+2
−2
Loading
loop: use lo->lo_disk for kobject_uevent
hulk inclusion category: bugfix bugzilla: 189922, https://gitee.com/openeuler/kernel/issues/I9PXKA CVE: NA -------------------------------- The current implimentation of partitions for loop has several issues. 'loop_device' is at the gendisk level, but it uses 'lo_device' to store block_device. A gendisk can have multiple block_devices, and 'lo_device' can be set to anyone of them through loop_configure(). This usage can lead to a null-ptr-deref issue. If 'lo_device' is set to a block_device of partition, this partition is closed and 'bd_openers' is dec to 0, the 'bd_disk' of that block_device will be set to NULL in __blkdev_put(). In this case, Accessing 'lo_device->bd_disk' will trigger the issue. The problem can be reproduced as follows: 1. create loop device loop0 and create a partition loop0p1. 2. submit the ioctl LOOP_CLR_FD by loop0. 3. submit the ioctl LOOP_SET_FD by loop0p1. 4. submit ioctl such as LOOP_SET_STATUS by loop0. Fix it by using 'lo->lo_disk' instead of 'lo->lo_device->bd_disk' for kobject_uevent(). Fixes: c01a21b7 ("loop: Fix occasional uevent drop") Fixes: c3473c63 ("generate "change" uevent for loop device") Signed-off-by:Li Nan <linan122@huawei.com>