4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
This reverts commit f92a3b0d003b9f7eb1f452598966a08802183f47, which
was commit 083a6a50783ef54256eec3499e6575237e0e3d53 upstream. In 4.19
there is still an option to use 32-bit sector_t on 32-bit
architectures, so we need to keep checking for truncation.
Since loop_set_status() was refactored by subsequent patches, this
reintroduces its truncation check in loop_set_status_from_info()
instead.
I tested that the loop ioctl operations have the expected behaviour on
x86_64, x86_32 with CONFIG_LBDAF=y, and (the special case) x86_32 with
CONFIG_LBDAF=n.
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/block/loop.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -243,12 +243,16 @@ static void loop_set_size(struct loop_de
kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
}
-static void
+static int
figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
{
loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
+ sector_t x = (sector_t)size;
+ if (unlikely((loff_t)x != size))
+ return -EFBIG;
loop_set_size(lo, size);
+ return 0;
}
static inline int
@@ -996,7 +1000,10 @@ static int loop_set_fd(struct loop_devic
!file->f_op->write_iter)
lo_flags |= LO_FLAGS_READ_ONLY;
+ error = -EFBIG;
size = get_loop_size(lo, file);
+ if ((loff_t)(sector_t)size != size)
+ goto out_unlock;
error = loop_prepare_queue(lo);
if (error)
@@ -1246,6 +1253,7 @@ loop_set_status_from_info(struct loop_de
int err;
struct loop_func_table *xfer;
kuid_t uid = current_uid();
+ loff_t new_size;
if ((unsigned int) info->lo_encrypt_key_size > LO_KEY_SIZE)
return -EINVAL;
@@ -1273,6 +1281,11 @@ loop_set_status_from_info(struct loop_de
if (info->lo_offset > LLONG_MAX || info->lo_sizelimit > LLONG_MAX)
return -EOVERFLOW;
+ new_size = get_size(info->lo_offset, info->lo_sizelimit,
+ lo->lo_backing_file);
+ if ((loff_t)(sector_t)new_size != new_size)
+ return -EFBIG;
+
lo->lo_offset = info->lo_offset;
lo->lo_sizelimit = info->lo_sizelimit;
@@ -1531,9 +1544,7 @@ static int loop_set_capacity(struct loop
if (unlikely(lo->lo_state != Lo_bound))
return -ENXIO;
- figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
-
- return 0;
+ return figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
}
static int loop_set_dio(struct loop_device *lo, unsigned long arg)
