loop: fix concurrent lo_open/lo_release
commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.
范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
The reason is due to insufficient serialization in lo_release(), which
will continue to use the loop device even after it has decremented the
lo_refcnt to zero.
In the meantime, another process can come in, open the loop device
again as it is being shut down. Confusion ensues.
Reported-by: 范龙飞 <email@example.com>
Signed-off-by: Linus Torvalds <firstname.lastname@example.org>
Signed-off-by: Jens Axboe <email@example.com>
Cc: Ben Hutchings <firstname.lastname@example.org>
Signed-off-by: Greg Kroah-Hartman <email@example.com>
1 file changed