Commit 3d49537d authored Nov 30, 2022 by Li Lingfeng Committed by Zheng Zengkai Nov 30, 2022

block: check flags of claimed slave bdev to fix uaf for bd_holder_dir

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60QE9


CVE: NA

--------------------------------

As explained in 32c39e8a ("block: fix use after free for
bd_holder_dir"), we should make sure the "disk" is still live and
then grab a reference to 'bd_holder_dir'. However, the "disk"
should be "the claimed slave bdev" rather than "the holding disk".

Fixes: 32c39e8a ("block: fix use after free for bd_holder_dir")
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent c183e39f

fs/block_dev.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1269,7 +1269,7 @@ int bd_link_disk_holder(struct block_device bdev, struct gendisk disk)
		* the holder directory. Hold on to it.
		*/
		down_read(&bdev->bd_disk->lookup_sem);
		if (!(disk->flags & GENHD_FL_UP)) {
		if (!(bdev->bd_disk->flags & GENHD_FL_UP)) {
		up_read(&bdev->bd_disk->lookup_sem);
		return -ENODEV;
		}