From 2e88d5f1681a65bf634c705db265964c04dba47c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 14 Sep 2021 20:08:45 +0200 Subject: [PATCH] drop block-nbd-add-sanity-check-for-first_minor.patch from 4.14 and 4.19 --- ...nbd-add-sanity-check-for-first_minor.patch | 62 ------------------- queue-4.14/series | 1 - ...nbd-add-sanity-check-for-first_minor.patch | 62 ------------------- queue-4.19/series | 1 - 4 files changed, 126 deletions(-) delete mode 100644 queue-4.14/block-nbd-add-sanity-check-for-first_minor.patch delete mode 100644 queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch diff --git a/queue-4.14/block-nbd-add-sanity-check-for-first_minor.patch b/queue-4.14/block-nbd-add-sanity-check-for-first_minor.patch deleted file mode 100644 index 2dfd7899c14..00000000000 --- a/queue-4.14/block-nbd-add-sanity-check-for-first_minor.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 551ad7865ff8cccb874d7153265eff803b256ece Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Aug 2021 12:15:01 +0300 -Subject: block: nbd: add sanity check for first_minor - -From: Pavel Skripkin - -[ Upstream commit b1a811633f7321cf1ae2bb76a66805b7720e44c9 ] - -Syzbot hit WARNING in internal_create_group(). The problem was in -too big disk->first_minor. - -disk->first_minor is initialized by value, which comes from userspace -and there wasn't any sanity checks about value correctness. It can cause -duplicate creation of sysfs files/links, because disk->first_minor will -be passed to MKDEV() which causes truncation to byte. Since maximum -minor value is 0xff, let's check if first_minor is correct minor number. - -NOTE: the root case of the reported warning was in wrong error handling -in register_disk(), but we can avoid passing knowingly wrong values to -sysfs API, because sysfs error messages can confuse users. For example: -user passed 1048576 as index, but sysfs complains about duplicate -creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0. -Log and reproducer for above example can be found on syzkaller bug -report page. - -Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1 -Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") -Reported-by: syzbot+9937dc42271cd87d4b98@syzkaller.appspotmail.com -Reviewed-by: Christoph Hellwig -Signed-off-by: Pavel Skripkin -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/block/nbd.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index 826b3877a157..9a8175c057a9 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -1668,7 +1668,17 @@ static int nbd_dev_add(int index) - refcount_set(&nbd->refs, 1); - INIT_LIST_HEAD(&nbd->list); - disk->major = NBD_MAJOR; -+ -+ /* Too big first_minor can cause duplicate creation of -+ * sysfs files/links, since first_minor will be truncated to -+ * byte in __device_add_disk(). -+ */ - disk->first_minor = index << part_shift; -+ if (disk->first_minor > 0xff) { -+ err = -EINVAL; -+ goto out_free_idr; -+ } -+ - disk->fops = &nbd_fops; - disk->private_data = nbd; - sprintf(disk->disk_name, "nbd%d", index); --- -2.30.2 - diff --git a/queue-4.14/series b/queue-4.14/series index ffe952ac8c9..b40a787749e 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -47,7 +47,6 @@ m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch -block-nbd-add-sanity-check-for-first_minor.patch crypto-qat-use-proper-type-for-vf_mask.patch certs-trigger-creation-of-rsa-module-signing-key-if-.patch soc-rockchip-rockchip_grf-should-not-default-to-y-un.patch diff --git a/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch b/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch deleted file mode 100644 index 34f0b95a785..00000000000 --- a/queue-4.19/block-nbd-add-sanity-check-for-first_minor.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 00e00416181706229822e75c561f73c9ff792b43 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 12 Aug 2021 12:15:01 +0300 -Subject: block: nbd: add sanity check for first_minor - -From: Pavel Skripkin - -[ Upstream commit b1a811633f7321cf1ae2bb76a66805b7720e44c9 ] - -Syzbot hit WARNING in internal_create_group(). The problem was in -too big disk->first_minor. - -disk->first_minor is initialized by value, which comes from userspace -and there wasn't any sanity checks about value correctness. It can cause -duplicate creation of sysfs files/links, because disk->first_minor will -be passed to MKDEV() which causes truncation to byte. Since maximum -minor value is 0xff, let's check if first_minor is correct minor number. - -NOTE: the root case of the reported warning was in wrong error handling -in register_disk(), but we can avoid passing knowingly wrong values to -sysfs API, because sysfs error messages can confuse users. For example: -user passed 1048576 as index, but sysfs complains about duplicate -creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0. -Log and reproducer for above example can be found on syzkaller bug -report page. - -Link: https://syzkaller.appspot.com/bug?id=03c2ae9146416edf811958d5fd7acfab75b143d1 -Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") -Reported-by: syzbot+9937dc42271cd87d4b98@syzkaller.appspotmail.com -Reviewed-by: Christoph Hellwig -Signed-off-by: Pavel Skripkin -Signed-off-by: Jens Axboe -Signed-off-by: Sasha Levin ---- - drivers/block/nbd.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index 81b955670b12..d50784ac3c3d 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -1685,7 +1685,17 @@ static int nbd_dev_add(int index) - refcount_set(&nbd->refs, 1); - INIT_LIST_HEAD(&nbd->list); - disk->major = NBD_MAJOR; -+ -+ /* Too big first_minor can cause duplicate creation of -+ * sysfs files/links, since first_minor will be truncated to -+ * byte in __device_add_disk(). -+ */ - disk->first_minor = index << part_shift; -+ if (disk->first_minor > 0xff) { -+ err = -EINVAL; -+ goto out_free_idr; -+ } -+ - disk->fops = &nbd_fops; - disk->private_data = nbd; - sprintf(disk->disk_name, "nbd%d", index); --- -2.30.2 - diff --git a/queue-4.19/series b/queue-4.19/series index 33505e60865..f3676946617 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -57,7 +57,6 @@ spi-spi-fsl-dspi-fix-issue-with-uninitialized-dma_sl.patch spi-spi-pic32-fix-issue-with-uninitialized-dma_slave.patch lib-mpi-use-kcalloc-in-mpi_resize.patch clocksource-drivers-sh_cmt-fix-wrong-setting-if-don-.patch -block-nbd-add-sanity-check-for-first_minor.patch crypto-qat-use-proper-type-for-vf_mask.patch certs-trigger-creation-of-rsa-module-signing-key-if-.patch spi-sprd-fix-the-wrong-wdg_load_val.patch -- 2.47.2