: v5.7.17~117
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb7ad9a06715cede4273075bb73b2f7c40558a3f;p=thirdparty%2Fkernel%2Fstable.git

dm: don't call report zones for more than the user requested

commit a9cb9f4148ef6bb8fabbdaa85c42b2171fbd5a0d upstream.

Don't call report zones for more zones than the user actually requested,
otherwise this can lead to out-of-bounds accesses in the callback
functions.

Such a situation can happen if the target's ->report_zones() callback
function returns 0 because we've reached the end of the target and then
restart the report zones on the second target.

We're again calling into ->report_zones() and ultimately into the user
supplied callback function but when we're not subtracting the number of
zones already processed this may lead to out-of-bounds accesses in the
user callbacks.

Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Fixes: d41003513e61 ("block: rework zone reporting")
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index fabcc51b468c9..8d952bf059bea 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -503,7 +503,8 @@ static int dm_blk_report_zones(struct gendisk *disk, sector_t sector,
 		}
 
 		args.tgt = tgt;
-		ret = tgt->type->report_zones(tgt, &args, nr_zones);
+		ret = tgt->type->report_zones(tgt, &args,
+					      nr_zones - args.zone_idx);
 		if (ret < 0)
 			goto out;
 	} while (args.zone_idx < nr_zones &&