!1210 [sync] PR-1185: nbd: validate the block size in nbd_set_size

Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1185 PR sync from: Zhong Jinghua <zhongjinghua@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4GPNRNM6BTL377CSMFTAKUUAS34YECTL/ nbd: validate the block size in nbd_set_size Christoph Hellwig (1): nbd: validate the block size in nbd_set_size Zhong Jinghua (1): nbd: fix incomplete validation of ioctl arg -- 2.31.1 Link:https://gitee.com/openeuler/kernel/pulls/1210 Reviewed-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

!1210 [sync] PR-1185: nbd: validate the block size in nbd_set_size
Merge Pull Request from: @openeuler-sync-bot Origin pull request: https://gitee.com/openeuler/kernel/pulls/1185 PR sync from: Zhong Jinghua <zhongjinghua@huawei.com> https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/4GPNRNM6BTL377CSMFTAKUUAS34YECTL/ nbd: validate the block size in nbd_set_size Christoph Hellwig (1): nbd: validate the block size in nbd_set_size Zhong Jinghua (1): nbd: fix incomplete validation of ioctl arg -- 2.31.1 Link:https://gitee.com/openeuler/kernel/pulls/1210 Reviewed-by: Hou Tao <houtao1@huawei.com> Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
42f5a282 · openeuler-ci-bot · Gitee · ff38a5f2 · 49e4348f · 42f5a282
隐藏空白更改
内联并排

Showing with 20 addition and 31 deletion

drivers/block/nbd.c drivers/block/nbd.c +20 -31

未找到文件。
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -301,16 +301,24 @@ static void nbd_size_clear(struct nbd_device *nbd)
 	}
 }
-static void nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
+static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
 		loff_t blksize)
 {
 	struct block_device *bdev;
+	if (!blksize)
+		blksize = NBD_DEF_BLKSIZE;
+	if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize))
+		return -EINVAL;
+	if (bytesize < 0)
+		return -EINVAL;
 	nbd->config->bytesize = bytesize;
 	nbd->config->blksize = blksize;
 	if (!nbd->pid)
-		return;
+		return 0;
 	if (nbd->config->flags & NBD_FLAG_SEND_TRIM) {
 		nbd->disk->queue->limits.discard_granularity = blksize;
@@ -330,6 +338,7 @@ static void nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
 		bdput(bdev);
 	}
 	kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE);
+	return 0;
 }
 static void nbd_complete_rq(struct request *req)
@@ -1096,6 +1105,9 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
 	struct nbd_sock *nsock;
 	int err;
+	/* Arg will be cast to int, check it to avoid overflow */
+	if (arg > INT_MAX)
+		return -EINVAL;
 	sock = nbd_get_socket(nbd, arg, &err);
 	if (!sock)
 		return err;
@@ -1388,8 +1400,7 @@ static int nbd_start_device(struct nbd_device *nbd)
 		args->index = i;
 		queue_work(nbd->recv_workq, &args->work);
 	}
-	nbd_set_size(nbd, config->bytesize, config->blksize);
+	return nbd_set_size(nbd, config->bytesize, config->blksize);
-	return error;
 }
 static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *bdev)
@@ -1438,14 +1449,6 @@ static void nbd_clear_sock_ioctl(struct nbd_device *nbd,
 		nbd_config_put(nbd);
 }
-static bool nbd_is_valid_blksize(unsigned long blksize)
-{
-	if (!blksize || !is_power_of_2(blksize) || blksize < 512 ||
-	    blksize > PAGE_SIZE)
-		return false;
-	return true;
-}
 static void nbd_set_cmd_timeout(struct nbd_device *nbd, u64 timeout)
 {
 	nbd->tag_set.timeout = timeout * HZ;
@@ -1471,20 +1474,13 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
 	case NBD_SET_SOCK:
 		return nbd_add_socket(nbd, arg, false);
 	case NBD_SET_BLKSIZE:
-		if (!arg)
+		return nbd_set_size(nbd, config->bytesize, arg);
-			arg = NBD_DEF_BLKSIZE;
-		if (!nbd_is_valid_blksize(arg))
-			return -EINVAL;
-		nbd_set_size(nbd, config->bytesize, arg);
-		return 0;
 	case NBD_SET_SIZE:
-		nbd_set_size(nbd, arg, config->blksize);
+		return nbd_set_size(nbd, arg, config->blksize);
-		return 0;
 	case NBD_SET_SIZE_BLOCKS:
 		if (check_mul_overflow((loff_t)arg, config->blksize, &bytesize))
 			return -EINVAL;
-		nbd_set_size(nbd, bytesize, config->blksize);
+		return nbd_set_size(nbd, bytesize, config->blksize);
-		return 0;
 	case NBD_SET_TIMEOUT:
 		nbd_set_cmd_timeout(nbd, arg);
 		return 0;
@@ -1908,18 +1904,11 @@ static int nbd_genl_size_set(struct genl_info *info, struct nbd_device *nbd)
 	if (info->attrs[NBD_ATTR_SIZE_BYTES])
 		bytes = nla_get_u64(info->attrs[NBD_ATTR_SIZE_BYTES]);
-	if (info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES]) {
+	if (info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES])
 		bsize = nla_get_u64(info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES]);
-		if (!bsize)
-			bsize = NBD_DEF_BLKSIZE;
-		if (!nbd_is_valid_blksize(bsize)) {
-			printk(KERN_ERR "Invalid block size %llu\n", bsize);
-			return -EINVAL;
-		}
-	}
 	if (bytes != config->bytesize || bsize != config->blksize)
-		nbd_set_size(nbd, bytes, bsize);
+		return nbd_set_size(nbd, bytes, bsize);
 	return 0;
 }