Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1116975pxb;
        Wed, 6 Apr 2022 09:06:35 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwa4EyiE6jX47zg+Uv4K+XPgIhYvEKR9ex8wPsY2vTEezH65bkgX43e1kHM4jFksA2yQVyO
X-Received: by 2002:a92:ae02:0:b0:2c6:798d:2be with SMTP id s2-20020a92ae02000000b002c6798d02bemr4202171ilh.18.1649261195014;
        Wed, 06 Apr 2022 09:06:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649261195; cv=none;
        d=google.com; s=arc-20160816;
        b=bhYmoYEtLTUKi4hiVQXAyJkvDN25q61VuJXHD/OohtDIOH5WpBzpwq2WDQjBjbZboE
         3Bf4NkFuof2flLiSjiOIPOSDDGcHR/+jOvHfhtQ3J5vsnWmdw+2RZqC7NS3M96SQIwUh
         EmB1DAGD1tE7SkxIbD9cK/tYxqeg8OlqTrewFpNyO+L/GeFi0qC5ehJ4FpAPM1zWDZmF
         TRzmM7Q5fD/OEBTeE2k+YnzQm0lVd8W0TJIiQpftQoDn3RDbzQEQ3JQ5078qx0D+MBQx
         UmKaY5H4XotFg+b+v/5OOACVbT2SjUa+25BTzbc1mip+yRlf5HMwj76wCE1He1hWJAk2
         Sy6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=hqefB1UbYIf1njYSsjlm+OwFOxauxUo91e+ViFgCFlY=;
        b=RYtu+PGwr6VdzBZdj4xI7lZDRRGKPQw4glpzlL2b+QKkWGTwBnmiH+q0CLkEMKaKNM
         eC0mX5SQ07u1bTnDu8V78Yf3yFocpCpoDSor6rA+PWhkq59wKdMGva1GDrjqNiSGNoq5
         0O6gftHcaqn6jN19wGhT28MeLivWgZgWoLlv7L4R+NzPdb9YX0Oz1TNciJA/CQ4J16rG
         B0uwXXL3Fa59QXT0vcgs+nZjFg4GdDfIZBsy1nSPPdGMDUJGuAv2qX3YE7wya/vTGzwX
         e76FYBss++nGWYyhmdyxkc42+RS2BOyZewuSjyHQkB3oytPPEJXUe/aw1PmgYDY+eJaH
         b3RQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id i1-20020a02c601000000b0031a7589f078si7851190jan.103.2022.04.06.09.06.34
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 09:06:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id B8CE913CCEA;
	Wed,  6 Apr 2022 07:42:48 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234835AbiDFOoZ (ORCPT <rfc822;02joepater06@gmail.com>
        + 99 others); Wed, 6 Apr 2022 10:44:25 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54026 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235095AbiDFOnq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Apr 2022 10:43:46 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C8CB35D0D3E;
        Wed,  6 Apr 2022 04:10:13 -0700 (PDT)
Received: from kwepemi500016.china.huawei.com (unknown [172.30.72.56])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KYMDm6WYWz4wmT;
        Wed,  6 Apr 2022 19:07:52 +0800 (CST)
Received: from localhost.localdomain (10.175.127.227) by
 kwepemi500016.china.huawei.com (7.221.188.220) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Wed, 6 Apr 2022 19:10:11 +0800
From:   Zhang Wensheng <zhangwensheng5@huawei.com>
To:     <josef@toxicpanda.com>, <axboe@kernel.dk>
CC:     <linux-block@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <nbd@other.debian.org>
Subject: [PATCH -next] nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
Date:   Wed, 6 Apr 2022 19:24:49 +0800
Message-ID: <20220406112449.2203191-1-zhangwensheng5@huawei.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To
 kwepemi500016.china.huawei.com (7.221.188.220)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE,
	SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When 'index' is a big numbers, it may become negative which forced
to 'int'. then 'index << part_shift' might overflow to a positive
value that is not greater than '0xfffff', then sysfs might complains
about duplicate creation. Because of this, move the 'index' judgment
to the front will fix it and be better.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
---
 drivers/block/nbd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 5a1f98494ddd..9448aacbcf0f 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1800,17 +1800,7 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs)
 	refcount_set(&nbd->refs, 0);
 	INIT_LIST_HEAD(&nbd->list);
 	disk->major = NBD_MAJOR;
-
-	/* Too big first_minor can cause duplicate creation of
-	 * sysfs files/links, since index << part_shift might overflow, or
-	 * MKDEV() expect that the max bits of first_minor is 20.
-	 */
 	disk->first_minor = index << part_shift;
-	if (disk->first_minor < index || disk->first_minor > MINORMASK) {
-		err = -EINVAL;
-		goto out_free_work;
-	}
-
 	disk->minors = 1 << part_shift;
 	disk->fops = &nbd_fops;
 	disk->private_data = nbd;
@@ -1915,8 +1905,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
 	if (!netlink_capable(skb, CAP_SYS_ADMIN))
 		return -EPERM;
 
-	if (info->attrs[NBD_ATTR_INDEX])
+	if (info->attrs[NBD_ATTR_INDEX]) {
 		index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
+
+		/*
+		 * Too big first_minor can cause duplicate creation of
+		 * sysfs files/links, since index << part_shift might overflow, or
+		 * MKDEV() expect that the max bits of first_minor is 20.
+		 */
+		if (index < 0 || index > MINORMASK >> part_shift) {
+			printk(KERN_ERR "nbd: illegal input index %d\n", index);
+			return -EINVAL;
+		}
+	}
 	if (!info->attrs[NBD_ATTR_SOCKETS]) {
 		printk(KERN_ERR "nbd: must specify at least one socket\n");
 		return -EINVAL;
-- 
2.31.1