[PATCH OLK-5.10 01/42] nbd: Reorganize the messy commit log about the first_minor check
From: Zhong Jinghua <zhongjinghua@huawei.com> hulk inclusion category: bugfix bugzilla: 188217 ---------------------------------------- Commits on our branch with check issues on first_minor had serious confusion, resulting in duplicate checks in nbd_dev_add and nbd_genl_connect. So I revert the messy commit, backport lts patch. Revert 881885f30261 [Backport] nbd: fix max value for 'first_minor' Revert 4d759cee3f18 [Backport] Revert "Revert "block: nbd: add sanity check for first_minor"" Revert b95487500a4f [Huawei] nbd: fix assignment error for first_minor in nbd_dev_add Revert 93c4218b2f4d [Backport] nbd: fix possible overflow on 'first_minor' in nbd_dev_add() Revert 60141517d289 nbd: Fix use-after-free in blk_mq_free_rqs Revert 98d3ad1d2589 nbd: add sanity check for first_minor Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/nbd.c | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index fa08f380f5be..29884a0f1fca 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1875,17 +1875,7 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - - /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since index << part_shift might overflow, or - * MKDEV() expect that the max bits of first_minor is 20. - */ disk->first_minor = index << part_shift; - if (disk->first_minor < index || disk->first_minor > MINORMASK) { - err = -EINVAL; - goto out_free_idr; - } - disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index); @@ -1972,20 +1962,8 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info) if (!netlink_capable(skb, CAP_SYS_ADMIN)) return -EPERM; - if (info->attrs[NBD_ATTR_INDEX]) { + if (info->attrs[NBD_ATTR_INDEX]) index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]); - - /* - * Too big first_minor can cause duplicate creation of - * sysfs files/links, since index << part_shift might - * overflow, or MKDEV() expect that the max bits of - * first_minor is 20. - */ - if (index < 0 || index > MINORMASK >> part_shift) { - printk(KERN_ERR "nbd: illegal input index %d\n", index); - return -EINVAL; - } - } if (!info->attrs[NBD_ATTR_SOCKETS]) { printk(KERN_ERR "nbd: must specify at least one socket\n"); return -EINVAL; -- 2.39.2
From: Wen Yang <wenyang.linux@foxmail.com> stable inclusion from stable-v5.10.170 commit f3f6b33b77bac0bd27f1f1bec05ab58a54948fc9 category: bugfix bugzilla: 188217 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ---------------------------------------- This reverts commit 0daa75bf750c400af0a0127fae37cd959d36dee7. These problems such as: https://lore.kernel.org/all/CACPK8XfUWoOHr-0RwRoYoskia4fbAbZ7DYf5wWBnv6qUnGq... It was introduced by introduced by commit b1a811633f73 ("block: nbd: add sanity check for first_minor") and has been have been fixed by commit e4c4871a7394 ("nbd: fix max value for 'first_minor'"). Cc: Joel Stanley <joel@jms.id.au> Cc: Christoph Hellwig <hch@lst.de> Cc: Pavel Skripkin <paskripkin@gmail.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Sasha Levin <sashal@kernel.org> Cc: stable@vger.kernel.org # v5.10+ Signed-off-by: Wen Yang <wenyang.linux@foxmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/nbd.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 29884a0f1fca..7f26571a8ca0 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1875,7 +1875,17 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; + + /* Too big first_minor can cause duplicate creation of + * sysfs files/links, since first_minor will be truncated to + * byte in __device_add_disk(). + */ disk->first_minor = index << part_shift; + if (disk->first_minor > 0xff) { + err = -EINVAL; + goto out_free_idr; + } + disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index); -- 2.39.2
From: Yu Kuai <yukuai3@huawei.com> stable inclusion from stable-v5.10.170 commit fd8107206a672f5a529a819e8930bf81fb54ae0f category: bugfix bugzilla: 188217 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ---------------------------------------- commit e4c4871a73944353ea23e319de27ef73ce546623 upstream. commit b1a811633f73 ("block: nbd: add sanity check for first_minor") checks that 'first_minor' should not be greater than 0xff, which is wrong. Whitout the commit, the details that when user pass 0x100000, it ends up create sysfs dir "/sys/block/43:0" are as follows: nbd_dev_add disk->first_minor = index << part_shift -> default part_shift is 5, first_minor is 0x2000000 device_add_disk ddev->devt = MKDEV(disk->major, disk->first_minor) -> (0x2b << 20) | (0x2000000) = 0x2b00000 device_add device_create_sys_dev_entry format_dev_t sprintf(buffer, "%u:%u", MAJOR(dev), MINOR(dev)); -> got 43:0 sysfs_create_link -> /sys/block/43:0 By the way, with the wrong fix, when part_shift is the default value, only 8 ndb devices can be created since 8 << 5 is greater than 0xff. Since the max bits for 'first_minor' should be the same as what MKDEV() does, which is 20. Change the upper bound of 'first_minor' from 0xff to 0xfffff. Fixes: b1a811633f73 ("block: nbd: add sanity check for first_minor") Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Link: https://lore.kernel.org/r/20211102015237.2309763-2-yebin10@huawei.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Wen Yang <wenyang.linux@foxmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/nbd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 7f26571a8ca0..626e83fc0d81 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1877,11 +1877,11 @@ static int nbd_dev_add(int index) disk->major = NBD_MAJOR; /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since first_minor will be truncated to - * byte in __device_add_disk(). + * sysfs files/links, since MKDEV() expect that the max bits of + * first_minor is 20. */ disk->first_minor = index << part_shift; - if (disk->first_minor > 0xff) { + if (disk->first_minor > MINORMASK) { err = -EINVAL; goto out_free_idr; } -- 2.39.2
From: Yu Kuai <yukuai3@huawei.com> stable inclusion from stable-v5.10.170 commit 2e0c3e43ebb99c2b495229f8fade4c043fbd06a5 category: bugfix bugzilla: 188217 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ---------------------------------------- commit 940c264984fd1457918393c49674f6b39ee16506 upstream. If 'part_shift' is not zero, then 'index << part_shift' might overflow to a value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") Signed-off-by: Yu Kuai <yukuai3@huawei.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Link: https://lore.kernel.org/r/20211102015237.2309763-3-yebin10@huawei.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Wen Yang <wenyang.linux@foxmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com> Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/nbd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 626e83fc0d81..8290c1ac2e4f 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1877,11 +1877,11 @@ static int nbd_dev_add(int index) disk->major = NBD_MAJOR; /* Too big first_minor can cause duplicate creation of - * sysfs files/links, since MKDEV() expect that the max bits of - * first_minor is 20. + * sysfs files/links, since index << part_shift might overflow, or + * MKDEV() expect that the max bits of first_minor is 20. */ disk->first_minor = index << part_shift; - if (disk->first_minor > MINORMASK) { + if (disk->first_minor < index || disk->first_minor > MINORMASK) { err = -EINVAL; goto out_free_idr; } -- 2.39.2
participants (1)
-
Li Nan