disk_zone_set_cond() accesses zones_cond[zno] without verifying that zno is within the bounds of the zones_cond array. By contrast, bdev_zone_is_seq() does perform this check: if (zones_cond && zno < disk->nr_zones) If disk->nr_zones is reduced during device revalidation (e.g., after a zone configuration change) between bio submission and bio completion, the zno derived from bio->bi_iter.bi_sector in callers such as blk_zone_reset_bio_endio() and blk_zone_finish_bio_endio() can exceed the bounds of the reallocated zones_cond array, resulting in an out-of-bounds write. Add a bounds check consistent with bdev_zone_is_seq() to prevent this. Fixes: 0bf0e2e46668 ("block: track zone conditions") Signed-off-by: Adnan Jakati --- block/blk-zoned.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/block/blk-zoned.c b/block/blk-zoned.c index 8000c9469..9638c6e0c 100644 --- a/block/blk-zoned.c +++ b/block/blk-zoned.c @@ -163,6 +163,9 @@ static void disk_zone_set_cond(struct gendisk *disk, sector_t sector, if (zones_cond) { unsigned int zno = disk_zone_no(disk, sector); + if (zno >= disk->nr_zones) + goto out; + /* * The condition of a conventional, readonly and offline zones * never changes, so do nothing if the target zone is in one of @@ -178,6 +181,7 @@ static void disk_zone_set_cond(struct gendisk *disk, sector_t sector, break; } } +out: rcu_read_unlock(); } -- 2.39.5 (Apple Git-154)
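Review bot: in the first hunk, the new `if (zno >= disk->nr_zones) goto out;` compares against disk->nr_zones while zones_cond was obtained under rcu_read_lock(), so the check only closes the described revalidation window if nr_zones and the zones_cond pointer are published together (the same assumption bdev_zone_is_seq() makes with `zno < disk->nr_zones`). Please state in the commit message that this pairing holds, and add a one-line comment above the check saying the zone number can exceed nr_zones when a revalidation shrinks the zone count between bio submission and completion, since the bare bounds test does not tell a reader why an in-range sector could yield an out-of-range zone.

Review bot: in the second hunk, the `out:` label is placed outside the `if (zones_cond)` block and directly before rcu_read_unlock(), so the existing `break` paths fall through to it and the new goto still releases the RCU read lock; that is correct. As a style point, consider naming the label `unlock:` (or similar) so the single action it guards is obvious, and note that this label is reached only from the new bounds check.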