loop: reintroduce global lock for safe loop_validate_file() traversal

static DEFINE_IDR(loop_index_idr);

static DEFINE_MUTEX(loop_ctl_mutex);

static DEFINE_MUTEX(loop_validate_mutex);

/**

 * loop_global_lock_killable() - take locks for safe loop_validate_file() test

 *

 * @lo: struct loop_device

 * @global: true if @lo is about to bind another "struct loop_device", false otherwise

 *

 * Returns 0 on success, -EINTR otherwise.

 *

 * Since loop_validate_file() traverses on other "struct loop_device" if

 * is_loop_device() is true, we need a global lock for serializing concurrent

 * loop_configure()/loop_change_fd()/__loop_clr_fd() calls.

 */

static int loop_global_lock_killable(struct loop_device *lo, bool global)

{

	int err;

	if (global) {

		err = mutex_lock_killable(&loop_validate_mutex);

		if (err)

			return err;

	}

	err = mutex_lock_killable(&lo->lo_mutex);

	if (err && global)

		mutex_unlock(&loop_validate_mutex);

	return err;

}

/**

 * loop_global_unlock() - release locks taken by loop_global_lock_killable()

 *

 * @lo: struct loop_device

 * @global: true if @lo was about to bind another "struct loop_device", false otherwise

 */

static void loop_global_unlock(struct loop_device *lo, bool global)

{

	mutex_unlock(&lo->lo_mutex);

	if (global)

		mutex_unlock(&loop_validate_mutex);

}

static int max_part;

static int part_shift;

	while (is_loop_device(f)) {

		struct loop_device *l;

		lockdep_assert_held(&loop_validate_mutex);

		if (f->f_mapping->host->i_rdev == bdev->bd_dev)

			return -EBADF;

		l = I_BDEV(f->f_mapping->host)->bd_disk->private_data;

		if (l->lo_state != Lo_bound) {

		if (l->lo_state != Lo_bound)

			return -EINVAL;

		}

		/* Order wrt setting lo->lo_backing_file in loop_configure(). */

		rmb();

		f = l->lo_backing_file;

	}

	if (!S_ISREG(inode->i_mode) && !S_ISBLK(inode->i_mode))

static int loop_change_fd(struct loop_device *lo, struct block_device *bdev,

			  unsigned int arg)

{

	struct file	*file = NULL, *old_file;

	struct file *file = fget(arg);

	struct file *old_file;

	int error;

	bool partscan;

	bool is_loop;

	error = mutex_lock_killable(&lo->lo_mutex);

	if (!file)

		return -EBADF;

	is_loop = is_loop_device(file);

	error = loop_global_lock_killable(lo, is_loop);

	if (error)

		return error;

		goto out_putf;

	error = -ENXIO;

	if (lo->lo_state != Lo_bound)

		goto out_err;

	if (!(lo->lo_flags & LO_FLAGS_READ_ONLY))

		goto out_err;

	error = -EBADF;

	file = fget(arg);

	if (!file)

		goto out_err;

	error = loop_validate_file(file, bdev);

	if (error)

		goto out_err;

	loop_update_dio(lo);

	blk_mq_unfreeze_queue(lo->lo_queue);

	partscan = lo->lo_flags & LO_FLAGS_PARTSCAN;

	mutex_unlock(&lo->lo_mutex);

	loop_global_unlock(lo, is_loop);

	/*

	 * Flush loop_validate_file() before fput(), for l->lo_backing_file

	 * might be pointing at old_file which might be the last reference.

	 */

	if (!is_loop) {

		mutex_lock(&loop_validate_mutex);

		mutex_unlock(&loop_validate_mutex);

	}

	/*

	 * We must drop file reference outside of lo_mutex as dropping

	 * the file ref can take open_mutex which creates circular locking

	return 0;

out_err:

	mutex_unlock(&lo->lo_mutex);

	if (file)

	loop_global_unlock(lo, is_loop);

out_putf:

	fput(file);

	return error;

}

			  struct block_device *bdev,

			  const struct loop_config *config)

{

	struct file	*file;

	struct file *file = fget(config->fd);

	struct inode *inode;

	struct address_space *mapping;

	int error;

	loff_t size;

	bool partscan;

	unsigned short bsize;

	bool is_loop;

	if (!file)

		return -EBADF;

	is_loop = is_loop_device(file);

	/* This is safe, since we have a reference from open(). */

	__module_get(THIS_MODULE);

	error = -EBADF;

	file = fget(config->fd);

	if (!file)

		goto out;

	/*

	 * If we don't hold exclusive handle for the device, upgrade to it

	 * here to avoid changing device under exclusive owner.

			goto out_putf;

	}

	error = mutex_lock_killable(&lo->lo_mutex);

	error = loop_global_lock_killable(lo, is_loop);

	if (error)

		goto out_bdev;

	size = get_loop_size(lo, file);

	loop_set_size(lo, size);

	/* Order wrt reading lo_state in loop_validate_file(). */

	wmb();

	lo->lo_state = Lo_bound;

	if (part_shift)

		lo->lo_flags |= LO_FLAGS_PARTSCAN;

	 * put /dev/loopXX inode. Later in __loop_clr_fd() we bdput(bdev).

	 */

	bdgrab(bdev);

	mutex_unlock(&lo->lo_mutex);

	loop_global_unlock(lo, is_loop);

	if (partscan)

		loop_reread_partitions(lo);

	if (!(mode & FMODE_EXCL))

	return 0;

out_unlock:

	mutex_unlock(&lo->lo_mutex);

	loop_global_unlock(lo, is_loop);

out_bdev:

	if (!(mode & FMODE_EXCL))

		bd_abort_claiming(bdev, loop_configure);

out_putf:

	fput(file);

out:

	/* This is safe: open() is still holding a reference. */

	module_put(THIS_MODULE);

	return error;

	int lo_number;

	struct loop_worker *pos, *worker;

	/*

	 * Flush loop_configure() and loop_change_fd(). It is acceptable for

	 * loop_validate_file() to succeed, for actual clear operation has not

	 * started yet.

	 */

	mutex_lock(&loop_validate_mutex);

	mutex_unlock(&loop_validate_mutex);

	/*

	 * loop_validate_file() now fails because l->lo_state != Lo_bound

	 * became visible.

	 */

	mutex_lock(&lo->lo_mutex);

	if (WARN_ON_ONCE(lo->lo_state != Lo_rundown)) {

		err = -ENXIO;