[PATCH 5.15 760/917] nbd: fix max value for first_minor

From: Greg Kroah-Hartman
Date: Mon Nov 15 2021 - 19:46:46 EST

Next message: Greg Kroah-Hartman: "[PATCH 5.15 750/917] scsi: qla2xxx: edif: Fix app start fail"
Previous message: Greg Kroah-Hartman: "[PATCH 5.15 756/917] dmaengine: idxd: fix resource leak on dmaengine driver disable"
In reply to: Greg Kroah-Hartman: "[PATCH 5.15 756/917] dmaengine: idxd: fix resource leak on dmaengine driver disable"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.15 750/917] scsi: qla2xxx: edif: Fix app start fail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yu Kuai <yukuai3@xxxxxxxxxx>

[ Upstream commit e4c4871a73944353ea23e319de27ef73ce546623 ]

commit b1a811633f73 ("block: nbd: add sanity check for first_minor")
checks that 'first_minor' should not be greater than 0xff, which is
wrong. Whitout the commit, the details that when user pass 0x100000,
it ends up create sysfs dir "/sys/block/43:0" are as follows:

nbd_dev_add
disk->first_minor = index << part_shift
-> default part_shift is 5, first_minor is 0x2000000
device_add_disk
ddev->devt = MKDEV(disk->major, disk->first_minor)
-> (0x2b << 20) | (0x2000000) = 0x2b00000
device_add
device_create_sys_dev_entry
format_dev_t
sprintf(buffer, "%u:%u", MAJOR(dev), MINOR(dev));
-> got 43:0
sysfs_create_link -> /sys/block/43:0

By the way, with the wrong fix, when part_shift is the default value,
only 8 ndb devices can be created since 8 << 5 is greater than 0xff.

Since the max bits for 'first_minor' should be the same as what
MKDEV() does, which is 20. Change the upper bound of 'first_minor'
from 0xff to 0xfffff.

Fixes: b1a811633f73 ("block: nbd: add sanity check for first_minor")
Signed-off-by: Yu Kuai <yukuai3@xxxxxxxxxx>
Reviewed-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20211102015237.2309763-2-yebin10@xxxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/block/nbd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 4f1b591c3a555..0d820c4dec176 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1749,11 +1749,11 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs)
disk->major = NBD_MAJOR;

/* Too big first_minor can cause duplicate creation of
- * sysfs files/links, since first_minor will be truncated to
- * byte in __device_add_disk().
+ * sysfs files/links, since MKDEV() expect that the max bits of
+ * first_minor is 20.
*/
disk->first_minor = index << part_shift;
- if (disk->first_minor > 0xff) {
+ if (disk->first_minor > MINORMASK) {
err = -EINVAL;
goto out_free_idr;
}
--
2.33.0

Next message: Greg Kroah-Hartman: "[PATCH 5.15 750/917] scsi: qla2xxx: edif: Fix app start fail"
Previous message: Greg Kroah-Hartman: "[PATCH 5.15 756/917] dmaengine: idxd: fix resource leak on dmaengine driver disable"
In reply to: Greg Kroah-Hartman: "[PATCH 5.15 756/917] dmaengine: idxd: fix resource leak on dmaengine driver disable"
Next in thread: Greg Kroah-Hartman: "[PATCH 5.15 750/917] scsi: qla2xxx: edif: Fix app start fail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]