4.9-stable patches

added patches:
	loop-fix-concurrent-lo_open-lo_release.patch

diff --git a/queue-4.9/loop-fix-concurrent-lo_open-lo_release.patch b/queue-4.9/loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644 (file)
index 0000000..b57d9dd
--- /dev/null
+++ b/queue-4.9/loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,57 @@
+From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1558,9 +1558,8 @@ out:
+       return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+-      struct loop_device *lo = disk->private_data;
+       int err;
+ 
+       if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1586,6 +1585,13 @@ static void lo_release(struct gendisk *d
+       mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++      mutex_lock(&loop_index_mutex);
++      __lo_release(disk->private_data);
++      mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+       .owner =        THIS_MODULE,
+       .open =         lo_open,