From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 31 Jan 2018 16:49:32 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.115~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cea261c7ce0548e8461ff5c8e009084fb709ae99;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	loop-fix-concurrent-lo_open-lo_release.patch
---

diff --git a/queue-4.14/loop-fix-concurrent-lo_open-lo_release.patch b/queue-4.14/loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 00000000000..f5577433c3e
--- /dev/null
+++ b/queue-4.14/loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,57 @@
+From ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
+
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1576,9 +1576,8 @@ out:
+ 	return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
++static void __lo_release(struct loop_device *lo)
+ {
+-	struct loop_device *lo = disk->private_data;
+ 	int err;
+ 
+ 	if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1605,6 +1604,13 @@ static void lo_release(struct gendisk *d
+ 	mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
++static void lo_release(struct gendisk *disk, fmode_t mode)
++{
++	mutex_lock(&loop_index_mutex);
++	__lo_release(disk->private_data);
++	mutex_unlock(&loop_index_mutex);
++}
++
+ static const struct block_device_operations lo_fops = {
+ 	.owner =	THIS_MODULE,
+ 	.open =		lo_open,