block: check flags of claimed slave bdev to fix uaf for bd_holder_dir

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QE9 CVE: NA -------------------------------- As explained in 0eb44012 ("block: fix use after free for bd_holder_dir"), we should make sure the "disk" is still live and then grab a reference to 'bd_holder_dir'. However, the "disk" should be "the claimed slave bdev" rather than "the holding disk". Fixes: 0eb44012 ("block: fix use after free for bd_holder_dir") Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Yu Kuai <yukuai3@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

block: check flags of claimed slave bdev to fix uaf for bd_holder_dir
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QE9 CVE: NA -------------------------------- As explained in 0eb44012 ("block: fix use after free for bd_holder_dir"), we should make sure the "disk" is still live and then grab a reference to 'bd_holder_dir'. However, the "disk" should be "the claimed slave bdev" rather than "the holding disk". Fixes: 0eb44012 ("block: fix use after free for bd_holder_dir") Signed-off-by: N Li Lingfeng <lilingfeng3@huawei.com> Reviewed-by: N Yu Kuai <yukuai3@huawei.com> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
7fcfabe9 · Li Lingfeng · Yongqiang Liu · 0eb44012 · 7fcfabe9
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/block_dev.c fs/block_dev.c +1 -1

未找到文件。
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1310,7 +1310,7 @@ int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk)
 	 * the holder directory.  Hold on to it.
 	 */
 	down_read(&bdev->bd_disk->lookup_sem);
-	if (!(disk->flags & GENHD_FL_UP)) {
+	if (!(bdev->bd_disk->flags & GENHD_FL_UP)) {
 		up_read(&bdev->bd_disk->lookup_sem);
 		return -ENODEV;
 	}