Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp133768pxb; Thu, 7 Apr 2022 00:59:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwCcSXkW7aNKXnv4fOTn08/n/kQnZM59D2QNr8YK1FIQzIJPYILSypnT5A84EYRrrZxpPtz X-Received: by 2002:a05:6402:1906:b0:418:ff14:62b8 with SMTP id e6-20020a056402190600b00418ff1462b8mr12993330edz.40.1649318396135; Thu, 07 Apr 2022 00:59:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649318396; cv=none; d=google.com; s=arc-20160816; b=p+pKPQSgvLcw3RMpz6ts0CTr/Gu5aOCHxnL+wvHAtvFi6qYaCcNg4y+nvK59nRQTyS F0QTiHv3Y9B0kx+Ghd+Mo9eXqT7YNnfMN/atN9gEMnCtLbySkj1P2mZ0vzbAGjKyeVFT MTZ+uh0YJ1kHPYG3BdHff25szlvmScM9Hkib0OU/kGCZGtgA/3xDcur3W/PCW8g52cGE iOpDBOIFQK4UuDqL+5dVrmfdD+iSaR1bhpFYzkuvaz8BNBMOf9El4utnIZAHlRQcTgYa StNoQRa9dP5LhXJ48r4dLypLoQkf4eBOgdGWkfwyrWolLch4L8phfoSMH0JPv4120gwD 8KlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=25lvFKd/SeIhzjaU4+KtgL11fM9gWhKBB/ohX+k58z8=; b=DlLo3tUL21zeGd4nXgwNkobkGzVJSy5SfEDYQWyskqNuhvy5iInb/rkiNiHVnye6fZ IrcP48+2sryql4G9uygX6YPnCj+mB1HN0fW47DBREES5e8p3lcGM0jZcibEHoCVDa6e+ PvXzoeNQManc2nHusIN3TMQy0ppFl+uURP35cM6jqa9+s+5GXnQAJfeP/LRgokZHLlV3 RvRV0zo1AGeGqW0wupEyr+weBU8QmVWHTibADgF8l10jZ8TL7hRB3QXb6bXw+E3+CBSb OQ57umGwu44EUlBYMZiA86/T7SlxijyRVFqUJ2woz7iphX6s+OaSIGpUz2pbIGMSRLni TDeQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w7-20020a509d87000000b00419014273b3si13156294ede.354.2022.04.07.00.59.31; Thu, 07 Apr 2022 00:59:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239771AbiDGDMb (ORCPT + 99 others); Wed, 6 Apr 2022 23:12:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233995AbiDGDM3 (ORCPT ); Wed, 6 Apr 2022 23:12:29 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B662228AAF; Wed, 6 Apr 2022 20:10:30 -0700 (PDT) Received: from kwepemi500016.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KYmYR1DzczgYNL; Thu, 7 Apr 2022 11:08:43 +0800 (CST) Received: from localhost.localdomain (10.175.127.227) by kwepemi500016.china.huawei.com (7.221.188.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 7 Apr 2022 11:10:27 +0800 From: Zhang Wensheng To: , CC: , , Subject: [PATCH -next v2] nbd: fix possible overflow on 'first_minor' in nbd_dev_add() Date: Thu, 7 Apr 2022 11:25:05 +0800 Message-ID: <20220407032505.3797948-1-zhangwensheng5@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To kwepemi500016.china.huawei.com (7.221.188.220) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When 'index' is a big numbers, it may become negative which forced to 'int'. then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Because of this, move the 'index' judgment to the front will fix it and be better. Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()") Signed-off-by: Zhang Wensheng --- v1->v2: - add the line "disk->first_minor = index << part_shift;" which has been deleted by mistake in v1. drivers/block/nbd.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 5a1f98494ddd..9448aacbcf0f 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1800,17 +1800,7 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs) refcount_set(&nbd->refs, 0); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - - /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since index << part_shift might overflow, or - * MKDEV() expect that the max bits of first_minor is 20. - */ disk->first_minor = index << part_shift; - if (disk->first_minor < index || disk->first_minor > MINORMASK) { - err = -EINVAL; - goto out_free_work; - } - disk->minors = 1 << part_shift; disk->fops = &nbd_fops; disk->private_data = nbd; @@ -1915,8 +1905,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) if (!netlink_capable(skb, CAP_SYS_ADMIN)) return -EPERM; - if (info->attrs[NBD_ATTR_INDEX]) + if (info->attrs[NBD_ATTR_INDEX]) { index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]); + + /* + * Too big first_minor can cause duplicate creation of + * sysfs files/links, since index << part_shift might overflow, or + * MKDEV() expect that the max bits of first_minor is 20. + */ + if (index < 0 || index > MINORMASK >> part_shift) { + printk(KERN_ERR "nbd: illegal input index %d\n", index); + return -EINVAL; + } + } if (!info->attrs[NBD_ATTR_SOCKETS]) { printk(KERN_ERR "nbd: must specify at least one socket\n"); return -EINVAL; -- 2.31.1