1 From 310ca162d779efee8a2dc3731439680f3e9c1e86 Mon Sep 17 00:00:00 2001
2 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
3 Date: Thu, 8 Nov 2018 14:01:02 +0100
4 Subject: block/loop: Use global lock for ioctl() operation.
6 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
8 commit 310ca162d779efee8a2dc3731439680f3e9c1e86 upstream.
10 syzbot is reporting NULL pointer dereference [1] which is caused by
11 race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus
12 ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other
13 loop devices at loop_validate_file() without holding corresponding
14 lo->lo_ctl_mutex locks.
16 Since ioctl() request on loop devices is not frequent operation, we don't
17 need fine grained locking. Let's use global lock in order to allow safe
18 traversal at loop_validate_file().
20 Note that syzbot is also reporting circular locking dependency between
21 bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling
22 blkdev_reread_part() with lock held. This patch does not address it.
24 [1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3
25 [2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889
27 Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
28 Reported-by: syzbot <syzbot+bf89c128e05dd6c62523@syzkaller.appspotmail.com>
29 Reviewed-by: Jan Kara <jack@suse.cz>
30 Signed-off-by: Jan Kara <jack@suse.cz>
31 Signed-off-by: Jens Axboe <axboe@kernel.dk>
32 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
35 drivers/block/loop.c | 42 +++++++++++++++++++++---------------------
36 drivers/block/loop.h | 1 -
37 2 files changed, 21 insertions(+), 22 deletions(-)
39 --- a/drivers/block/loop.c
40 +++ b/drivers/block/loop.c
43 static DEFINE_IDR(loop_index_idr);
44 static DEFINE_MUTEX(loop_index_mutex);
45 +static DEFINE_MUTEX(loop_ctl_mutex);
48 static int part_shift;
49 @@ -1044,7 +1045,7 @@ static int loop_clr_fd(struct loop_devic
51 if (atomic_read(&lo->lo_refcnt) > 1) {
52 lo->lo_flags |= LO_FLAGS_AUTOCLEAR;
53 - mutex_unlock(&lo->lo_ctl_mutex);
54 + mutex_unlock(&loop_ctl_mutex);
58 @@ -1093,12 +1094,12 @@ static int loop_clr_fd(struct loop_devic
60 lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN;
61 loop_unprepare_queue(lo);
62 - mutex_unlock(&lo->lo_ctl_mutex);
63 + mutex_unlock(&loop_ctl_mutex);
65 - * Need not hold lo_ctl_mutex to fput backing file.
66 - * Calling fput holding lo_ctl_mutex triggers a circular
67 + * Need not hold loop_ctl_mutex to fput backing file.
68 + * Calling fput holding loop_ctl_mutex triggers a circular
69 * lock dependency possibility warning as fput can take
70 - * bd_mutex which is usually taken before lo_ctl_mutex.
71 + * bd_mutex which is usually taken before loop_ctl_mutex.
75 @@ -1361,7 +1362,7 @@ static int lo_ioctl(struct block_device
76 struct loop_device *lo = bdev->bd_disk->private_data;
79 - mutex_lock_nested(&lo->lo_ctl_mutex, 1);
80 + mutex_lock_nested(&loop_ctl_mutex, 1);
83 err = loop_set_fd(lo, mode, bdev, arg);
84 @@ -1370,7 +1371,7 @@ static int lo_ioctl(struct block_device
85 err = loop_change_fd(lo, bdev, arg);
88 - /* loop_clr_fd would have unlocked lo_ctl_mutex on success */
89 + /* loop_clr_fd would have unlocked loop_ctl_mutex on success */
90 err = loop_clr_fd(lo);
93 @@ -1406,7 +1407,7 @@ static int lo_ioctl(struct block_device
95 err = lo->ioctl ? lo->ioctl(lo, cmd, arg) : -EINVAL;
97 - mutex_unlock(&lo->lo_ctl_mutex);
98 + mutex_unlock(&loop_ctl_mutex);
102 @@ -1539,16 +1540,16 @@ static int lo_compat_ioctl(struct block_
105 case LOOP_SET_STATUS:
106 - mutex_lock(&lo->lo_ctl_mutex);
107 + mutex_lock(&loop_ctl_mutex);
108 err = loop_set_status_compat(
109 lo, (const struct compat_loop_info __user *) arg);
110 - mutex_unlock(&lo->lo_ctl_mutex);
111 + mutex_unlock(&loop_ctl_mutex);
113 case LOOP_GET_STATUS:
114 - mutex_lock(&lo->lo_ctl_mutex);
115 + mutex_lock(&loop_ctl_mutex);
116 err = loop_get_status_compat(
117 lo, (struct compat_loop_info __user *) arg);
118 - mutex_unlock(&lo->lo_ctl_mutex);
119 + mutex_unlock(&loop_ctl_mutex);
121 case LOOP_SET_CAPACITY:
123 @@ -1592,7 +1593,7 @@ static void __lo_release(struct loop_dev
124 if (atomic_dec_return(&lo->lo_refcnt))
127 - mutex_lock(&lo->lo_ctl_mutex);
128 + mutex_lock(&loop_ctl_mutex);
129 if (lo->lo_flags & LO_FLAGS_AUTOCLEAR) {
131 * In autoclear mode, stop the loop thread
132 @@ -1609,7 +1610,7 @@ static void __lo_release(struct loop_dev
136 - mutex_unlock(&lo->lo_ctl_mutex);
137 + mutex_unlock(&loop_ctl_mutex);
140 static void lo_release(struct gendisk *disk, fmode_t mode)
141 @@ -1655,10 +1656,10 @@ static int unregister_transfer_cb(int id
142 struct loop_device *lo = ptr;
143 struct loop_func_table *xfer = data;
145 - mutex_lock(&lo->lo_ctl_mutex);
146 + mutex_lock(&loop_ctl_mutex);
147 if (lo->lo_encryption == xfer)
148 loop_release_xfer(lo);
149 - mutex_unlock(&lo->lo_ctl_mutex);
150 + mutex_unlock(&loop_ctl_mutex);
154 @@ -1820,7 +1821,6 @@ static int loop_add(struct loop_device *
156 disk->flags |= GENHD_FL_NO_PART_SCAN;
157 disk->flags |= GENHD_FL_EXT_DEVT;
158 - mutex_init(&lo->lo_ctl_mutex);
159 atomic_set(&lo->lo_refcnt, 0);
161 spin_lock_init(&lo->lo_lock);
162 @@ -1933,19 +1933,19 @@ static long loop_control_ioctl(struct fi
163 ret = loop_lookup(&lo, parm);
166 - mutex_lock(&lo->lo_ctl_mutex);
167 + mutex_lock(&loop_ctl_mutex);
168 if (lo->lo_state != Lo_unbound) {
170 - mutex_unlock(&lo->lo_ctl_mutex);
171 + mutex_unlock(&loop_ctl_mutex);
174 if (atomic_read(&lo->lo_refcnt) > 0) {
176 - mutex_unlock(&lo->lo_ctl_mutex);
177 + mutex_unlock(&loop_ctl_mutex);
180 lo->lo_disk->private_data = NULL;
181 - mutex_unlock(&lo->lo_ctl_mutex);
182 + mutex_unlock(&loop_ctl_mutex);
183 idr_remove(&loop_index_idr, lo->lo_number);
186 --- a/drivers/block/loop.h
187 +++ b/drivers/block/loop.h
188 @@ -55,7 +55,6 @@ struct loop_device {
192 - struct mutex lo_ctl_mutex;
193 struct kthread_worker worker;
194 struct task_struct *worker_task;
projects / thirdparty / kernel / stable-queue.git / blob