linux/drivers/block
Raphael Pinsonneault-Thibeault 08e136ebd1 loop: don't change loop device under exclusive opener in loop_set_status
loop_set_status() is allowed to change the loop device while there
are other openers of the device, even exclusive ones.

In this case, it causes a KASAN: slab-out-of-bounds Read in
ext4_search_dir(), since when looking for an entry in an inlined
directory, e_value_offs is changed underneath the filesystem by
loop_set_status().

Fix the problem by forbidding loop_set_status() from modifying the loop
device while there are exclusive openers of the device. This is similar
to the fix in loop_configure() by commit 33ec3e53e7 ("loop: Don't
change loop device under exclusive opener") alongside commit ecbe6bc000
("block: use bd_prepare_to_claim directly in the loop driver").

Reported-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ee481e21fd75e14c397
Tested-by: syzbot+3ee481e21fd75e14c397@syzkaller.appspotmail.com
Tested-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-01-06 05:30:18 -07:00
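A userspace regression check for the condition the commit message describes, added here as an example; it is not code from the kernel tree or from the patch. It binds a loop device to a scratch backing file, takes a second, exclusive (O_EXCL) open of the block device the way a mounted filesystem holds it, and then issues LOOP_SET_STATUS64 with a changed lo_offset through the non-exclusive descriptor. On a kernel with the fix the ioctl should be refused; that the refusal surfaces as EBUSY is this example's assumption (the commit message only says the change is forbidden), and the backing-file size, the 4096-byte offset and the /tmp path are arbitrary choices. It needs root and loop support, so the pure classification helper is the only part that runs without a real device.

```c
/* Added example, not part of the kernel tree or the patch. Assumes a Linux
 * host with /dev/loop-control, root privileges, and that a refused
 * LOOP_SET_STATUS64 reports EBUSY (an assumption, not stated by the commit). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/loop.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Classify the ioctl outcome: 1 = change refused (post-fix behaviour),
 * 0 = change accepted under an exclusive opener (the bug), -1 = other error. */
int classify_set_status(int rc, int err)
{
	if (rc == 0)
		return 0;
	return err == EBUSY ? 1 : -1;
}

/* Returns the verdict from classify_set_status(), or -1 on setup failure. */
int run_check(void)
{
	char backing[] = "/tmp/loop-excl-XXXXXX";	/* arbitrary scratch path */
	char dev[32];
	int bfd, ctl, lofd = -1, excl, n, rc, err, verdict = -1;
	struct loop_info64 info;

	bfd = mkstemp(backing);
	if (bfd < 0 || ftruncate(bfd, 1 << 20) < 0) {	/* 1 MiB, arbitrary */
		perror("backing file");
		return -1;
	}
	ctl = open("/dev/loop-control", O_RDWR);
	if (ctl < 0) { perror("/dev/loop-control"); goto out_backing; }
	n = ioctl(ctl, LOOP_CTL_GET_FREE);
	close(ctl);
	if (n < 0) { perror("LOOP_CTL_GET_FREE"); goto out_backing; }
	snprintf(dev, sizeof(dev), "/dev/loop%d", n);

	/* Non-exclusive opener that will later try to reconfigure the device. */
	lofd = open(dev, O_RDWR);
	if (lofd < 0 || ioctl(lofd, LOOP_SET_FD, bfd) < 0) {
		perror("LOOP_SET_FD");
		goto out_lofd;
	}

	/* Exclusive opener, standing in for a mounted filesystem on the device. */
	excl = open(dev, O_RDWR | O_EXCL);
	if (excl < 0) { perror("O_EXCL open"); goto out_clr; }

	/* Change the geometry underneath the exclusive holder. */
	memset(&info, 0, sizeof(info));
	info.lo_offset = 4096;
	rc = ioctl(lofd, LOOP_SET_STATUS64, &info);
	err = errno;
	verdict = classify_set_status(rc, err);
	printf("%s: LOOP_SET_STATUS64 under exclusive opener: %s\n", dev,
	       verdict == 1 ? "refused (fixed)" :
	       verdict == 0 ? "accepted (vulnerable)" : strerror(err));
	close(excl);
out_clr:
	ioctl(lofd, LOOP_CLR_FD, 0);
out_lofd:
	if (lofd >= 0)
		close(lofd);
out_backing:
	close(bfd);
	unlink(backing);
	return verdict;
}

int main(void)
{
	return run_check() == 1 ? 0 : 1;
}
```

Run it as root on a kernel before and after the fix: the exit status is 0 only when the reconfiguration attempt is refused while the exclusive opener exists. The backing file is detached and removed on every path so the loop device is left free.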
aoe Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
drbd for-6.19/block-20251201 2025-12-03 19:26:18 -08:00
mtip32xx block: switch ->getgeo() to struct gendisk 2025-08-13 02:59:29 -04:00
null_blk null_blk: fix zone read length beyond write pointer 2025-11-12 10:02:56 -07:00
rnbd block: rnbd-clt: Fix signedness bug in init_dev() 2025-12-20 12:56:48 -07:00
rnull for-6.19/block-20251201 2025-12-03 19:26:18 -08:00
xen-blkback xen/blkback: convert timeouts to secs_to_jiffies() 2025-01-12 20:21:03 -08:00
zram Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
amiflop.c block: switch ->getgeo() to struct gendisk 2025-08-13 02:59:29 -04:00
ataflop.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
brd.c brd: use page reference to protect page lifetime 2025-09-01 08:37:29 -06:00
floppy.c floppy: fix for PAGE_SIZE != 4KB 2025-11-17 08:22:00 -07:00
Kconfig rnull: move driver to separate directory 2025-09-02 05:23:56 -06:00
loop.c loop: don't change loop device under exclusive opener in loop_set_status 2026-01-06 05:30:18 -07:00
Makefile rnull: move driver to separate directory 2025-09-02 05:23:56 -06:00
n64cart.c block: move the nonrot flag to queue_limits 2024-06-19 07:58:28 -06:00
nbd.c for-6.19/block-20251201 2025-12-03 19:26:18 -08:00
ps3disk.c ps3disk: use memcpy_{from,to}_bvec index 2025-11-14 09:10:16 -07:00
ps3vram.c block: pass a queue_limits argument to blk_alloc_disk 2024-02-19 16:58:23 -07:00
rbd_types.h
rbd.c drivers/block: WQ_PERCPU added to alloc_workqueue users 2025-09-09 09:11:31 -06:00
sunvdc.c drivers/block: WQ_PERCPU added to alloc_workqueue users 2025-09-09 09:11:31 -06:00
swim_asm.S
swim.c block: switch ->getgeo() to struct gendisk 2025-08-13 02:59:29 -04:00
swim3.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ublk_drv.c ublk: scan partition in async way 2025-12-28 09:25:26 -07:00
virtio_blk.c virtio_blk: NULL out vqs to avoid double free on failed resume 2025-11-06 16:32:58 -07:00
xen-blkfront.c block: switch ->getgeo() to struct gendisk 2025-08-13 02:59:29 -04:00
z2ram.c block: remove BLK_MQ_F_SHOULD_MERGE 2024-12-23 08:17:23 -07:00
zloop.c zloop: use READ_ONCE() to read lo->lo_state in queue_rq path 2025-12-15 09:32:42 -07:00