From 5f254d2a693e3844eb22c1be588f588818677555 Mon Sep 17 00:00:00 2001
From: Li Nan <linan122@huawei.com>
Date: Tue, 28 Feb 2023 10:44:14 +0800
Subject: [PATCH] md/raid10: fix slab-out-of-bounds in md_bitmap_get_counter

hulk inclusion
category: bugfix
bugzilla: 188270, https://gitee.com/openeuler/kernel/issues/I6ECES
CVE: NA

--------------------------------

There is a bug if we write a large number to md/bitmap_set_bits.
md_bitmap_checkpage() returned -EINVAL if "page >= bitmap->pages", but the
return value was not checked immediately in md_bitmap_get_counter() in
order to set *blocks value. fix it by checking page before operate
bitmap.

Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
---
 drivers/md/md-bitmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index d377ea060925..4201d68b60f2 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -1365,6 +1365,9 @@ __acquires(bitmap->lock)
 	sector_t csize;
 	int err;
 
+	if (page >= bitmap->pages)
+		return NULL;
+
 	err = md_bitmap_checkpage(bitmap, page, create, 0);
 
 	if (bitmap->bp[page].hijacked ||
-- 
GitLab