hulk inclusion
category: bugfix
bugzilla: 189922, https://gitee.com/openeuler/kernel/issues/I9PXKA
CVE: NA
--------------------------------
The current implementation of partitions for loop has several issues. 'loop_device' is at the gendisk level, but it uses 'lo_device' to store block_device. A gendisk can have multiple block_devices, and 'lo_device' can be set to any one of them through loop_configure().
This usage can lead to a null-ptr-deref issue. If 'lo_device' is set to a block_device of a partition, this partition is closed and 'bd_openers' is decremented to 0, the 'bd_disk' of that block_device will be set to NULL in __blkdev_put(). In this case, accessing 'lo_device->bd_disk' will trigger the issue. The problem can be reproduced as follows:
1. create loop device loop0 and create a partition loop0p1.
2. submit the ioctl LOOP_CLR_FD by loop0.
3. submit the ioctl LOOP_SET_FD by loop0p1.
4. submit ioctl such as LOOP_SET_STATUS by loop0.
Fix it by using 'lo->lo_disk' instead of 'lo->lo_device->bd_disk' for kobject_uevent().
Fixes: c01a21b77722 ("loop: Fix occasional uevent drop")
Fixes: c3473c63542d ("generate "change" uevent for loop device")
Signed-off-by: Li Nan linan122@huawei.com
---
 drivers/block/loop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c index c64b22ce2bec..8eefd1462c3f 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -243,7 +243,7 @@ static void loop_set_size(struct loop_device *lo, loff_t size) bd_set_nr_sectors(bdev, size);
if (!set_capacity_revalidate_and_notify(lo->lo_disk, size, false)) - kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); + kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE); }
static inline int @@ -1250,7 +1250,7 @@ static int __loop_clr_fd(struct loop_device *lo, bool release) if (bdev) { bd_set_nr_sectors(bdev, 0); /* let user-space know about this change */ - kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE); + kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE); } mapping_set_gfp_mask(filp->f_mapping, gfp); /* This is safe: open() is still holding a reference. */
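Review bot: in the loop_set_size() hunk, the unchanged context line bd_set_nr_sectors(bdev, size) still acts on bdev while only the kobject_uevent() call moves to lo->lo_disk. The assignment of bdev is outside the visible context, but if it is lo->lo_device then, in the scenario the commit message describes, it can be a partition's block_device, so the sector count would be written to the partition while the capacity and the uevent go to the whole disk. Please either note in the commit message that this mismatch is handled separately, or make both calls refer to the same disk-level object.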
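Review bot: in the __loop_clr_fd() hunk, the new kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE) no longer reads bdev but still sits inside the if (bdev) { ... } guard, so user space receives no change event when bdev is NULL. If that is intended, a one-line comment saying so would help; otherwise the uevent can move out of the guard and only bd_set_nr_sectors(bdev, 0) needs to stay under it. The commit message also says the loop partition handling "has several issues" while the patch changes only the two uevent call sites; step 3 of the reproducer (LOOP_SET_FD by loop0p1) can still store a partition's block_device in lo_device, so it is worth stating which remaining uses of lo_device are left for follow-up patches.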
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/7729 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/U...