On Fri, Mar 26, 2021 at 04:59:54PM +0800, Ming Lei wrote:
> Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops
> check on max supported partitions number, and allows partition with
> bigger partition number to be added. However, ->bd_partno is defined
> as u8, so partition index of xarray table may not match with ->bd_partno.
> Then delete_partition() may delete one unmatched partition, and caused
> use-after-free.
>
> Cc: Bart Van Assche <bvanassche@xxxxxxx>
> Reported-by: syzbot+8fede7e30c7cee0de139@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
> Signed-off-by: Ming Lei <ming.lei@xxxxxxxxxx>
> ---
> Another fix is to define ->bd_partno as u32, not sure if we need to
> support so many partitions.
>
> block/partitions/core.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/block/partitions/core.c b/block/partitions/core.c
> index 1a7558917c47..933d47105b64 100644
> --- a/block/partitions/core.c
> +++ b/block/partitions/core.c
> @@ -322,6 +322,10 @@ static struct block_device *add_partition(struct gendisk *disk, int partno,
> const char *dname;
> int err;
>
> + /* disk_max_parts() is zero during initialization, ignore if so */
> + if (disk_max_parts(disk) && (partno + 1) > disk_max_parts(disk))
> + return ERR_PTR(-EINVAL);

disk->minors is set in __alloc_disk_node, so AFAICS it can't ever be 0
when add_partition is called.  So I think this should be just:

	if (partno >= disk_max_parts(disk))
		return ERR_PTR(-EINVAL);

otherwise this looks good.
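Review bot: the comment on the added guard says disk_max_parts() is zero during initialization and the check is skipped in that case, but if that were ever true the bound would be bypassed exactly when an oversized partno could still be stored into the u8 ->bd_partno; either the commit message should justify that the zero case is safe or the special case should go and the condition become the plain `if (partno >= disk_max_parts(disk))`, which is equivalent to `(partno + 1) > disk_max_parts(disk)` for the remaining case. The commit message motivates the fix by ->bd_partno being u8, yet the added check bounds partno by disk_max_parts() rather than by the field's range; it should state why disk_max_parts() is guaranteed to stay within what a u8 can hold, since that is what makes the check sufficient. Also, partno is a plain `int` in the function signature and the new condition lets a negative value through; unless the caller already rejects it, add `partno < 0 ||` to the condition.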