From: Zhang Wensheng
Subject: [PATCH -next] nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
Date: Thu, 10 Mar 2022 17:32:24 +0800
Message-ID: <20220310093224.4002895-1-zhangwensheng5@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When 'index' is a big number, it may become negative when forced to
'int'. Then 'index << part_shift' might overflow to a positive value
that is not greater than '0xfffff', and sysfs might complain about
duplicate creation. Because of this, moving the 'index' judgment to
the front will fix it and be better.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng
---
 drivers/block/nbd.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 5a1f98494ddd..b3cdfc0ffb98 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c
@@ -1800,17 +1800,6 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs) refcount_set(&nbd->refs, 0); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - - /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since index << part_shift might overflow, or - * MKDEV() expect that the max bits of first_minor is 20. - */ - disk->first_minor = index << part_shift; - if (disk->first_minor < index || disk->first_minor > MINORMASK) { - err = -EINVAL; - goto out_free_work; - } - disk->minors = 1 << part_shift; disk->fops = &nbd_fops; disk->private_data = nbd; @@ -1915,8 +1904,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) if (!netlink_capable(skb, CAP_SYS_ADMIN)) return -EPERM; - if (info->attrs[NBD_ATTR_INDEX]) + if (info->attrs[NBD_ATTR_INDEX]) { index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]); + + /* + * Too big first_minor can cause duplicate creation of + * sysfs files/links, since index << part_shift might overflow, or + * MKDEV() expect that the max bits of first_minor is 20. + */ + if (index < 0 || index > MINORMASK >> part_shift) { + printk(KERN_ERR "nbd: illegal input index %d\n", index); + return -EINVAL; + } + } if (!info->attrs[NBD_ATTR_SOCKETS]) { printk(KERN_ERR "nbd: must specify at least one socket\n"); return -EINVAL; -- 2.31.1
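Review bot: the block removed from nbd_dev_add() in the first hunk takes the assignment `disk->first_minor = index << part_shift;` out together with the range check, and nothing else in this patch sets first_minor again. Keep the assignment in nbd_dev_add() and drop only the check. Also, nbd_dev_add() receives index as a parameter, so once the check lives in nbd_genl_connect() only an index supplied through NBD_ATTR_INDEX is validated; if any other caller can pass a large index the shift can still overflow, so either keep a check in this function or add a comment stating why the remaining callers are safe.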
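Review bot: in the nbd_genl_connect() hunk the value from nla_get_u32() is stored into index before it is checked, so the `index < 0` test relies on the implicit unsigned-to-int conversion that the commit message describes as the source of the problem. Reading the attribute into a u32 local, comparing it against `MINORMASK >> part_shift`, and only then assigning it to index would make the bound explicit and remove the need for the negative test. The error message prints the value with %d, so a large user-supplied index is logged as a negative number; printing the raw attribute with %u would be clearer.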