projects / linux-drm-fsl-dcu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 65803c2)
dm raid: fix a couple integer overflows
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 29 May 2014 08:23:23 +0000 (11:23 +0300)
committerMike Snitzer <snitzer@redhat.com>
Mon, 9 Feb 2015 18:06:48 +0000 (13:06 -0500)
My static checker complains that if "num_raid_params" is UINT_MAX then
the "if (num_raid_params + 1 > argc) {" check doesn't work as intended.

The other change is that I moved the "if (argc != (num_raid_devs * 2))"
condition forward a few lines so it was before the call to
context_alloc().  If we had an integer overflow inside that function
then it would lead to an immediate crash.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
drivers/md/dm-raid.c patch | blob | history

diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index 07c0fa0fa284fbdc9e86673c219f99cd07a35f77..41acc9dd7342f1ab3bc0a05a04fc2892ba372ba4 100644 (file)
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -1243,7 +1243,7 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv)
        argv++;
 
        /* Skip over RAID params for now and find out # of devices */
-       if (num_raid_params + 1 > argc) {
+       if (num_raid_params >= argc) {
                ti->error = "Arguments do not agree with counts given";
                return -EINVAL;
        }
@@ -1254,6 +1254,12 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv)
                return -EINVAL;
        }
 
+       argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */
+       if (argc != (num_raid_devs * 2)) {
+               ti->error = "Supplied RAID devices does not match the count given";
+               return -EINVAL;
+       }
+
        rs = context_alloc(ti, rt, (unsigned)num_raid_devs);
        if (IS_ERR(rs))
                return PTR_ERR(rs);
@@ -1262,16 +1268,8 @@ static int raid_ctr(struct dm_target *ti, unsigned argc, char **argv)
        if (ret)
                goto bad;
 
-       ret = -EINVAL;
-
-       argc -= num_raid_params + 1; /* +1: we already have num_raid_devs */
        argv += num_raid_params + 1;
 
-       if (argc != (num_raid_devs * 2)) {
-               ti->error = "Supplied RAID devices does not match the count given";
-               goto bad;
-       }
-
        ret = dev_parms(rs, argv);
        if (ret)
                goto bad;
Freescale DCU DRM driver