Commit 56974c07 authored by Mike Christie's avatar Mike Christie Committed by Jens Axboe
Browse files

ublk: Limit dev_id/ub_number values 



The dev_id/ub_number is used for the ublk dev's char device's minor
number so it has to fit into MINORMASK. This patch adds checks to prevent
userspace from passing a number that's too large and limits what can be
allocated by the ublk_index_idr for the case where userspace has the
kernel allocate the dev_id/ub_number.

Signed-off-by: default avatarMike Christie <michael.christie@oracle.com>
Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20231012150600.6198-2-michael.christie@oracle.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent d451fdd0

drivers/block/ublk_drv.c

+9 −1
Original line number Diff line number Diff line
@@ -470,6 +470,7 @@ static DEFINE_MUTEX(ublk_ctl_mutex); 
 * It can be extended to one per-user limit in future or even controlled

 * by cgroup.

 */

#define UBLK_MAX_UBLKS UBLK_MINORS

static unsigned int ublks_max = 64;

static unsigned int ublks_added;	/* protected by ublk_ctl_mutex */
@@ -2026,7 +2027,8 @@ static int ublk_alloc_dev_number(struct ublk_device *ub, int idx) 
		if (err == -ENOSPC)

			err = -EEXIST;

	} else {

		err = idr_alloc(&ublk_index_idr, ub, 0, 0, GFP_NOWAIT);

		err = idr_alloc(&ublk_index_idr, ub, 0, UBLK_MAX_UBLKS,

				GFP_NOWAIT);

	}

	spin_unlock(&ublk_idr_lock);
@@ -2305,6 +2307,12 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) 
		return -EINVAL;

	}



	if (header->dev_id != U32_MAX && header->dev_id >= UBLK_MAX_UBLKS) {

		pr_warn("%s: dev id is too large. Max supported is %d\n",

			__func__, UBLK_MAX_UBLKS - 1);

		return -EINVAL;

	}



	ublk_dump_dev_info(&info);



	ret = mutex_lock_killable(&ublk_ctl_mutex);