Patch "fs: Block writes to mounted block devices" should probably be ported to 6.6 LTS.

Hi,

We noticed that patch 6f861765464f should probably be ported to Linux
6.6 LTS.  Its bug-introducing commit is probably 05bdb9965305. So the
vulnerability exists in Linux 6.6 LTS, but the patch is not ported
into 6.6 LTS.  According to our manual analysis, the commit
(05bdb9965305) introduced a vulnerability by replacing `fmode_t` with
`blk_mode_t` without preserving the write restrictions on mounted
block devices. Specifically, the `sb_open_mode(flags)` macro was
changed from using `FMODE_READ` and `FMODE_WRITE` to `BLK_OPEN_READ`
and `BLK_OPEN_WRITE`:
```diff
#define sb_open_mode(flags) \
-   (FMODE_READ | (((flags) & SB_RDONLY) ? 0 : FMODE_WRITE))
+   (BLK_OPEN_READ | (((flags) & SB_RDONLY) ? 0 : BLK_OPEN_WRITE))
```
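Review bot: this hunk is a name-for-name substitution (`FMODE_READ`/`FMODE_WRITE` to `BLK_OPEN_READ`/`BLK_OPEN_WRITE`) and by itself does not show any restriction being dropped; the regression argument rests on how `BLK_OPEN_WRITE` is handled in the block open path, which these lines do not include, so cite that code alongside the macro. The quoted snippet also lacks its `diff --git` and `@@` headers, so the file that defines `sb_open_mode` and the surrounding context are not visible.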

However, unlike `FMODE_WRITE`, the `BLK_OPEN_WRITE` flag does not
inherently prevent unsafe writes to block devices that are mounted by
filesystems. This oversight allowed for the possibility of writes
directly to the mounted block device, bypassing filesystem controls
and potentially leading to data corruption or security breaches.

The later patch (commit 6f861765464f43a71462d52026fbddfc858239a5)
addressed this vulnerability by introducing the
`BLK_OPEN_RESTRICT_WRITES` flag to the `sb_open_mode(flags)` macro:

```diff
#define sb_open_mode(flags) \
+   (BLK_OPEN_READ | BLK_OPEN_RESTRICT_WRITES | \
+   (((flags) & SB_RDONLY) ? 0 : BLK_OPEN_WRITE))
```
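Review bot: the hunk shows only `+` lines, so as quoted it reads as adding two lines to a macro that still has its previous body; the replaced line `(BLK_OPEN_READ | (((flags) & SB_RDONLY) ? 0 : BLK_OPEN_WRITE))` should appear as a `-` line. As with the earlier snippet, the missing `@@` header hides the file and context of the change.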

By adding `BLK_OPEN_RESTRICT_WRITES`, the block layer is instructed to
block unsafe writes to block devices that are in use by filesystems,
restoring the necessary protection that was inadvertently removed in
the previous commit.

At the same time, we noticed that this patch fixes a bug reported on
syzkaller: https://syzkaller.appspot.com/bug?extid=c300ab283ba3bc072439.
The crash list of this bug contains one report in cbf3a2cb156a (between
6.6-rc4 and 6.6-rc5), so it confirms again that this bug was introduced
in 6.6 LTS.

-- 
Yours sincerely,
Xingyu