[4.19.y,3/9] loop: Remove sector_t truncation checks

Message ID	20240301013028.2293831-4-zhanggenjian@126.com (mailing list archive)
State	New, archived
Headers	show Received: from m16.mail.126.com (m16.mail.126.com [117.135.210.7]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2A24138DC3; Fri, 1 Mar 2024 01:33:09 +0000 (UTC) From: Genjian <zhanggenjian@126.com> To: stable@vger.kernel.org Cc: axboe@kernel.dk, stable@kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhanggenjian123@gmail.com, Martijn Coenen <maco@android.com>, Christoph Hellwig <hch@lst.de>, Genjian Zhang <zhanggenjian@kylinos.cn> Subject: [PATCH 4.19.y 3/9] loop: Remove sector_t truncation checks Date: Fri, 1 Mar 2024 09:30:22 +0800 Message-Id: <20240301013028.2293831-4-zhanggenjian@126.com> In-Reply-To: <20240301013028.2293831-1-zhanggenjian@126.com> References: <20240301013028.2293831-1-zhanggenjian@126.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix the UAF issue caused by the loop driver \| expand [4.19.y,0/9] Fix the UAF issue caused by the loop driver [4.19.y,1/9] Revert "loop: Check for overflow while configuring loop" [4.19.y,2/9] loop: Call loop_config_discard() only after new config is applied [4.19.y,3/9] loop: Remove sector_t truncation checks [4.19.y,4/9] loop: Factor out setting loop device size [4.19.y,5/9] loop: Refactor loop_set_status() size calculation [4.19.y,6/9] loop: properly observe rotational flag of underlying device [4.19.y,7/9] loop: Factor out configuring loop from status [4.19.y,8/9] loop: Check for overflow while configuring loop [4.19.y,9/9] loop: loop_set_status_from_info() check before assignment

Message ID

20240301013028.2293831-4-zhanggenjian@126.com (mailing list archive)

State

New, archived

Headers

From: Genjian <zhanggenjian@126.com>
To: stable@vger.kernel.org
Cc: axboe@kernel.dk,
	stable@kernel.org,
	linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	zhanggenjian123@gmail.com,
	Martijn Coenen <maco@android.com>,
	Christoph Hellwig <hch@lst.de>,
	Genjian Zhang <zhanggenjian@kylinos.cn>
Subject: [PATCH 4.19.y 3/9] loop: Remove sector_t truncation checks
Date: Fri,  1 Mar 2024 09:30:22 +0800
Message-Id: <20240301013028.2293831-4-zhanggenjian@126.com>
In-Reply-To: <20240301013028.2293831-1-zhanggenjian@126.com>
References: <20240301013028.2293831-1-zhanggenjian@126.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix the UAF issue caused by the loop driver | expand

Commit Message

Genjian March 1, 2024, 1:30 a.m. UTC

From: Martijn Coenen <maco@android.com>

[ Upstream commit 083a6a50783ef54256eec3499e6575237e0e3d53 ]

sector_t is now always u64, so we don't need to check for truncation.

Signed-off-by: Martijn Coenen <maco@android.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
---
 drivers/block/loop.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index bd94406b90c9..281aefba2a6f 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -225,24 +225,20 @@  static void __loop_update_dio(struct loop_device *lo, bool dio)
 	blk_mq_unfreeze_queue(lo->lo_queue);
 }
 
-static int
+static void
 figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
 {
 	loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
-	sector_t x = (sector_t)size;
 	struct block_device *bdev = lo->lo_device;
 
-	if (unlikely((loff_t)x != size))
-		return -EFBIG;
 	if (lo->lo_offset != offset)
 		lo->lo_offset = offset;
 	if (lo->lo_sizelimit != sizelimit)
 		lo->lo_sizelimit = sizelimit;
-	set_capacity(lo->lo_disk, x);
+	set_capacity(lo->lo_disk, size);
 	bd_set_size(bdev, (loff_t)get_capacity(bdev->bd_disk) << 9);
 	/* let user-space know about the new size */
 	kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
-	return 0;
 }
 
 static inline int
@@ -972,10 +968,8 @@  static int loop_set_fd(struct loop_device *lo, fmode_t mode,
 	    !file->f_op->write_iter)
 		lo_flags |= LO_FLAGS_READ_ONLY;
 
-	error = -EFBIG;
 	size = get_loop_size(lo, file);
-	if ((loff_t)(sector_t)size != size)
-		goto out_unlock;
+
 	error = loop_prepare_queue(lo);
 	if (error)
 		goto out_unlock;
@@ -1280,10 +1274,7 @@  loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
 				lo->lo_device->bd_inode->i_mapping->nrpages);
 			goto out_unfreeze;
 		}
-		if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit)) {
-			err = -EFBIG;
-			goto out_unfreeze;
-		}
+		figure_loop_size(lo, info->lo_offset, info->lo_sizelimit);
 	}
 
 	memcpy(lo->lo_file_name, info->lo_file_name, LO_NAME_SIZE);
@@ -1486,7 +1477,9 @@  static int loop_set_capacity(struct loop_device *lo)
 	if (unlikely(lo->lo_state != Lo_bound))
 		return -ENXIO;
 
-	return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
+	figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
+
+	return 0;
 }
 
 static int loop_set_dio(struct loop_device *lo, unsigned long arg)

[4.19.y,3/9] loop: Remove sector_t truncation checks

Commit Message

Patch