From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Zhang Wensheng <zhangwensheng5@huawei.com>,
Yu Kuai <yukuai3@huawei.com>, Josef Bacik <josef@toxicpanda.com>,
Jens Axboe <axboe@kernel.dk>,
Wen Yang <wenyang.linux@foxmail.com>
Subject: [PATCH 5.10 21/25] nbd: fix possible overflow on first_minor in nbd_dev_add()
Date: Thu, 23 Feb 2023 14:06:38 +0100 [thread overview]
Message-ID: <20230223130427.743152940@linuxfoundation.org> (raw)
In-Reply-To: <20230223130426.817998725@linuxfoundation.org>
From: Zhang Wensheng <zhangwensheng5@huawei.com>
commit 858f1bf65d3d9c00b5e2d8ca87dc79ed88267c98 upstream.
When 'index' is a big numbers, it may become negative which forced
to 'int'. then 'index << part_shift' might overflow to a positive
value that is not greater than '0xfffff', then sysfs might complains
about duplicate creation. Because of this, move the 'index' judgment
to the front will fix it and be better.
Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20220521073749.3146892-6-yukuai3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Wen Yang <wenyang.linux@foxmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/nbd.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1771,17 +1771,7 @@ static int nbd_dev_add(int index)
refcount_set(&nbd->refs, 1);
INIT_LIST_HEAD(&nbd->list);
disk->major = NBD_MAJOR;
-
- /* Too big first_minor can cause duplicate creation of
- * sysfs files/links, since index << part_shift might overflow, or
- * MKDEV() expect that the max bits of first_minor is 20.
- */
disk->first_minor = index << part_shift;
- if (disk->first_minor < index || disk->first_minor > MINORMASK) {
- err = -EINVAL;
- goto out_free_idr;
- }
-
disk->fops = &nbd_fops;
disk->private_data = nbd;
sprintf(disk->disk_name, "nbd%d", index);
@@ -1875,8 +1865,19 @@ static int nbd_genl_connect(struct sk_bu
if (!netlink_capable(skb, CAP_SYS_ADMIN))
return -EPERM;
- if (info->attrs[NBD_ATTR_INDEX])
+ if (info->attrs[NBD_ATTR_INDEX]) {
index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
+
+ /*
+ * Too big first_minor can cause duplicate creation of
+ * sysfs files/links, since index << part_shift might overflow, or
+ * MKDEV() expect that the max bits of first_minor is 20.
+ */
+ if (index < 0 || index > MINORMASK >> part_shift) {
+ printk(KERN_ERR "nbd: illegal input index %d\n", index);
+ return -EINVAL;
+ }
+ }
if (!info->attrs[NBD_ATTR_SOCKETS]) {
printk(KERN_ERR "nbd: must specify at least one socket\n");
return -EINVAL;
next prev parent reply other threads:[~2023-02-23 13:07 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-23 13:06 [PATCH 5.10 00/25] 5.10.170-rc1 review Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 01/25] drm/etnaviv: dont truncate physical page address Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 02/25] wifi: rtl8xxxu: gen2: Turn on the rate control Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 03/25] clk: mxl: Switch from direct readl/writel based IO to regmap based IO Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 04/25] clk: mxl: Remove redundant spinlocks Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 05/25] clk: mxl: Add option to override gate clks Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 06/25] clk: mxl: Fix a clk entry by adding relevant flags Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 07/25] powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 08/25] clk: mxl: syscon_node_to_regmap() returns error pointers Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 09/25] random: always mix cycle counter in add_latent_entropy() Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 10/25] KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 11/25] KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isnt valid Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 12/25] KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 13/25] can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 14/25] powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 15/25] drm/i915/gvt: fix double free bug in split_2MB_gtt_entry Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 16/25] mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 17/25] uaccess: Add speculation barrier to copy_from_user() Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 18/25] Revert "Revert "block: nbd: add sanity check for first_minor"" Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 19/25] nbd: fix max value for first_minor Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 20/25] nbd: fix possible overflow for first_minor in nbd_dev_add() Greg Kroah-Hartman
2023-02-23 13:06 ` Greg Kroah-Hartman [this message]
2023-02-23 13:06 ` [PATCH 5.10 22/25] wifi: mwifiex: Add missing compatible string for SD8787 Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 23/25] audit: update the mailing list in MAINTAINERS Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 24/25] ext4: Fix function prototype mismatch for ext4_feat_ktype Greg Kroah-Hartman
2023-02-23 13:06 ` [PATCH 5.10 25/25] Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230223130427.743152940@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=josef@toxicpanda.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=wenyang.linux@foxmail.com \
--cc=yukuai3@huawei.com \
--cc=zhangwensheng5@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).