From: "Theodore Tso" <tytso@mit.edu>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Deepanshu Kartikey <kartikey406@gmail.com>,
syzkaller@googlegroups.com, adilger.kernel@dilger.ca,
linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com
Subject: Re: SYZKALLER BUG: messing with a mounted file system via loop ioctls (was: Re: [PATCH] ext4: add bounds check in ext4_xattr_ibody_get() to) prevent out-of-bounds access
Date: Sun, 29 Mar 2026 08:48:32 -0500 [thread overview]
Message-ID: <20260329134832.GA8782@Mac> (raw)
In-Reply-To: <CACT4Y+ZzbnD_puTRMx4MpcACpp5m3aMhQYvH+1LAyTKOz6otEw@mail.gmail.com>
On Sun, Mar 29, 2026 at 11:47:44AM +0200, Dmitry Vyukov wrote:
> Thanks for the report.
>
> https://syzkaller.appspot.com/text?tag=ReproSyz&x=17a43b3a580000
>
> Do you mean LOOP_SET_STATUS64 ioctl? It's the only ioctl in the repro:
>
> ioctl$LOOP_SET_STATUS64(r0, 0x4c04, ...)
The loop LOOP_SET_STATUS ioctl is also problematic.
> Does it mean it should also be prohibited under
> CONFIG_BLK_DEV_WRITE_MOUNTED to avoid kernel memory corruption?
> Or at least some changes should be prohibited? E.g. I guess changing
> lo_offset is equivalent to writing to the mounted device.
Yes, that's correct. LOOP_SET_STATUS[64] can set lo_offset and
lo_sizelimit which effectively mutates the loop device while it is
mounted.
The fix is something like:
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 0000913f7efc..c1d17e2bbd0c 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1238,6 +1238,16 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
err = -ENXIO;
goto out_unlock;
}
+#ifndef CONFIG_BLK_DEV_WRITE_MOUNTED)
+ /*
+ * bdev_writes_blocked is a static function defiend in
+ * block/bdev.c, so this won't work as-is.
+ */
+ if (bdev_writes_blocked(lo->lo_device)) {
+ err = -EBUSY;
+ goto out_unlock;
+ }
+#endif
if (lo->lo_offset != info->lo_offset ||
lo->lo_sizelimit != info->lo_sizelimit) {
Turning this into a real patch that exports bdev_writes_blocked() is
left as an exercise to the reader.
- Ted
next prev parent reply other threads:[~2026-03-29 13:48 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-24 23:14 [PATCH] ext4: add bounds check in ext4_xattr_ibody_get() to prevent out-of-bounds access Deepanshu Kartikey
2026-03-10 1:47 ` Deepanshu Kartikey
2026-03-26 5:47 ` Theodore Tso
2026-03-27 14:32 ` Deepanshu Kartikey
2026-03-27 16:31 ` SYZKALLER BUG: messing with a mounted file system via loop ioctls (was: Re: [PATCH] ext4: add bounds check in ext4_xattr_ibody_get() to) " Theodore Tso
2026-03-28 15:02 ` Deepanshu Kartikey
2026-03-29 9:47 ` Dmitry Vyukov
2026-03-29 13:48 ` Theodore Tso [this message]
2026-03-29 14:39 ` Deepanshu Kartikey
2026-03-29 17:06 ` Theodore Tso
2026-03-30 4:44 ` Deepanshu Kartikey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260329134832.GA8782@Mac \
--to=tytso@mit.edu \
--cc=adilger.kernel@dilger.ca \
--cc=dvyukov@google.com \
--cc=kartikey406@gmail.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+fb32afec111a7d61b939@syzkaller.appspotmail.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.