queue-4.19/loop-don-t-change-loop-device-under-exclusive-opener.patch

   1 From 2d0a678f24f1debfa1de9f64648876ac41e2cd25 Mon Sep 17 00:00:00 2001
   2 From: Jan Kara <jack@suse.cz>
   3 Date: Thu, 16 May 2019 16:01:27 +0200
   4 Subject: loop: Don't change loop device under exclusive opener
   5
   6 [ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ]
   7
   8 Loop module allows calling LOOP_SET_FD while there are other openers of
   9 the loop device. Even exclusive ones. This can lead to weird
  10 consequences such as kernel deadlocks like:
  11
  12 mount_bdev()                            lo_ioctl()
  13   udf_fill_super()
  14     udf_load_vrs()
  15       sb_set_blocksize() - sets desired block size B
  16       udf_tread()
  17         sb_bread()
  18           __bread_gfp(bdev, block, B)
  19                                           loop_set_fd()
  20                                             set_blocksize()
  21             - now __getblk_slow() indefinitely loops because B != bdev
  22               block size
  23
  24 Fix the problem by disallowing LOOP_SET_FD ioctl when there are
  25 exclusive openers of a loop device.
  26
  27 [Deliberately chosen not to CC stable as a user with priviledges to
  28 trigger this race has other means of taking the system down and this
  29 has a potential of breaking some weird userspace setup]
  30
  31 Reported-and-tested-by: syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com
  32 Signed-off-by: Jan Kara <jack@suse.cz>
  33 Signed-off-by: Jens Axboe <axboe@kernel.dk>
  34 Signed-off-by: Sasha Levin <sashal@kernel.org>
  35 ---
  36  drivers/block/loop.c | 18 +++++++++++++++++-
  37  1 file changed, 17 insertions(+), 1 deletion(-)
  38
  39 diff --git a/drivers/block/loop.c b/drivers/block/loop.c
  40 index f1e63eb7cbca..a443910f5d6f 100644
  41 --- a/drivers/block/loop.c
  42 +++ b/drivers/block/loop.c
  43 @@ -920,9 +920,20 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
  44         if (!file)
  45                 goto out;
  46
  47 +       /*
  48 +        * If we don't hold exclusive handle for the device, upgrade to it
  49 +        * here to avoid changing device under exclusive owner.
  50 +        */
  51 +       if (!(mode & FMODE_EXCL)) {
  52 +               bdgrab(bdev);
  53 +               error = blkdev_get(bdev, mode | FMODE_EXCL, loop_set_fd);
  54 +               if (error)
  55 +                       goto out_putf;
  56 +       }
  57 +
  58         error = mutex_lock_killable(&loop_ctl_mutex);
  59         if (error)
  60 -               goto out_putf;
  61 +               goto out_bdev;
  62
  63         error = -EBUSY;
  64         if (lo->lo_state != Lo_unbound)
  65 @@ -986,10 +997,15 @@ static int loop_set_fd(struct loop_device *lo, fmode_t mode,
  66         mutex_unlock(&loop_ctl_mutex);
  67         if (partscan)
  68                 loop_reread_partitions(lo, bdev);
  69 +       if (!(mode & FMODE_EXCL))
  70 +               blkdev_put(bdev, mode | FMODE_EXCL);
  71         return 0;
  72
  73  out_unlock:
  74         mutex_unlock(&loop_ctl_mutex);
  75 +out_bdev:
  76 +       if (!(mode & FMODE_EXCL))
  77 +               blkdev_put(bdev, mode | FMODE_EXCL);
  78  out_putf:
  79         fput(file);
  80  out:
  81 --
  82 2.20.1
  83