author Ming Lei <> 2021-03-27 15:13:09 +0800
committer Jens Axboe <> 2021-03-27 09:22:18 -0600
commit e82fc7855749aa197740a60ef22c492c41ea5d5f
parent 7de55b7d6f09a2865279d3c41c0fbdbfdb87486a

block: don't create too many partitions
block-5.12-2021-03-27
Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops the check on max supported number of partitions, and allows partition with bigger partition numbers to be added. However, ->bd_partno is defined as u8, so partition index of xarray table may not match with ->bd_partno. Then delete_partition() may delete one unmatched partition, and cause use-after-free.

Reviewed-by: Bart Van Assche <>
Reported-by:
Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Ming Lei <>
Signed-off-by: Jens Axboe <>
1 files changed, 7 insertions, 0 deletions
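The mismatch the commit message describes, as an added user-space model that is not kernel code and not part of this commit: the table, the struct, the function names and the limit of 256 are assumptions made for illustration, and only the u8 width of the stored partition number comes from the message.

```c
#include <stdint.h>
#include <stdio.h>

#define MODEL_MAX_PARTS 256  /* assumed limit; stands in for disk_max_parts() */
#define MODEL_SLOTS     1024 /* assumed table size; stands in for the xarray */

/* Hypothetical model of a partition that records its own number in a u8. */
struct model_part { uint8_t partno; int in_use; };
static struct model_part table[MODEL_SLOTS];

/* Behaviour without the check: table index and stored number can disagree. */
static int add_unchecked(int partno)
{
    if (partno < 0 || partno >= MODEL_SLOTS)
        return -1;                          /* keeps the model's array access safe */
    table[partno].partno = (uint8_t)partno; /* 300 is stored as 300 % 256 = 44 */
    table[partno].in_use = 1;
    return 0;
}

/* Behaviour with an upper bound applied before anything is stored. */
static int add_checked(int partno)
{
    if (partno >= MODEL_MAX_PARTS)
        return -1;
    return add_unchecked(partno);
}

/* Deletion keyed on the number the partition carries; returns the slot freed. */
static int delete_by_stored_partno(int slot_of_part)
{
    int victim = table[slot_of_part].partno;
    table[victim].in_use = 0;
    return victim;
}

/* Adds partitions 44 and 300, deletes "300", reports which slot was freed. */
static int demo_mismatch(void)
{
    add_unchecked(44);
    add_unchecked(300);
    return delete_by_stored_partno(300);
}

int main(void)
{
    printf("freed slot %d, add_checked(300) = %d\n", demo_mismatch(), add_checked(300));
    return 0;
}
```

In the model, deleting the entry added as 300 frees slot 44 and leaves slot 300 marked in use, which is the "unmatched partition" case; with the bound in place the add is refused before the truncated number is ever stored.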
diff --git a/block/partitions/core.c b/block/partitions/core.c
index 1a7558917c47..46f055bc7ecb 100644
--- a/block/partitions/core.c
+++ b/block/partitions/core.c
@@ -323,6 +323,13 @@ static struct block_device *add_partition(struct gendisk *disk, int partno,
int err;
+ * disk_max_parts() won't be zero, either GENHD_FL_EXT_DEVT is set
+ * or 'minors' is passed to alloc_disk().
+ */
+ if (partno >= disk_max_parts(disk))
+ return ERR_PTR(-EINVAL);
+ /*
* Partitions are not supported on zoned block devices that are used as
* such.
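Review bot: The new `if (partno >= disk_max_parts(disk))` check bounds `partno` only from above, while the signature in the hunk header declares it as `int`; if no caller guarantees a non-negative value, add `partno < 0` to the condition, or state that guarantee in the comment. The comment also explains why disk_max_parts() cannot be zero but not why staying below it keeps the table index within what the u8 ->bd_partno named in the commit message can hold; one sentence tying the bound to that field would let a reader verify the invariant at this site.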