* [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener
[not found] <20190608114232.8731-1-sashal@kernel.org>
@ 2019-06-08 11:42 ` Sasha Levin
2019-06-10 9:00 ` Jan Kara
0 siblings, 1 reply; 2+ messages in thread
From: Sasha Levin @ 2019-06-08 11:42 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jan Kara, syzbot+10007d66ca02b08f0e60, Jens Axboe, Sasha Levin,
linux-block
From: Jan Kara <jack@suse.cz>
[ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ]
Loop module allows calling LOOP_SET_FD while there are other openers of
the loop device. Even exclusive ones. This can lead to weird
consequences such as kernel deadlocks like:
mount_bdev() lo_ioctl()
udf_fill_super()
udf_load_vrs()
sb_set_blocksize() - sets desired block size B
udf_tread()
sb_bread()
__bread_gfp(bdev, block, B)
loop_set_fd()
set_blocksize()
- now __getblk_slow() indefinitely loops because B != bdev
block size
Fix the problem by disallowing LOOP_SET_FD ioctl when there are
exclusive openers of a loop device.
[Deliberately chosen not to CC stable as a user with priviledges to
trigger this race has other means of taking the system down and this
has a potential of breaking some weird userspace setup]
Reported-and-tested-by: syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/loop.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index f1e63eb7cbca..a443910f5d6f 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -920,9 +920,20 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
if (!file)
goto out;
+ /*
+ * If we don't hold exclusive handle for the device, upgrade to it
+ * here to avoid changing device under exclusive owner.
+ */
+ if (!(mode & FMODE_EXCL)) {
+ bdgrab(bdev);
+ error = blkdev_get(bdev, mode | FMODE_EXCL, loop_set_fd);
+ if (error)
+ goto out_putf;
+ }
+
error = mutex_lock_killable(&loop_ctl_mutex);
if (error)
- goto out_putf;
+ goto out_bdev;
error = -EBUSY;
if (lo->lo_state != Lo_unbound)
@@ -986,10 +997,15 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
mutex_unlock(&loop_ctl_mutex);
if (partscan)
loop_reread_partitions(lo, bdev);
+ if (!(mode & FMODE_EXCL))
+ blkdev_put(bdev, mode | FMODE_EXCL);
return 0;
out_unlock:
mutex_unlock(&loop_ctl_mutex);
+out_bdev:
+ if (!(mode & FMODE_EXCL))
+ blkdev_put(bdev, mode | FMODE_EXCL);
out_putf:
fput(file);
out:
--
2.20.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener Sasha Levin
@ 2019-06-10 9:00 ` Jan Kara
0 siblings, 0 replies; 2+ messages in thread
From: Jan Kara @ 2019-06-10 9:00 UTC (permalink / raw)
To: Sasha Levin
Cc: linux-kernel, stable, Jan Kara, syzbot+10007d66ca02b08f0e60,
Jens Axboe, linux-block
On Sat 08-06-19 07:42:03, Sasha Levin wrote:
> From: Jan Kara <jack@suse.cz>
>
> [ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ]
The same as for 5.1 - please don't merge to stable.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-10 9:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20190608114232.8731-1-sashal@kernel.org>
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener Sasha Levin
2019-06-10 9:00 ` Jan Kara
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).