Message ID | cc17199798312406b90834e433d2cefe8266823d.1648306232.git.christophe.jaillet@wanadoo.fr (mailing list archive) |
---|---|
State | New, archived |
Series | block: Fix the maximum minor value is blk_alloc_ext_minor() |
On Sat 26-03-22 15:50:46, Christophe JAILLET wrote: > ida_alloc_range(..., min, max, ...) returns values from min to max, > inclusive. > > So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor(). > > This is an issue because in device_add_disk(), this value is used in: > ddev->devt = MKDEV(disk->major, disk->first_minor); > and NR_EXT_DEVT is '(1 << MINORBITS)'. > > So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow. > > Fixes: 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get") > Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Indeed. The patch looks good to me so feel free to add: Reviewed-by: Jan Kara <jack@suse.cz> > --- > #define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi)) > > This patch is completely speculative, but it seems that idr_alloc() and > ida_alloc_range() don't have the same semantic regarding the upper bound. > idr_alloc() looks exclusive, while ida_alloc_range() is inclusive. > > We changed from the first one to the other one in the commit in Fixes:. Yes, this difference is really a landmine. Matthew, why is the semantics of max parameter for idr_alloc() different from ida_alloc_range() or say idr_alloc_u32()? It is really easy to introduce subtle bugs with this... Honza > --- > block/genhd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/block/genhd.c b/block/genhd.c > index c9a4fc90d3e9..b8b6759d670f 100644 > --- a/block/genhd.c > +++ b/block/genhd.c > @@ -335,7 +335,7 @@ int blk_alloc_ext_minor(void) > { > int idx; > > - idx = ida_alloc_range(&ext_devt_ida, 0, NR_EXT_DEVT, GFP_KERNEL); > + idx = ida_alloc_range(&ext_devt_ida, 0, NR_EXT_DEVT - 1, GFP_KERNEL); > if (idx == -ENOSPC) > return -EBUSY; > return idx; > -- > 2.32.0 >
On Sat, 26 Mar 2022 15:50:46 +0100, Christophe JAILLET wrote:
> ida_alloc_range(..., min, max, ...) returns values from min to max,
> inclusive.
>
> So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().
>
> This is an issue because in device_add_disk(), this value is used in:
> ddev->devt = MKDEV(disk->major, disk->first_minor);
> and NR_EXT_DEVT is '(1 << MINORBITS)'.
>
> [...]

Applied, thanks!

[1/1] block: Fix the maximum minor value is blk_alloc_ext_minor()
      commit: d1868328dec5ae2cf210111025fcbc71f78dd5ca

Best regards,
diff --git a/block/genhd.c b/block/genhd.c index c9a4fc90d3e9..b8b6759d670f 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -335,7 +335,7 @@ int blk_alloc_ext_minor(void) { int idx; - idx = ida_alloc_range(&ext_devt_ida, 0, NR_EXT_DEVT, GFP_KERNEL); + idx = ida_alloc_range(&ext_devt_ida, 0, NR_EXT_DEVT - 1, GFP_KERNEL); if (idx == -ENOSPC) return -EBUSY; return idx;
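Review bot: The new `NR_EXT_DEVT - 1` argument to `ida_alloc_range()` carries no comment saying that `max` is inclusive, which is the detail that was lost when this call replaced `idr_alloc()`. A one-line comment above the call, for example `/* max is inclusive: the minor must fit in MINORBITS */`, would keep a later refactor from reintroducing the off-by-one. With the old bound, `idx` could equal `1 << MINORBITS`, and `MKDEV()` ORs that bit into the major field instead of the minor.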
ida_alloc_range(..., min, max, ...) returns values from min to max,
inclusive.

So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor().

This is an issue because in device_add_disk(), this value is used in:
   ddev->devt = MKDEV(disk->major, disk->first_minor);
and NR_EXT_DEVT is '(1 << MINORBITS)'.

So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow.

Fixes: 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
#define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi))

This patch is completely speculative, but it seems that idr_alloc() and
ida_alloc_range() don't have the same semantic regarding the upper bound.
idr_alloc() looks exclusive, while ida_alloc_range() is inclusive.

We changed from the first one to the other one in the commit in Fixes:.
---
 block/genhd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
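What the overflow described in the commit message does to the encoded device number, as an added userspace example that is not code from the patch or the kernel tree. It assumes the kernel's `MINORBITS` value of 20 and its `MAJOR()`/`MINOR()` decode macros; the majors 8 and 259 are constructed sample values and `mkdev_checked()` is a hypothetical guard.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace copy of the dev_t layout; the kernel sets MINORBITS to 20. */
#define MINORBITS     20
#define MINORMASK     ((1U << MINORBITS) - 1)
#define MAJOR(dev)    ((unsigned int)((dev) >> MINORBITS))
#define MINOR(dev)    ((unsigned int)((dev) & MINORMASK))
#define MKDEV(ma, mi) (((ma) << MINORBITS) | (mi))
#define NR_EXT_DEVT   (1U << MINORBITS)

/* 1 when (major, minor) survives an encode/decode round trip, else 0. */
static int devt_roundtrips(uint32_t major, uint32_t minor)
{
    uint32_t devt = MKDEV(major, minor);

    return MAJOR(devt) == major && MINOR(devt) == minor;
}

/* Hypothetical guard: refuse a minor that does not fit in MINORBITS. */
static int mkdev_checked(uint32_t major, uint32_t minor, uint32_t *devt)
{
    if (minor > MINORMASK)
        return -1;
    *devt = MKDEV(major, minor);
    return 0;
}

int main(void)
{
    /* Highest id an inclusive allocator can return: old vs. fixed bound. */
    uint32_t bounds[] = { NR_EXT_DEVT, NR_EXT_DEVT - 1 };
    uint32_t majors[] = { 8, 259 };   /* constructed: one even, one odd */

    for (int b = 0; b < 2; b++) {
        for (int m = 0; m < 2; m++) {
            uint32_t devt = MKDEV(majors[m], bounds[b]);
            uint32_t checked;

            printf("%u:%u decodes as %u:%u roundtrip=%d checked=%d\n",
                   majors[m], bounds[b], MAJOR(devt), MINOR(devt),
                   devt_roundtrips(majors[m], bounds[b]),
                   mkdev_checked(majors[m], bounds[b], &checked));
        }
    }
    return 0;
}
```

With an even major the stray bit turns it into the next major; with an odd major the bit is already set, so the result is identical to minor 0 of the same major.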