linux/drivers/block
Anatol Pomozov c1681bf8a7 loop: prevent bdev freeing while device in use
struct block_device lifecycle is defined by its inode (see fs/block_dev.c) -
block_device allocated first time we access /dev/loopXX and deallocated on
bdev_destroy_inode. When we create the device "losetup /dev/loopXX afile"
we want that block_device stay alive until we destroy the loop device
with "losetup -d".

But because we do not hold /dev/loopXX inode its counter goes 0, and
inode/bdev can be destroyed at any moment. Usually it happens at memory
pressure or when user drops inode cache (like in the test below). When later in
loop_clr_fd() we want to use bdev we have use-after-free error with following
stack:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000280
  bd_set_size+0x10/0xa0
  loop_clr_fd+0x1f8/0x420 [loop]
  lo_ioctl+0x200/0x7e0 [loop]
  lo_compat_ioctl+0x47/0xe0 [loop]
  compat_blkdev_ioctl+0x341/0x1290
  do_filp_open+0x42/0xa0
  compat_sys_ioctl+0xc1/0xf20
  do_sys_open+0x16e/0x1d0
  sysenter_dispatch+0x7/0x1a

To prevent use-after-free we need to grab the device in loop_set_fd()
and put it later in loop_clr_fd().

The issue is reprodusible on current Linus head and v3.3. Here is the test:

  dd if=/dev/zero of=loop.file bs=1M count=1
  while [ true ]; do
    losetup /dev/loop0 loop.file
    echo 2 > /proc/sys/vm/drop_caches
    losetup -d /dev/loop0
  done

[ Doing bdgrab/bput in loop_set_fd/loop_clr_fd is safe, because every
  time we call loop_set_fd() we check that loop_device->lo_state is
  Lo_unbound and set it to Lo_bound If somebody will try to set_fd again
  it will get EBUSY.  And if we try to loop_clr_fd() on unbound loop
  device we'll get ENXIO.

  loop_set_fd/loop_clr_fd (and any other loop ioctl) is called under
  loop_device->lo_ctl_mutex. ]

Signed-off-by: Anatol Pomozov <anatol.pomozov@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-04-01 15:48:47 -07:00
..
aoe aoe: reserve enough headroom on skbs 2013-03-28 14:29:47 -04:00
drbd drbd: convert to idr_alloc() 2013-02-27 19:10:15 -08:00
mtip32xx mtip32xx: fix error return code in mtip_pci_probe() 2013-03-22 08:58:23 -06:00
paride drivers/block/paride: remove depends on CONFIG_EXPERIMENTAL 2013-01-21 14:52:42 -08:00
rsxx rsxx: remove unused variable 2013-03-26 14:48:12 -06:00
xen-blkback xen-blkback: don't store dev_bus_addr 2013-03-19 12:50:00 -04:00
amiflop.c fs: move code out of buffer.c 2012-01-03 22:54:07 -05:00
ataflop.c
brd.c block: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:16 +08:00
cciss_cmd.h
cciss_scsi.c cciss: fix handling of protocol error 2012-09-18 11:57:08 +02:00
cciss_scsi.h
cciss.c cciss: fix invalid use of sizeof in cciss_find_cfgtables() 2013-03-22 12:22:49 -06:00
cciss.h
cpqarray.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
cpqarray.h
cryptoloop.c
DAC960.c Merge branch 'for-3.9/drivers' of git://git.kernel.dk/linux-block 2013-02-28 13:16:07 -08:00
DAC960.h
floppy.c floppy: destroy floppy workqueue before cleaning up the queue 2012-11-23 14:32:54 +01:00
hd.c Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
ida_cmd.h
ida_ioctl.h
Kconfig block: IBM RamSan 70/80 branding changes. 2013-03-11 19:53:55 +01:00
loop.c loop: prevent bdev freeing while device in use 2013-04-01 15:48:47 -07:00
Makefile Merge branch 'delete-xt-disk' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux into for-3.9/drivers 2013-02-14 16:29:34 +01:00
mg_disk.c mg_disk: fix error return code in mg_probe() 2013-03-28 09:43:43 -06:00
nbd.c nbd: fix sparse warning 2013-02-27 19:10:22 -08:00
nvme.c Merge git://git.infradead.org/users/willy/linux-nvme 2013-03-22 16:43:53 -07:00
osdblk.c block: Add bio_clone_bioset(), bio_clone_kmalloc() 2012-09-09 10:35:39 +02:00
pktcdvd.c pktcdvd: Switch to bio_kmalloc() 2012-09-09 10:35:39 +02:00
ps3disk.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
ps3vram.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
rbd_types.h rbd: get rid of RBD_MAX_SEG_NAME_LEN 2012-12-17 08:37:29 -06:00
rbd.c rbd: don't zero-fill non-image object requests 2013-03-29 11:32:07 -07:00
smart1,2.h
sunvdc.c sunvdc: Fix off-by-one in generic_request(). 2013-02-14 11:49:01 -08:00
swim3.c drivers/block/swim3.c: fix null pointer dereference 2013-02-22 10:42:46 +01:00
swim_asm.S
swim.c swim: Add missing spinlock init 2013-02-09 14:23:33 +01:00
sx8.c block, sx8: fix pointer math issue getting fw version 2012-03-03 19:44:39 +01:00
umem.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
umem.h
virtio_blk.c Various minor fixes, but a slightly more complex one to fix the per-cpu overload 2013-01-20 16:44:28 -08:00
xen-blkfront.c xen-blkfront: remove frame list from blk_shadow 2013-03-19 12:50:07 -04:00
xsysace.c Drivers: block: remove __dev* attributes. 2013-01-03 15:57:15 -08:00
z2ram.c