From patchwork Mon Jan 29 16:16:11 2018
X-Patchwork-Submitter: Kleber Sacilotto de Souza
X-Patchwork-Id: 867188
From: Kleber Sacilotto de Souza
To: kernel-team@lists.ubuntu.com
Subject: [SRU][X][A][B][PATCH 1/1] loop: fix concurrent lo_open/lo_release
Date: Mon, 29 Jan 2018 17:16:11 +0100
Message-Id: <20180129161611.11275-3-kleber.souza@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180129161611.11275-1-kleber.souza@canonical.com>
References: <20180129161611.11275-1-kleber.souza@canonical.com>
List-Id: Kernel team discussions
From: Linus Torvalds CVE-2018-5344 范龙飞 reports that KASAN can report a use-after-free in __lock_acquire. The reason is due to insufficient serialization in lo_release(), which will continue to use the loop device even after it has decremented the lo_refcnt to zero. In the meantime, another process can come in, open the loop device again as it is being shut down. Confusion ensues. Reported-by: 范龙飞 Signed-off-by: Linus Torvalds Signed-off-by: Jens Axboe (cherry picked from commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5) Signed-off-by: Kleber Sacilotto de Souza --- drivers/block/loop.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index bc8e61506968..d5fe720cf149 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1581,9 +1581,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode) return err; } -static void lo_release(struct gendisk *disk, fmode_t mode) +static void __lo_release(struct loop_device *lo) { - struct loop_device *lo = disk->private_data; int err; if (atomic_dec_return(&lo->lo_refcnt)) @@ -1610,6 +1609,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode) mutex_unlock(&lo->lo_ctl_mutex); } +static void lo_release(struct gendisk *disk, fmode_t mode) +{ + mutex_lock(&loop_index_mutex); + __lo_release(disk->private_data); + mutex_unlock(&loop_index_mutex); +} + static const struct block_device_operations lo_fops = { .owner = THIS_MODULE, .open = lo_open,
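Review bot: in the first hunk, `__lo_release()` now depends on its caller holding loop_index_mutex, but nothing in the function records that requirement. Add `lockdep_assert_held(&loop_index_mutex);` right after `int err;`, or at least a comment above `static void __lo_release(struct loop_device *lo)` stating that it must be called with loop_index_mutex held, so a future caller cannot reintroduce the unserialized path. Keeping the `if (atomic_dec_return(&lo->lo_refcnt))` early return unchanged is right: the point of the split is that the decrement and everything that follows it now sit under one lock rather than only the decrement being atomic.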
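Review bot: in the second hunk, the new `lo_release()` takes loop_index_mutex and then, inside `__lo_release()`, lo->lo_ctl_mutex (the `mutex_unlock(&lo->lo_ctl_mutex);` context line shows that lock is held in the body), so the fix also pins a lock order of loop_index_mutex before lo_ctl_mutex. Before applying to each of the three series, confirm that no path in those trees takes the two in the opposite order, and that `lo_open()` in each tree really brackets its `lo_refcnt` increment with loop_index_mutex; the hunk only shows the closing `return err; }` of `lo_open()`, and holding the mutex in release alone excludes nothing if the opener uses a different lock or none. It is also worth a sentence in the SRU justification that one global mutex now serializes the final close of every loop device, since `disk->private_data` is resolved and the whole teardown runs under it.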
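The race the commit message describes, and the serialization the patch adds, as an added single-threaded model in C; this is example code written for this page, not kernel code or anything from the patch. The names `lo_refcnt`, `lo_ctl_mutex`, `loop_index_mutex` and `__lo_release` mirror drivers/block/loop.c, but `struct model_mutex`, `racing_lo_open`, `run_last_close`, `struct race_outcome` and the `torn_down`/`torn_down_with_users` fields are constructed for the model. The "other process" is driven deterministically in the window between the decrement to zero and the rest of release: before the fix nothing stops it, after the fix it has to take loop_index_mutex first and would block until release is finished (the model reports that as -EBUSY instead of blocking).

```c
/*
 * Added example, not kernel code: a deterministic model of the
 * lo_open()/lo_release() race and of the fix.  Mutexes are small atomic_flag
 * locks so one thread can drive the exact interleaving that matters.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Non-recursive lock: trylock fails while anyone, including the caller, holds it. */
struct model_mutex { atomic_flag taken; };

static void model_lock(struct model_mutex *m)
{
    while (atomic_flag_test_and_set(&m->taken)) { }  /* never contended here */
}

static int model_trylock(struct model_mutex *m)
{
    return atomic_flag_test_and_set(&m->taken) ? -EBUSY : 0;
}

static void model_unlock(struct model_mutex *m)
{
    atomic_flag_clear(&m->taken);
}

struct loop_device {
    atomic_int lo_refcnt;
    struct model_mutex lo_ctl_mutex;
    bool torn_down;             /* the work lo_release() does once lo_refcnt hits 0 */
    int torn_down_with_users;   /* teardown ran while lo_refcnt != 0: the bug */
};

static struct model_mutex loop_index_mutex = { ATOMIC_FLAG_INIT };

struct race_outcome {
    int opener_rc;              /* 0: second open got in; -EBUSY: it had to wait */
    int torn_down_with_users;
    int final_refcnt;
};

/* A second process opening the device while the first is inside lo_release().
 * With the fix it must take loop_index_mutex, which release is holding, so the
 * real opener would block; the model reports that as -EBUSY. */
static int racing_lo_open(struct loop_device *lo, bool fixed)
{
    if (fixed && model_trylock(&loop_index_mutex) != 0)
        return -EBUSY;
    atomic_fetch_add(&lo->lo_refcnt, 1);
    if (fixed)
        model_unlock(&loop_index_mutex);
    return 0;
}

/* The patch's __lo_release(): drop the reference and, on zero, keep using lo. */
static void __lo_release(struct loop_device *lo, bool fixed, int *opener_rc)
{
    if (atomic_fetch_sub(&lo->lo_refcnt, 1) != 1)
        return;
    /* lo_refcnt is now 0 but release is not finished: this is the window. */
    *opener_rc = racing_lo_open(lo, fixed);

    model_lock(&lo->lo_ctl_mutex);
    if (atomic_load(&lo->lo_refcnt) != 0)
        lo->torn_down_with_users++;     /* a fresh opener holds a ref to what we destroy */
    lo->torn_down = true;
    model_unlock(&lo->lo_ctl_mutex);
}

/* Before the patch: no lock spans the whole release, the opener slips in. */
static void lo_release_unfixed(struct loop_device *lo, int *opener_rc)
{
    __lo_release(lo, false, opener_rc);
}

/* After the patch: the lock lo_open() takes is held across the decrement and
 * everything that follows it. */
static void lo_release_fixed(struct loop_device *lo, int *opener_rc)
{
    model_lock(&loop_index_mutex);
    __lo_release(lo, true, opener_rc);
    model_unlock(&loop_index_mutex);
}

/* Last close of a device with one reference, raced by a second opener. */
static struct race_outcome run_last_close(bool fixed)
{
    struct loop_device lo = { .torn_down = false, .torn_down_with_users = 0 };
    struct race_outcome out = { .opener_rc = 0 };

    atomic_init(&lo.lo_refcnt, 1);
    atomic_flag_clear(&lo.lo_ctl_mutex.taken);

    if (fixed)
        lo_release_fixed(&lo, &out.opener_rc);
    else
        lo_release_unfixed(&lo, &out.opener_rc);

    out.torn_down_with_users = lo.torn_down_with_users;
    out.final_refcnt = atomic_load(&lo.lo_refcnt);
    return out;
}

int main(void)
{
    struct race_outcome before = run_last_close(false);
    struct race_outcome after = run_last_close(true);

    printf("unfixed: opener rc=%d torn_down_with_users=%d refcnt=%d\n",
           before.opener_rc, before.torn_down_with_users, before.final_refcnt);
    printf("fixed:   opener rc=%d torn_down_with_users=%d refcnt=%d\n",
           after.opener_rc, after.torn_down_with_users, after.final_refcnt);
    return 0;
}
```

The unfixed run ends with the device torn down while a reference is outstanding, which is the "confusion" the message refers to; the fixed run ends with the opener excluded until release has completed and a refcount of zero. The discipline the model makes visible is that a refcount reaching zero is only a decision, not a completed release, and every step taken after that decision must sit under the same lock the incrementer takes.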