From: Zhong Jinghua zhongjinghua@huawei.com

hulk inclusion category: bugfix bugzilla: 188413, https://gitee.com/openeuler/kernel/issues/I6GWYG CVE: NA

----------------------------------------

A panic error is like below:

nbd_genl_connect nbd_dev_add first_minor = index << part_shift; // index =-1 ... __device_add_disk blk_alloc_devt *devt = MKDEV(disk->major, disk->first_minor + part->partno); // part->partno = 0， first_minor = 11...110000 major is covered

There, index < 0 will reassign an index, but here disk->first_minor is assigned -1 << part_shift.

This causes to the creation of the device with the same major and minor device numbers each time the incoming index<0, and this will lead to creation of kobject failed: Warning: kobject_add_internal failed for 4095:1048544 with -EEXIST, don't try to register things with the same name in the same directory.

Fix it by moving the first_minor assignment down to after getting the new index.

Fixes: 01f7594e62e9 ("nbd: Fix use-after-free in blk_mq_free_rqs") Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com Reviewed-by: Yu Kuai yukuai3@huawei.com Reviewed-by: Hou Tao houtao1@huawei.com Signed-off-by: Yongqiang Liu liuyongqiang13@huawei.com --- drivers/block/nbd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 8dbbd676d275..551b2f7da8ef 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1706,7 +1706,6 @@ static int nbd_dev_add(int index) struct gendisk *disk; struct request_queue *q; int err = -ENOMEM; - int first_minor = index << part_shift;

nbd = kzalloc(sizeof(struct nbd_device), GFP_KERNEL); if (!nbd) @@ -1770,7 +1769,7 @@ static int nbd_dev_add(int index) refcount_set(&nbd->refs, 1); INIT_LIST_HEAD(&nbd->list); disk->major = NBD_MAJOR; - disk->first_minor = first_minor; + disk->first_minor = index << part_shift; disk->fops = &nbd_fops; disk->private_data = nbd; sprintf(disk->disk_name, "nbd%d", index);