From patchwork Wed Jan 31 16:48:00 2018
From: Benjamin M Romer
To: kernel-team@lists.ubuntu.com
Subject: [t x z a b][PATCH 1/1] loop: fix concurrent lo_open/lo_release
Date: Wed, 31 Jan 2018 11:48:00 -0500
Message-Id: <20180131164800.20056-2-benjamin.romer@canonical.com>
In-Reply-To: <20180131164800.20056-1-benjamin.romer@canonical.com>
References: <20180131164800.20056-1-benjamin.romer@canonical.com>
X-Patchwork-Id: 868019
X-Mailer: git-send-email 2.14.1
From: Linus Torvalds 范龙飞 reports that KASAN can report a use-after-free in __lock_acquire. The reason is due to insufficient serialization in lo_release(), which will continue to use the loop device even after it has decremented the lo_refcnt to zero. In the meantime, another process can come in, open the loop device again as it is being shut down. Confusion ensues. Reported-by: 范龙飞 Signed-off-by: Linus Torvalds Signed-off-by: Jens Axboe CVE-2018-5344 (cherry picked from commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5) Signed-off-by: Benjamin M Romer --- drivers/block/loop.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 7cfc35ef879f..5e643357dbe4 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -1624,9 +1624,8 @@ out: return err; } -static void lo_release(struct gendisk *disk, fmode_t mode) +static void __lo_release(struct loop_device *lo) { - struct loop_device *lo = disk->private_data; int err; if (atomic_dec_return(&lo->lo_refcnt)) @@ -1652,6 +1651,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode) mutex_unlock(&lo->lo_ctl_mutex); } +static void lo_release(struct gendisk *disk, fmode_t mode) +{ + mutex_lock(&loop_index_mutex); + __lo_release(disk->private_data); + mutex_unlock(&loop_index_mutex); +} + static const struct block_device_operations lo_fops = { .owner = THIS_MODULE, .open = lo_open,
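Review bot: in the first hunk, __lo_release now depends on its caller holding loop_index_mutex, but nothing in the function records or enforces that precondition; the decrement in `if (atomic_dec_return(&lo->lo_refcnt))` is only safe against a racing lo_open while that mutex is held, so add `lockdep_assert_held(&loop_index_mutex);` as the first statement of __lo_release (or at minimum a comment stating the requirement), so that any future caller which bypasses the new wrapper is caught by lockdep instead of silently reintroducing the use-after-free the commit message describes.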
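Review bot: the new lo_release wrapper in the second hunk holds loop_index_mutex across the whole of __lo_release, which itself takes and drops lo->lo_ctl_mutex (see the `mutex_unlock(&lo->lo_ctl_mutex);` in the hunk's leading context), so this change fixes the lock order as loop_index_mutex before lo_ctl_mutex for the release path; the submission should state that no other path in loop.c acquires these two in the opposite order, and a one-line comment above lo_release documenting the ordering would make the constraint visible to the next change rather than leaving it implied by the wrapper.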