Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops the check on the max supported number of partitions, and allows a partition with a bigger partition number to be added. However, ->bd_partno is defined as u8, so the partition index of the xarray table may not match ->bd_partno. Then delete_partition() may delete one unmatched partition, and cause a use-after-free.

Cc: Bart Van Assche <bvanassche@xxxxxxx>
Reported-by: syzbot+8fede7e30c7cee0de139@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
---
Another fix is to define ->bd_partno as u32, not sure if we need to support so many partitions.

 block/partitions/core.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/partitions/core.c b/block/partitions/core.c index 1a7558917c47..933d47105b64 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c @@ -322,6 +322,10 @@ static struct block_device *add_partition(struct gendisk *disk, int partno, const char *dname; int err; + /* disk_max_parts() is zero during initialization, ignore if so */ + if (disk_max_parts(disk) && (partno + 1) > disk_max_parts(disk)) + return ERR_PTR(-EINVAL); + /* * Partitions are not supported on zoned block devices that are used as * such. -- 2.29.2
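Review bot: The new check in add_partition() is skipped whenever disk_max_parts(disk) returns zero, so on that path partno is still unbounded and can exceed what the u8 ->bd_partno named in the commit message can hold. Either bound partno against the width of ->bd_partno unconditionally, or extend the comment to say why no oversized partno can reach add_partition() while disk_max_parts() is zero. The check also relies on disk_max_parts() never returning a value larger than a u8 index can cover, which nothing in the hunk states; a comment or a compile-time assertion tying the two together would keep the fix from silently regressing if either side changes. Minor style point: `(partno + 1) > disk_max_parts(disk)` reads more directly as `partno >= disk_max_parts(disk)`.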