From nobody Fri Jun 19 07:22:26 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 079F1C433F5 for ; Thu, 7 Apr 2022 03:11:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239794AbiDGDMb (ORCPT ); Wed, 6 Apr 2022 23:12:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233995AbiDGDM3 (ORCPT ); Wed, 6 Apr 2022 23:12:29 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B662228AAF; Wed, 6 Apr 2022 20:10:30 -0700 (PDT) Received: from kwepemi500016.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4KYmYR1DzczgYNL; Thu, 7 Apr 2022 11:08:43 +0800 (CST) Received: from localhost.localdomain (10.175.127.227) by kwepemi500016.china.huawei.com (7.221.188.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 7 Apr 2022 11:10:27 +0800 From: Zhang Wensheng To: , CC: , , Subject: [PATCH -next v2] nbd: fix possible overflow on 'first_minor' in nbd_dev_add() Date: Thu, 7 Apr 2022 11:25:05 +0800 Message-ID: <20220407032505.3797948-1-zhangwensheng5@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To kwepemi500016.china.huawei.com (7.221.188.220) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" When 'index' is a big numbers, it may become negative which forced to 'int'. then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Because of this, move the 'index' judgment to the front will fix it and be better. Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_d= ev_add()") Signed-off-by: Zhang Wensheng --- v1->v2: - add the line "disk->first_minor =3D index << part_shift;" which has been deleted by mistake in v1. drivers/block/nbd.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 5a1f98494ddd..9448aacbcf0f 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1800,17 +1800,7 @@ static struct nbd_device *nbd_dev_add(int index, uns= igned int refs) refcount_set(&nbd->refs, 0); INIT_LIST_HEAD(&nbd->list); disk->major =3D NBD_MAJOR; - - /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since index << part_shift might overflow, or - * MKDEV() expect that the max bits of first_minor is 20. - */ disk->first_minor =3D index << part_shift; - if (disk->first_minor < index || disk->first_minor > MINORMASK) { - err =3D -EINVAL; - goto out_free_work; - } - disk->minors =3D 1 << part_shift; disk->fops =3D &nbd_fops; disk->private_data =3D nbd; @@ -1915,8 +1905,19 @@ static int nbd_genl_connect(struct sk_buff *skb, str= uct genl_info *info) if (!netlink_capable(skb, CAP_SYS_ADMIN)) return -EPERM; =20 - if (info->attrs[NBD_ATTR_INDEX]) + if (info->attrs[NBD_ATTR_INDEX]) { index =3D nla_get_u32(info->attrs[NBD_ATTR_INDEX]); + + /* + * Too big first_minor can cause duplicate creation of + * sysfs files/links, since index << part_shift might overflow, or + * MKDEV() expect that the max bits of first_minor is 20. + */ + if (index < 0 || index > MINORMASK >> part_shift) { + printk(KERN_ERR "nbd: illegal input index %d\n", index); + return -EINVAL; + } + } if (!info->attrs[NBD_ATTR_SOCKETS]) { printk(KERN_ERR "nbd: must specify at least one socket\n"); return -EINVAL; --=20 2.31.1