tag cc1b0a8467a24cb1676a12df22c7d5344d200a50
tagger Todd Kjos <tkjos@google.com> Tue May 08 08:36:21 2018 -0700
object ebb5a0ed5c8a0dac55a4e6036292edaf9b1bb9ae

https://source.android.com/security/bulletin/2018-05-01
CVE-2017-16643
CVE-2017-5754
CVE-2018-5344
CVE-2017-15129

commit ebb5a0ed5c8a0dac55a4e6036292edaf9b1bb9ae
author Linus Torvalds <torvalds@linux-foundation.org> Fri Jan 05 16:26:00 2018 -0800
committer Todd Kjos <tkjos@google.com> Mon May 07 16:12:48 2018 -0700
tree 98142ada9241f0909dc3e49831f31c588a71c315
parent f28e3cf82f71cf815de3a4f2bf293cf40258b658

loop: fix concurrent lo_open/lo_release

commit ae6650163c66a7eff1acd6eb8b0f752dcfa8eba5 upstream.

范龙飞 reports that KASAN can report a use-after-free in __lock_acquire.
The reason is due to insufficient serialization in lo_release(), which
will continue to use the loop device even after it has decremented the
lo_refcnt to zero.

In the meantime, another process can come in, open the loop device
again as it is being shut down. Confusion ensues.

Reported-by: 范龙飞 <long7573@126.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>