diff options
author | Jan Kara | 2019-05-16 16:01:27 +0200 |
---|---|---|
committer | Jens Axboe | 2019-05-27 15:34:04 +0200 |
commit | 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 (patch) | |
tree | c6f6599a2a13a0bf456854d291a942cc5297e090 /drivers/memory/emif-asm-offsets.c | |
parent | io_uring: Fix __io_uring_register() false success (diff) | |
download | kernel-qcow2-linux-33ec3e53e7b1869d7851e59e126bdb0fe0bd1982.tar.gz kernel-qcow2-linux-33ec3e53e7b1869d7851e59e126bdb0fe0bd1982.tar.xz kernel-qcow2-linux-33ec3e53e7b1869d7851e59e126bdb0fe0bd1982.zip |
loop: Don't change loop device under exclusive opener
Loop module allows calling LOOP_SET_FD while there are other openers of
the loop device. Even exclusive ones. This can lead to weird
consequences such as kernel deadlocks like:
mount_bdev() lo_ioctl()
udf_fill_super()
udf_load_vrs()
sb_set_blocksize() - sets desired block size B
udf_tread()
sb_bread()
__bread_gfp(bdev, block, B)
loop_set_fd()
set_blocksize()
- now __getblk_slow() indefinitely loops because B != bdev
block size
Fix the problem by disallowing LOOP_SET_FD ioctl when there are
exclusive openers of a loop device.
[Deliberately chosen not to CC stable as a user with priviledges to
trigger this race has other means of taking the system down and this
has a potential of breaking some weird userspace setup]
Reported-and-tested-by: syzbot+10007d66ca02b08f0e60@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'drivers/memory/emif-asm-offsets.c')
0 files changed, 0 insertions, 0 deletions