From 98d3ad1d25894e2a81a5f22eeba65982a89c386a Mon Sep 17 00:00:00 2001
From: Yu Kuai <yukuai3@huawei.com>
Date: Mon, 15 Nov 2021 19:50:26 +0800
Subject: [PATCH] nbd: add sanity check for first_minor

hulk inclusion
category: bugfix
bugzilla: 182920 https://gitee.com/openeuler/kernel/issues/I4DDEL

---------------------------

When user pass 0x100000 as index, nbd will end up create sysfs dir
"/sys/block/43:0":

nbd_dev_add
 disk->first_minor = index << part_shift
 -> default part_shift is 5, 0x100000 << 5 = 0x2000000
  device_add_disk
   blk_alloc_devt
    MKDEV(disk->major, disk->first_minor + part->partno)
    -> (0x2b << 20) | (0x2000000) = 0x2b00000
   register_disk
    device_add
     device_create_sys_dev_entry
      format_dev_t
       MAJOR(devt) -> 0x2b00000 >> 20 = 0x2b
       MINOR(devt) -> 0x2b00000 & 0xfffff = 0
      sysfs_create_link -> /sys/block/43:0

If nbd created device with index 0 aready, then sysfs will compalin
about dumplicated creation.

On the other hand, the similar dumplicated creation will happen if
"index << part_shift" over flow to a value that is less than MINORMASK.

Thus fix the problem by adding sanity check for first_minor.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>

Signed-off-by: Chen Jun <chenjun102@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 drivers/block/nbd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index bb50af20b284..cc9770936c67 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1821,7 +1821,18 @@ static int nbd_dev_add(int index)
 	refcount_set(&nbd->refs, 1);
 	INIT_LIST_HEAD(&nbd->list);
 	disk->major = NBD_MAJOR;
+
+	/*
+	 * Too big index can cause duplicate creation of sysfs files/links,
+	 * because MKDEV() expect that the max first minor is MINORMASK, or
+	 * index << part_shift can overflow.
+	 */
 	disk->first_minor = index << part_shift;
+	if (disk->first_minor < index || disk->first_minor > MINORMASK) {
+		err = -EINVAL;
+		goto out_free_tags;
+	}
+
 	disk->fops = &nbd_fops;
 	disk->private_data = nbd;
 	sprintf(disk->disk_name, "nbd%d", index);
-- 
GitLab