1 files changed, 63 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch
new file mode 100644
index 0000000..4e9bd40
--- /dev/null
+++ b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,63 @@
+From d5e06a1867210049bbfe27864ee0a40cfd9b1e9b Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 5 Jan 2018 16:26:00 -0800
+Subject: [PATCH] loop: fix concurrent lo_open/lo_release
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
+范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
+The reason is due to insufficient serialization in lo_release(), which
+will continue to use the loop device even after it has decremented the
+lo_refcnt to zero.
+In the meantime, another process can come in, open the loop device
+again as it is being shut down. Confusion ensues.
+CVE: CVE-2018-5344
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d5e06a1867210049bbfe27864ee0a40cfd9b1e9b]
+Reported-by: 范龙飞 <long7573@126.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ drivers/block/loop.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 85de67334695..a2a0dce5114e 100644
+--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
+@@ -1576,9 +1576,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
+        return err;
+ }
+ 
+-static void lo_release(struct gendisk *disk, fmode_t mode)
+static void __lo_release(struct loop_device *lo)
+ {
+-       struct loop_device *lo = disk->private_data;
+        int err;
+ 
+        if (atomic_dec_return(&lo->lo_refcnt))
+@@ -1605,6 +1604,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
+        mutex_unlock(&lo->lo_ctl_mutex);
+ }
+ 
+static void lo_release(struct gendisk *disk, fmode_t mode)
+{
+       mutex_lock(&loop_index_mutex);
+       __lo_release(disk->private_data);
+       mutex_unlock(&loop_index_mutex);
+}
+
+ static const struct block_device_operations lo_fops = {
+        .owner =        THIS_MODULE,
+        .open =         lo_open,
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch new file mode 100644 index 0000000..4e9bd40 --- /dev/null +++ b/patches/cve/CVE-2018-5344-loop-fix-concurrent-lo_open-lo_release.patch
@@ -0,0 +1,63 @@
	1	From d5e06a1867210049bbfe27864ee0a40cfd9b1e9b Mon Sep 17 00:00:00 2001
	2	From: Linus Torvalds <torvalds@linux-foundation.org>
	3	Date: Fri, 5 Jan 2018 16:26:00 -0800
	4	Subject: [PATCH] loop: fix concurrent lo_open/lo_release
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
	10
	11	范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
	12	The reason is due to insufficient serialization in lo_release(), which
	13	will continue to use the loop device even after it has decremented the
	14	lo_refcnt to zero.
	15
	16	In the meantime, another process can come in, open the loop device
	17	again as it is being shut down. Confusion ensues.
	18
	19	CVE: CVE-2018-5344
	20	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=d5e06a1867210049bbfe27864ee0a40cfd9b1e9b]
	21
	22	Reported-by: 范龙飞 <long7573@126.com>
	23	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	24	Signed-off-by: Jens Axboe <axboe@kernel.dk>
	25	Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	28	---
	29	drivers/block/loop.c \| 10 ++++++++--
	30	1 file changed, 8 insertions(+), 2 deletions(-)
	31
	32	diff --git a/drivers/block/loop.c b/drivers/block/loop.c
	33	index 85de67334695..a2a0dce5114e 100644
	34	--- a/drivers/block/loop.c
	35	+++ b/drivers/block/loop.c
	36	@@ -1576,9 +1576,8 @@ static int lo_open(struct block_device *bdev, fmode_t mode)
	37	return err;
	38	}
	39
	40	-static void lo_release(struct gendisk *disk, fmode_t mode)
	41	+static void __lo_release(struct loop_device *lo)
	42	{
	43	- struct loop_device *lo = disk->private_data;
	44	int err;
	45
	46	if (atomic_dec_return(&lo->lo_refcnt))
	47	@@ -1605,6 +1604,13 @@ static void lo_release(struct gendisk *disk, fmode_t mode)
	48	mutex_unlock(&lo->lo_ctl_mutex);
	49	}
	50
	51	+static void lo_release(struct gendisk *disk, fmode_t mode)
	52	+{
	53	+ mutex_lock(&loop_index_mutex);
	54	+ __lo_release(disk->private_data);
	55	+ mutex_unlock(&loop_index_mutex);
	56	+}
	57	+
	58	static const struct block_device_operations lo_fops = {
	59	.owner = THIS_MODULE,
	60	.open = lo_open,
	61	--
	62	2.20.1
	63