From patchwork Sun Mar 27 11:06:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe JAILLET X-Patchwork-Id: 12792783 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C1293C433FE for ; Sun, 27 Mar 2022 11:06:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231390AbiC0LIZ (ORCPT ); Sun, 27 Mar 2022 07:08:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47240 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232972AbiC0LIY (ORCPT ); Sun, 27 Mar 2022 07:08:24 -0400 Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6EDCB37BCA for ; Sun, 27 Mar 2022 04:06:44 -0700 (PDT) Received: from pop-os.home ([90.126.236.122]) by smtp.orange.fr with ESMTPA id YQj9no0PLvjW4YQj9nukfS; Sun, 27 Mar 2022 13:06:41 +0200 X-ME-Helo: pop-os.home X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Sun, 27 Mar 2022 13:06:41 +0200 X-ME-IP: 90.126.236.122 From: Christophe JAILLET To: "Md. Haris Iqbal" , Jack Wang , Jens Axboe , Bart Van Assche , Jason Gunthorpe , Danil Kipnis Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET , Jack Wang , linux-block@vger.kernel.org Subject: [PATCH] block/rnbd: Fix the maximum clt_device_id value in init_dev() Date: Sun, 27 Mar 2022 13:06:30 +0200 Message-Id: <42165d3f9dfc7abb54542d34a4e33ea8e83b101c.1648379172.git.christophe.jaillet@wanadoo.fr> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive. So, '1 << (MINORBITS - RNBD_PART_BITS)' is a valid value for ret, which is then saved in 'dev->clt_device_id'. This value is used in rnbd_client_setup_device() and passed to rnbd_clt_setup_gen_disk(). There we have: dev->gd->first_minor = idx << RNBD_PART_BITS So a possible value for 'gd->first_minor' is '1 << MINORBITS' This is an issue because: rnbd_clt_setup_gen_disk() --> add_disk(dev->gd) --> device_add_disk(NULL, disk, NULL) And there we have: ddev->devt = MKDEV(disk->major, disk->first_minor); So, should 'gd->first_minor' be '1 << MINORBITS', MKDEV() would overflow. Fixes: f7a7a5c228d4 ("block/rnbd: client: main functionality") Signed-off-by: Christophe JAILLET Acked-by: Jack Wang --- #define MKDEV(ma,mi) (((ma) << MINORBITS) | (mi)) This patch is completely speculative. I think that: if (disk->first_minor + disk->minors > MINORMASK + 1) return -EINVAL; in device_add_disk() handles this corner case. Anyway, if I'm correct, handling the error earlier can't hurt (at least I guess so :)). Signed-off-by: Christophe JAILLET --- drivers/block/rnbd/rnbd-clt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c index b66e8840b94b..db900c3786a3 100644 --- a/drivers/block/rnbd/rnbd-clt.c +++ b/drivers/block/rnbd/rnbd-clt.c @@ -1454,7 +1454,7 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess, goto out_alloc; } - ret = ida_alloc_max(&index_ida, 1 << (MINORBITS - RNBD_PART_BITS), + ret = ida_alloc_max(&index_ida, (1 << (MINORBITS - RNBD_PART_BITS)) - 1, GFP_KERNEL); if (ret < 0) { pr_err("Failed to initialize device '%s' from session %s, allocating idr failed, err: %d\n",