[PATCH openEuler-1.0-LTS 1/2] Revert "loop: loop_set_status_from_info() check before assignment"

19 Apr 2025

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IC2E65
CVE: NA

--------------------------------

This reverts commit 91a08b4503ba71c1835e3f3290ac5019a69b3de5.

This patch did not correctly fix the issue that the original community
patch was intended to address, and instead introduced a new UAF problem.

The patch should be reverted, and the community fix patch will be
reapplied in the next patch.

Fixes: 91a08b4503ba ("loop: loop_set_status_from_info() check before assignment")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
---
 drivers/block/loop.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 692c63882686..d1d6aeaa81a7 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1283,15 +1283,13 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
 				lo->lo_device->bd_inode->i_mapping->nrpages);
 			goto out_unfreeze;
 		}
-
-		/* Avoid assigning overflow values */
-		if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX)
-			return -EOVERFLOW;
-
 		if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) {
 			err = -EFBIG;
 			goto out_unfreeze;
 		}
+		/* loff_t vars have been assigned __u64 */
+		if (lo->lo_offset < 0 || lo->lo_sizelimit < 0)
+			return -EOVERFLOW;
 	}
 
 	loop_config_discard(lo);
-- 
2.39.2

    