From: Yu Kuai <yukuai3@huawei.com>

hulk inclusion
category: bugfix
bugzilla: 182920, https://gitee.com/openeuler/kernel/issues/I4GLNX
CVE: NA

---------------------------

When the user passes 0x100000 as index, nbd will end up creating the sysfs dir "/sys/block/43:0":

nbd_dev_add
 disk->first_minor = index << part_shift
  -> default part_shift is 5, 0x100000 << 5 = 0x2000000
 device_add_disk
  blk_alloc_devt
   MKDEV(disk->major, disk->first_minor + part->partno)
    -> (0x2b << 20) | (0x2000000) = 0x2b00000
  register_disk
   device_add
    device_create_sys_dev_entry
     format_dev_t
      MAJOR(devt) -> 0x2b00000 >> 20 = 0x2b
      MINOR(devt) -> 0x2b00000 & 0xfffff = 0
     sysfs_create_link -> /sys/block/43:0

If nbd has already created a device with index 0, then sysfs will complain about duplicated creation.

On the other hand, a similar duplicated creation will happen if "index << part_shift" overflows to a value that is less than MINORMASK.

Thus fix the problem by adding a sanity check for first_minor.

Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
--- drivers/block/nbd.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 2a3794801704a..33a52be762d24 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1755,7 +1755,18 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; + + /* + * Too big index can cause duplicate creation of sysfs files/links, + * because MKDEV() expect that the max first minor is MINORMASK, or + * index << part_shift can overflow. + */ disk->first_minor = index << part_shift; + if (disk->first_minor < index || disk->first_minor > MINORMASK) { + err = -EINVAL; + goto out_free_tags; + } + disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index); -- 2.25.1
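
Review bot: The new range check in nbd_dev_add() runs only after `disk->first_minor = index << part_shift` has been evaluated, so it validates a value that may already have wrapped. With `int index` (per the hunk header) the shift is a signed overflow, and `disk->first_minor < index` detects it only indirectly. Consider bounding the input before the shift, rejecting index values above `MINORMASK >> part_shift`, which covers both the wraparound case and the "greater than MINORMASK" case with one comparison and never computes the wrapped value. The `goto out_free_tags` target lies outside the visible context, so it is also worth confirming in the full function that this label unwinds everything allocated up to this point.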
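
The dev_t arithmetic walked through in the commit message, as an added userspace example (not kernel code and not part of the patch). `devt_unchecked` and `first_minor_checked` are hypothetical names, unsigned 32-bit arithmetic stands in for the kernel's `int`, and the index values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from the commit message: 20 minor bits, NBD major 0x2b (43),
 * default part_shift of 5. */
#define MINORBITS   20
#define MINORMASK   ((1U << MINORBITS) - 1)
#define MKDEV(ma, mi) (((ma) << MINORBITS) | (mi))
#define MAJOR(dev)  ((unsigned int)((dev) >> MINORBITS))
#define MINOR(dev)  ((unsigned int)((dev) & MINORMASK))
#define NBD_MAJOR   43U

/* dev_t produced when first_minor is used without any range check.
 * uint32_t models the 32-bit wraparound without undefined behaviour. */
uint32_t devt_unchecked(uint32_t index, unsigned int part_shift)
{
    uint32_t first_minor = index << part_shift;
    return MKDEV(NBD_MAJOR, first_minor);
}

/* Hypothetical helper: bound index before shifting so no wrapped or
 * oversized value is ever computed. Returns 0 on success, -1 if rejected. */
int first_minor_checked(uint32_t index, unsigned int part_shift, uint32_t *out)
{
    if (index > (MINORMASK >> part_shift))
        return -1;
    *out = index << part_shift;
    return 0;
}

int main(void)
{
    /* Constructed sample indexes: valid, boundary, and the aliasing cases. */
    uint32_t idx[] = { 0, 1, 0x7fff, 0x8000, 0x100000, 0x8000000 };

    for (size_t i = 0; i < sizeof(idx) / sizeof(idx[0]); i++) {
        uint32_t fm = 0;
        uint32_t d = devt_unchecked(idx[i], 5);
        int rc = first_minor_checked(idx[i], 5, &fm);

        printf("index 0x%x -> unchecked %u:%u, pre-shift check %s\n",
               (unsigned int)idx[i], MAJOR(d), MINOR(d),
               rc ? "rejects" : "accepts");
    }
    return 0;
}
```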