Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp133768pxb;
        Thu, 7 Apr 2022 00:59:56 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwCcSXkW7aNKXnv4fOTn08/n/kQnZM59D2QNr8YK1FIQzIJPYILSypnT5A84EYRrrZxpPtz
X-Received: by 2002:a05:6402:1906:b0:418:ff14:62b8 with SMTP id e6-20020a056402190600b00418ff1462b8mr12993330edz.40.1649318396135;
        Thu, 07 Apr 2022 00:59:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649318396; cv=none;
        d=google.com; s=arc-20160816;
        b=p+pKPQSgvLcw3RMpz6ts0CTr/Gu5aOCHxnL+wvHAtvFi6qYaCcNg4y+nvK59nRQTyS
         F0QTiHv3Y9B0kx+Ghd+Mo9eXqT7YNnfMN/atN9gEMnCtLbySkj1P2mZ0vzbAGjKyeVFT
         MTZ+uh0YJ1kHPYG3BdHff25szlvmScM9Hkib0OU/kGCZGtgA/3xDcur3W/PCW8g52cGE
         iOpDBOIFQK4UuDqL+5dVrmfdD+iSaR1bhpFYzkuvaz8BNBMOf9El4utnIZAHlRQcTgYa
         StNoQRa9dP5LhXJ48r4dLypLoQkf4eBOgdGWkfwyrWolLch4L8phfoSMH0JPv4120gwD
         8KlA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=25lvFKd/SeIhzjaU4+KtgL11fM9gWhKBB/ohX+k58z8=;
        b=DlLo3tUL21zeGd4nXgwNkobkGzVJSy5SfEDYQWyskqNuhvy5iInb/rkiNiHVnye6fZ
         IrcP48+2sryql4G9uygX6YPnCj+mB1HN0fW47DBREES5e8p3lcGM0jZcibEHoCVDa6e+
         PvXzoeNQManc2nHusIN3TMQy0ppFl+uURP35cM6jqa9+s+5GXnQAJfeP/LRgokZHLlV3
         RvRV0zo1AGeGqW0wupEyr+weBU8QmVWHTibADgF8l10jZ8TL7hRB3QXb6bXw+E3+CBSb
         OQ57umGwu44EUlBYMZiA86/T7SlxijyRVFqUJ2woz7iphX6s+OaSIGpUz2pbIGMSRLni
         TDeQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w7-20020a509d87000000b00419014273b3si13156294ede.354.2022.04.07.00.59.31;
        Thu, 07 Apr 2022 00:59:56 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239771AbiDGDMb (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Wed, 6 Apr 2022 23:12:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51820 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233995AbiDGDM3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Apr 2022 23:12:29 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B662228AAF;
        Wed,  6 Apr 2022 20:10:30 -0700 (PDT)
Received: from kwepemi500016.china.huawei.com (unknown [172.30.72.56])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KYmYR1DzczgYNL;
        Thu,  7 Apr 2022 11:08:43 +0800 (CST)
Received: from localhost.localdomain (10.175.127.227) by
 kwepemi500016.china.huawei.com (7.221.188.220) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.24; Thu, 7 Apr 2022 11:10:27 +0800
From:   Zhang Wensheng <zhangwensheng5@huawei.com>
To:     <josef@toxicpanda.com>, <axboe@kernel.dk>
CC:     <linux-block@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <nbd@other.debian.org>
Subject: [PATCH -next v2] nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
Date:   Thu, 7 Apr 2022 11:25:05 +0800
Message-ID: <20220407032505.3797948-1-zhangwensheng5@huawei.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [10.175.127.227]
X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To
 kwepemi500016.china.huawei.com (7.221.188.220)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
        RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When 'index' is a big numbers, it may become negative which forced
to 'int'. then 'index << part_shift' might overflow to a positive
value that is not greater than '0xfffff', then sysfs might complains
about duplicate creation. Because of this, move the 'index' judgment
to the front will fix it and be better.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
---
v1->v2:
- add the line "disk->first_minor = index << part_shift;" which has
been deleted by mistake in v1.

 drivers/block/nbd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 5a1f98494ddd..9448aacbcf0f 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1800,17 +1800,7 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs)
 	refcount_set(&nbd->refs, 0);
 	INIT_LIST_HEAD(&nbd->list);
 	disk->major = NBD_MAJOR;
-
-	/* Too big first_minor can cause duplicate creation of
-	 * sysfs files/links, since index << part_shift might overflow, or
-	 * MKDEV() expect that the max bits of first_minor is 20.
-	 */
 	disk->first_minor = index << part_shift;
-	if (disk->first_minor < index || disk->first_minor > MINORMASK) {
-		err = -EINVAL;
-		goto out_free_work;
-	}
-
 	disk->minors = 1 << part_shift;
 	disk->fops = &nbd_fops;
 	disk->private_data = nbd;
@@ -1915,8 +1905,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
 	if (!netlink_capable(skb, CAP_SYS_ADMIN))
 		return -EPERM;
 
-	if (info->attrs[NBD_ATTR_INDEX])
+	if (info->attrs[NBD_ATTR_INDEX]) {
 		index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
+
+		/*
+		 * Too big first_minor can cause duplicate creation of
+		 * sysfs files/links, since index << part_shift might overflow, or
+		 * MKDEV() expect that the max bits of first_minor is 20.
+		 */
+		if (index < 0 || index > MINORMASK >> part_shift) {
+			printk(KERN_ERR "nbd: illegal input index %d\n", index);
+			return -EINVAL;
+		}
+	}
 	if (!info->attrs[NBD_ATTR_SOCKETS]) {
 		printk(KERN_ERR "nbd: must specify at least one socket\n");
 		return -EINVAL;
-- 
2.31.1