From nobody Fri Jun 19 23:49:05 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D07DC433FE for ; Sun, 27 Mar 2022 11:18:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233358AbiC0LUD (ORCPT ); Sun, 27 Mar 2022 07:20:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47754 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229692AbiC0LUA (ORCPT ); Sun, 27 Mar 2022 07:20:00 -0400 Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3973735A96 for ; Sun, 27 Mar 2022 04:18:22 -0700 (PDT) Received: from pop-os.home ([90.126.236.122]) by smtp.orange.fr with ESMTPA id YQuZno4PVvjW4YQuZnulRo; Sun, 27 Mar 2022 13:18:20 +0200 X-ME-Helo: pop-os.home X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Sun, 27 Mar 2022 13:18:20 +0200 X-ME-IP: 90.126.236.122 From: Christophe JAILLET To: Greg Kroah-Hartman , =?UTF-8?q?Arve=20Hj=C3=B8nnev=C3=A5g?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , Hridya Valsaraju , Suren Baghdasaryan Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET , Todd Kjos Subject: [PATCH] binderfs: Fix the maximum minor value in binderfs_binder_device_create() and binderfs_binder_ctl_create() Date: Sun, 27 Mar 2022 13:18:17 +0200 Message-Id: X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" ida_alloc_max(..., max, ...) returns values from 0 to max, inclusive. So, BINDERFS_MAX_MINOR is a valid value for 'minor'. BINDERFS_MAX_MINOR is '1U << MINORBITS' and we have: #define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi)) So, When this value is used in MKDEV() and it will overflow. Fixes: 3ad20fe393b3 ("binder: implement binderfs") Signed-off-by: Christophe JAILLET --- This patch is completely speculative. The 'BINDERFS_MAX_MINOR_CAPPED - 1' is here only for symmetry with the BINDERFS_MAX_MINOR case. I'm not sure at all that is is needed and, more importantly, that it is correct. --- drivers/android/binderfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index e3605cdd4335..47df1f381150 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c @@ -130,8 +130,8 @@ static int binderfs_binder_device_create(struct inode *= ref_inode, mutex_lock(&binderfs_minors_mutex); if (++info->device_count <=3D info->mount_opts.max) minor =3D ida_alloc_max(&binderfs_minors, - use_reserve ? BINDERFS_MAX_MINOR : - BINDERFS_MAX_MINOR_CAPPED, + use_reserve ? BINDERFS_MAX_MINOR - 1: + BINDERFS_MAX_MINOR_CAPPED - 1, GFP_KERNEL); else minor =3D -ENOSPC; @@ -433,8 +433,8 @@ static int binderfs_binder_ctl_create(struct super_bloc= k *sb) /* Reserve a new minor number for the new device. */ mutex_lock(&binderfs_minors_mutex); minor =3D ida_alloc_max(&binderfs_minors, - use_reserve ? BINDERFS_MAX_MINOR : - BINDERFS_MAX_MINOR_CAPPED, + use_reserve ? BINDERFS_MAX_MINOR - 1 : + BINDERFS_MAX_MINOR_CAPPED - 1, GFP_KERNEL); mutex_unlock(&binderfs_minors_mutex); if (minor < 0) { --=20 2.32.0