On 8/12/21 3:15 AM, Pavel Skripkin wrote: > Syzbot hit WARNING in internal_create_group(). The problem was in > too big disk->first_minor. > > disk->first_minor is initialized by value, which comes from userspace > and there wasn't any sanity checks about value correctness. It can cause > duplicate creation of sysfs files/links, because disk->first_minor will > be passed to MKDEV() which causes truncation to byte. Since maximum > minor value is 0xff, let's check if first_minor is correct minor number. > > NOTE: the root case of the reported warning was in wrong error handling > in register_disk(), but we can avoid passing knowingly wrong values to > sysfs API, because sysfs error messages can confuse users. For example: > user passed 1048576 as index, but sysfs complains about duplicate > creation of /dev/block/43:0. It's not obvious how 1048576 becomes 0. > Log and reproducer for above example can be found on syzkaller bug > report page. Applied, thanks. -- Jens Axboe
