block: don't create too many partitions

Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops the
check on max supported number of partitionsr, and allows partition with
bigger partition numbers to be added. However, ->bd_partno is defined as
u8, so partition index of xarray table may not match with ->bd_partno.
Then delete_partition() may delete one unmatched partition, and caused
use-after-free.

Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/block/partitions/core.c b/block/partitions/core.c
index 1a7558917c47d66f0537b97d92e789013f906647..46f055bc7ecb38710a92023f8eb1668061f6c2f6 100644 (file)
--- a/block/partitions/core.c
+++ b/block/partitions/core.c
@@ -322,6 +322,13 @@ static struct block_device *add_partition(struct gendisk *disk, int partno,
        const char *dname;
        int err;
 
+       /*
+        * disk_max_parts() won't be zero, either GENHD_FL_EXT_DEVT is set
+        * or 'minors' is passed to alloc_disk().
+        */
+       if (partno >= disk_max_parts(disk))
+               return ERR_PTR(-EINVAL);
+
        /*
         * Partitions are not supported on zoned block devices that are used as
         * such.