
Commit 6d35d04

Zhang Wensheng authored and axboe committed
nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
When 'index' is a big number, it may become negative when forced to 'int'. Then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complain about duplicate creation. Because of this, moving the 'index' judgment to the front will fix it and be better.

Fixes: b0d9111 ("nbd: use an idr to keep track of nbd devices")
Fixes: 940c264 ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()")
Signed-off-by: Zhang Wensheng <zhangwensheng5@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20220310093224.4002895-1-zhangwensheng5@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent db0a155 commit 6d35d04
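
The case the commit message describes, as an added example that is not part of the commit or the kernel source: it models the u32-to-int conversion and the 32-bit shift with portable arithmetic and compares the shape of the removed check with the added one. The helper names, the sample values, part_shift = 5 and the unsigned MINORMASK are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* 20 minor bits ('0xfffff' in the commit message); treated as unsigned here,
 * which is an assumption of this example. */
#define MINORMASK 0xfffffU

/* Reinterpret a u32 as a signed 32-bit value without relying on
 * implementation-defined conversion: models storing a u32 into 'int index'. */
static int32_t as_int(uint32_t v)
{
    return v <= (uint32_t)INT32_MAX ? (int32_t)v
                                    : (int32_t)(v - 0x80000000u) + INT32_MIN;
}

/* index << part_shift with 32-bit wraparound. */
static int32_t first_minor_of(int32_t index, unsigned part_shift)
{
    return as_int((uint32_t)index << part_shift);
}

/* Shape of the check deleted from nbd_dev_add(): validate after shifting. */
static int old_check_accepts(uint32_t attr, unsigned part_shift)
{
    int32_t index = as_int(attr);
    int32_t fm = first_minor_of(index, part_shift);
    return !(fm < index || (uint32_t)fm > MINORMASK);
}

/* Shape of the check added to nbd_genl_connect(): validate before shifting. */
static int new_check_accepts(uint32_t attr, unsigned part_shift)
{
    int32_t index = as_int(attr);
    return !(index < 0 || (uint32_t)index > (MINORMASK >> part_shift));
}

int main(void)
{
    /* Constructed sample inputs; part_shift = 5 is an assumed value. */
    const uint32_t samples[] = { 1u, 0x7fffu, 0x8000u, 0x08000001u, 0x80000001u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("attr=0x%08x first_minor=%d old=%d new=%d\n", (unsigned)samples[i],
               (int)first_minor_of(as_int(samples[i]), 5),
               old_check_accepts(samples[i], 5), new_check_accepts(samples[i], 5));
    return 0;
}
```

The last sample is the one the two checks disagree on: its shifted value equals the first_minor of index 1, which is the duplicate the commit message refers to.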

1 file changed: +12 -12 lines changed

drivers/block/nbd.c

Lines changed: 12 additions & 12 deletions
@@ -1800,17 +1800,6 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs)
18001800
refcount_set(&nbd->refs, 0);
18011801
INIT_LIST_HEAD(&nbd->list);
18021802
disk->major = NBD_MAJOR;
1803-
1804-
/* Too big first_minor can cause duplicate creation of
1805-
* sysfs files/links, since index << part_shift might overflow, or
1806-
* MKDEV() expect that the max bits of first_minor is 20.
1807-
*/
1808-
disk->first_minor = index << part_shift;
1809-
if (disk->first_minor < index || disk->first_minor > MINORMASK) {
1810-
err = -EINVAL;
1811-
goto out_free_work;
1812-
}
1813-
18141803
disk->minors = 1 << part_shift;
18151804
disk->fops = &nbd_fops;
18161805
disk->private_data = nbd;
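
Review bot: the lines deleted from nbd_dev_add() include the assignment 'disk->first_minor = index << part_shift;' itself (old line 1808), not only the range check after it, and neither hunk adds it back, so as shown first_minor is no longer set from index in this function. Keep the assignment as a context line between 'disk->major = NBD_MAJOR;' and 'disk->minors = 1 << part_shift;' and delete only the comment and the 'if' block. With the check gone from nbd_dev_add(), every caller that passes an index has to validate it first; the patch shows that only for nbd_genl_connect().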
@@ -1915,8 +1904,19 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
19151904
if (!netlink_capable(skb, CAP_SYS_ADMIN))
19161905
return -EPERM;
19171906

1918-
if (info->attrs[NBD_ATTR_INDEX])
1907+
if (info->attrs[NBD_ATTR_INDEX]) {
19191908
index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
1909+
1910+
/*
1911+
* Too big first_minor can cause duplicate creation of
1912+
* sysfs files/links, since index << part_shift might overflow, or
1913+
* MKDEV() expect that the max bits of first_minor is 20.
1914+
*/
1915+
if (index < 0 || index > MINORMASK >> part_shift) {
1916+
printk(KERN_ERR "nbd: illegal input index %d\n", index);
1917+
return -EINVAL;
1918+
}
1919+
}
19201920
if (!info->attrs[NBD_ATTR_SOCKETS]) {
19211921
printk(KERN_ERR "nbd: must specify at least one socket\n");
19221922
return -EINVAL;
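
Review bot: in the added test 'if (index < 0 || index > MINORMASK >> part_shift)', the 'index < 0' half only does anything if 'index' is a signed int, since it is assigned from nla_get_u32() one line above and the declaration is outside this hunk; a short comment saying that attribute values above INT_MAX arrive here as negative would make the intent clear. Parenthesise the bound as 'index > (MINORMASK >> part_shift)' so the reader does not have to recall that '>>' binds tighter than '>'. The error message prints with %d, so if 'index' is signed a rejected large value is logged as a negative number rather than the value the caller sent.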
