Received: by 2002:a05:6512:2355:0:0:0:0 with SMTP id p21csp206182lfu; Wed, 30 Mar 2022 20:56:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxiQ4vx8CQ+yQ+36d68KSK+48rk0NDnOzPu9ZFz3QS8sd52vZWnZZojYg4GHmbOXdiKnQnQ X-Received: by 2002:a63:9203:0:b0:386:3b37:76b5 with SMTP id o3-20020a639203000000b003863b3776b5mr9307747pgd.234.1648698991279; Wed, 30 Mar 2022 20:56:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648698991; cv=none; d=google.com; s=arc-20160816; b=hAzH4XDPFl81qG/3gEQbSrlbplNEslRwZwHk1yca6G6flhKBS+h6sIeTrgdr3s3QiR JHwTm5o5VBThWUm7iStmIgh/pjzE3NEH8YBFz9R861u0yl/aXglDl453AvM5G6B6UfPi PHsEMzRz9zWj/2UXf8qkT/WtNnX+o6p9lsfO4EBRF/y62VTUIgqmFQF7wzXu1I/ZEclh K61eMJjMob+6eQ/T9KCyxagSQc4Mt7RB9VaD13czW+d2+sJofk/dbW+4EHDsOLBt6LHI jxFQRRD56Bk1ltxdcr11aBFzPT353cwpXBGyjUVIzm8NU/T/w8wenZFQmiOrUtjoF9HF lHog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:subject:user-agent:mime-version:date:message-id; bh=JMBi9HqBt4nKwJSPKA8X5u9CMqKTJTMncyHBmGnJbLA=; b=agKuyRJGE0HbLzG4hXCmpmwnyY71m7dL1BokcrUcLmXHeNYFsqFPiUwprqJhFm6V43 /sM3b4DMmEhlkZtJBy0t80dfY+fU0DurXluxUQVRsmGX5F+NRnwlrR8c3YzHqd+f/BuV na63/tzJ18A5pgAXQDX+905E1+pRw/NO4uli/R3B/eeDlInulUsdDcrn0x8kZyJ2K6YV QMOUAfdlI0Q5ig7GhEiKMeUmD3lbhGKZIGD74Jk4Cke7gseIx8LxtkAGkXb/8xE0EzYv rbfbz+DdOAt7gfYVZPhErdzFM5pF/xqrSkhPV3j8PWCDZEIYjtfmurmaT9VZaxzxs14W NV9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id y1-20020a655a01000000b003982527600dsi19761495pgs.185.2022.03.30.20.56.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Mar 2022 20:56:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 9FB8616CE6C; Wed, 30 Mar 2022 20:08:27 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1352129AbiCaArV (ORCPT + 99 others); Wed, 30 Mar 2022 20:47:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1351584AbiCaArS (ORCPT ); Wed, 30 Mar 2022 20:47:18 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2795655BF3; Wed, 30 Mar 2022 17:45:32 -0700 (PDT) Received: from kwepemi500016.china.huawei.com (unknown [172.30.72.53]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KTPfq52lDzCqxX; Thu, 31 Mar 2022 08:43:15 +0800 (CST) Received: from [10.174.176.103] (10.174.176.103) by kwepemi500016.china.huawei.com (7.221.188.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Thu, 31 Mar 2022 08:45:28 +0800 Message-ID: <4f9e579e-1604-4bd4-f988-cb038e3ebdc3@huawei.com> Date: Thu, 31 Mar 2022 08:45:27 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1 Subject: Re: [PATCH -next] nbd: fix possible overflow on 'first_minor' in nbd_dev_add() From: "zhangwensheng (E)" To: , CC: , , , References: <20220310093224.4002895-1-zhangwensheng5@huawei.com> <0e5faf35-5adb-3ea1-9f7f-7c4f61a623b2@huawei.com> <8139ea99-09fa-eb84-e9ef-f1fb470b5b88@huawei.com> In-Reply-To: <8139ea99-09fa-eb84-e9ef-f1fb470b5b88@huawei.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.176.103] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To kwepemi500016.china.huawei.com (7.221.188.220) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org friendly ping... 在 2022/3/17 21:05, zhangwensheng (E) 写道: > friendly ping... > > 在 2022/3/11 10:43, zhangwensheng (E) 写道: >> friendly ping... >> >> 在 2022/3/10 17:32, Zhang Wensheng 写道: >>> When 'index' is a big numbers, it may become negative which forced >>> to 'int'. then 'index << part_shift' might overflow to a positive >>> value that is not greater than '0xfffff', then sysfs might complains >>> about duplicate creation. Because of this, move the 'index' judgment >>> to the front will fix it and be better. >>> >>> Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") >>> Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' >>> in nbd_dev_add()") >>> Signed-off-by: Zhang Wensheng >>> --- >>>   drivers/block/nbd.c | 24 ++++++++++++------------ >>>   1 file changed, 12 insertions(+), 12 deletions(-) >>> >>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c >>> index 5a1f98494ddd..b3cdfc0ffb98 100644 >>> --- a/drivers/block/nbd.c >>> +++ b/drivers/block/nbd.c >>> @@ -1800,17 +1800,6 @@ static struct nbd_device *nbd_dev_add(int >>> index, unsigned int refs) >>>       refcount_set(&nbd->refs, 0); >>>       INIT_LIST_HEAD(&nbd->list); >>>       disk->major = NBD_MAJOR; >>> - >>> -    /* Too big first_minor can cause duplicate creation of >>> -     * sysfs files/links, since index << part_shift might overflow, or >>> -     * MKDEV() expect that the max bits of first_minor is 20. >>> -     */ >>> -    disk->first_minor = index << part_shift; >>> -    if (disk->first_minor < index || disk->first_minor > MINORMASK) { >>> -        err = -EINVAL; >>> -        goto out_free_work; >>> -    } >>> - >>>       disk->minors = 1 << part_shift; >>>       disk->fops = &nbd_fops; >>>       disk->private_data = nbd; >>> @@ -1915,8 +1904,19 @@ static int nbd_genl_connect(struct sk_buff >>> *skb, struct genl_info *info) >>>       if (!netlink_capable(skb, CAP_SYS_ADMIN)) >>>           return -EPERM; >>>   -    if (info->attrs[NBD_ATTR_INDEX]) >>> +    if (info->attrs[NBD_ATTR_INDEX]) { >>>           index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]); >>> + >>> +        /* >>> +         * Too big first_minor can cause duplicate creation of >>> +         * sysfs files/links, since index << part_shift might >>> overflow, or >>> +         * MKDEV() expect that the max bits of first_minor is 20. >>> +         */ >>> +        if (index < 0 || index > MINORMASK >> part_shift) { >>> +            printk(KERN_ERR "nbd: illegal input index %d\n", index); >>> +            return -EINVAL; >>> +        } >>> +    } >>>       if (!info->attrs[NBD_ATTR_SOCKETS]) { >>>           printk(KERN_ERR "nbd: must specify at least one socket\n"); >>>           return -EINVAL; >> . > .