From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>,
syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener
Date: Sat, 8 Jun 2019 07:42:03 -0400 [thread overview]
Message-ID: <20190608114232.8731-22-sashal@kernel.org> (raw)
In-Reply-To: <20190608114232.8731-1-sashal@kernel.org>
From: Jan Kara <jack@suse.cz>
[ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ]
Loop module allows calling LOOP_SET_FD while there are other openers of
the loop device. Even exclusive ones. This can lead to weird
consequences such as kernel deadlocks like:
mount_bdev()                            lo_ioctl()
  udf_fill_super()
    udf_load_vrs()
      sb_set_blocksize() - sets desired block size B
      udf_tread()
        sb_bread()
          __bread_gfp(bdev, block, B)
                                          loop_set_fd()
                                            set_blocksize()
            - now __getblk_slow() indefinitely loops because B != bdev
              block size
Fix the problem by disallowing LOOP_SET_FD ioctl when there are
exclusive openers of a loop device.
[Deliberately chosen not to CC stable as a user with privileges to
trigger this race has other means of taking the system down and this
has a potential of breaking some weird userspace setup]
Reported-and-tested-by: syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/loop.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index f1e63eb7cbca..a443910f5d6f 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -920,9 +920,20 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
if (!file)
goto out;
+ /*
+ * If we don't hold exclusive handle for the device, upgrade to it
+ * here to avoid changing device under exclusive owner.
+ */
+ if (!(mode & FMODE_EXCL)) {
+ bdgrab(bdev);
+ error = blkdev_get(bdev, mode | FMODE_EXCL, loop_set_fd);
+ if (error)
+ goto out_putf;
+ }
+
error = mutex_lock_killable(&loop_ctl_mutex);
if (error)
- goto out_putf;
+ goto out_bdev;
error = -EBUSY;
if (lo->lo_state != Lo_unbound)
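Review bot: the `goto out_putf` after a failed `blkdev_get()` is correct only because blkdev_get() drops the reference taken by `bdgrab(bdev)` when it fails, and nothing in the hunk says so; a one-line comment beside `bdgrab(bdev);` noting that the reference is consumed by blkdev_get() on both success and failure would stop the next reader from adding a spurious bdput(). Two further things worth recording in the comment block above the `if (!(mode & FMODE_EXCL))`: the exclusive claim is taken before `mutex_lock_killable(&loop_ctl_mutex)`, so this path nests bd_mutex outside loop_ctl_mutex and every other path that nests the two (the block open/release callbacks run under bd_mutex) must keep that order or this trades one deadlock for an ABBA one; and because the holder passed is the shared `loop_set_fd` token, two concurrent LOOP_SET_FD callers can both obtain the claim, so mutual exclusion between them still comes from the `lo->lo_state != Lo_unbound` check under loop_ctl_mutex, not from the exclusive open. The claim only fences out openers with a different holder (a mounted filesystem, for example), which is the case the changelog targets.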
@@ -986,10 +997,15 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
mutex_unlock(&loop_ctl_mutex);
if (partscan)
loop_reread_partitions(lo, bdev);
+ if (!(mode & FMODE_EXCL))
+ blkdev_put(bdev, mode | FMODE_EXCL);
return 0;
out_unlock:
mutex_unlock(&loop_ctl_mutex);
+out_bdev:
+ if (!(mode & FMODE_EXCL))
+ blkdev_put(bdev, mode | FMODE_EXCL);
out_putf:
fput(file);
out:
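Review bot: the `if (!(mode & FMODE_EXCL)) blkdev_put(bdev, mode | FMODE_EXCL);` pair now appears twice, once before `return 0;` and once at `out_bdev:`; the success path could fall through to the same tail and return `error` (0 there) so the put exists in one place and cannot drift if the mode handling changes later. More important for this series: once the temporary exclusive handle is taken, LOOP_SET_FD fails with the blkdev_get() error whenever another exclusive opener already holds the device, which is a userspace-visible behaviour change. The changelog says the author deliberately did not CC stable for exactly that reason, so picking it via AUTOSEL for 4.19 contradicts the stated intent and needs an explicit ack from the author before it enters the stable queue.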
--
2.20.1
Thread overview: 41+ messages
2019-06-08 11:41 [PATCH AUTOSEL 4.19 01/49] iio: dac: ds4422/ds4424 fix chip verification Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 02/49] iio: adc: ti-ads8688: fix timestamp is not updated in buffer Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 03/49] Staging: vc04_services: Fix a couple error codes Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 04/49] perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 05/49] netfilter: nf_queue: fix reinject verdict handling Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 06/49] ipvs: Fix use-after-free in ip_vs_in Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 07/49] selftests: netfilter: missing error check when setting up veth interface Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 08/49] clk: ti: clkctrl: Fix clkdm_clk handling Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 09/49] powerpc/powernv: Return for invalid IMC domain Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 10/49] usb: xhci: Fix a potential null pointer dereference in xhci_debugfs_create_endpoint() Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 11/49] mISDN: make sure device name is NUL terminated Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 12/49] x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 13/49] perf/ring_buffer: Fix exposing a temporarily decreased data_head Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 14/49] perf/ring_buffer: Add ordering to rb->nest increment Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 15/49] perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 16/49] gpio: fix gpio-adp5588 build errors Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 17/49] efi/x86/Add missing error handling to old_memmap 1:1 mapping code Sasha Levin
2019-06-09 18:14 ` Ard Biesheuvel
2019-06-19 20:58 ` Sasha Levin
2019-06-08 11:41 ` [PATCH AUTOSEL 4.19 18/49] net: stmmac: update rx tail pointer register to fix rx dma hang issue Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 19/49] net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE() Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 20/49] ACPI/PCI: PM: Add missing wakeup.flags.valid checks Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 21/49] PCI: PM: Avoid possible suspend-to-idle issue Sasha Levin
2019-06-08 11:42 ` Sasha Levin [this message]
2019-06-10 9:00 ` [PATCH AUTOSEL 4.19 22/49] loop: Don't change loop device under exclusive opener Jan Kara
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 23/49] drm/etnaviv: lock MMU while dumping core Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 24/49] net: aquantia: tx clean budget logic error Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 25/49] net: aquantia: fix LRO with FCS error Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 26/49] i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 27/49] i2c: mlxcpld: Fix wrong initialization order in probe Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 28/49] ALSA: hda - Force polling mode on CNL for fixing codec communication Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 29/49] configfs: Fix use-after-free when accessing sd->s_dentry Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 30/49] perf data: Fix 'strncat may truncate' build failure with recent gcc Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 31/49] perf namespace: Protect reading thread's namespace Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 32/49] perf record: Fix s390 missing module symbol and warning for non-root users Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 33/49] ia64: fix build errors by exporting paddr_to_nid() Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 34/49] xen/pvcalls: Remove set but not used variable Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 35/49] xenbus: Avoid deadlock during suspend due to open transactions Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 36/49] KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 37/49] KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu Sasha Levin
2019-06-08 11:42 ` [PATCH AUTOSEL 4.19 38/49] arm64: fix syscall_fn_t type Sasha Levin