From: Peter Osterlund <petero2@telia.com>
To: Al Viro <viro@parcelfarce.linux.theplanet.co.uk>
Cc: Greg K-H <greg@kroah.com>,
linux-kernel@vger.kernel.org, Andrew Morton <akpm@osdl.org>
Subject: Re: [PATCH] Fix root hole in pktcdvd
Date: 17 May 2005 20:12:18 +0200 [thread overview]
Message-ID: <m31x85k9h9.fsf@telia.com> (raw)
In-Reply-To: <20050517055452.GQ1150@parcelfarce.linux.theplanet.co.uk>
Al Viro <viro@parcelfarce.linux.theplanet.co.uk> writes:
> On Tue, May 17, 2005 at 06:00:25AM +0100, Al Viro wrote:
> > Same comment as for previous patch. I'll take a look at that sucker,
> > it might happen to be OK, seeing that most of the bdev ->ioctl() instances
> > ignore file argument and we might get away with passing odd stuff to
> > anything that could occur here.
>
> Oh, lovely - pkt_open() opens underlying device, unless we already have our
> device opened. Guess what happens if you open() with O_RDONLY and
> then - with O_RDWR?
You get I/O errors when you submit write requests, which is definitely
not good. I don't know if it also has security implications.
A check got lost in the char dev control device conversion patch. The
patch below fixes it.
-
If you tried to open a packet device first in read-only mode and then
a second time in read-write mode, the second open succeeded even
though the device was not correctly set up for writing. If you then
tried to write data to the device, the writes would fail with I/O
errors.
This patch prevents that problem by making the second open fail with
-EBUSY.
Signed-off-by: Peter Osterlund <petero2@telia.com>
---
linux-petero/drivers/block/pktcdvd.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletion(-)
diff -puN drivers/block/pktcdvd.c~packet-multi-open-fix drivers/block/pktcdvd.c
--- linux/drivers/block/pktcdvd.c~packet-multi-open-fix 2005-05-17 19:52:30.000000000 +0200
+++ linux-petero/drivers/block/pktcdvd.c 2005-05-17 19:52:30.000000000 +0200
@@ -2025,7 +2025,13 @@ static int pkt_open(struct inode *inode,
BUG_ON(pd->refcnt < 0);
pd->refcnt++;
- if (pd->refcnt == 1) {
+ if (pd->refcnt > 1) {
+ if ((file->f_mode & FMODE_WRITE) &&
+ !test_bit(PACKET_WRITABLE, &pd->flags)) {
+ ret = -EBUSY;
+ goto out_dec;
+ }
+ } else {
if (pkt_open_dev(pd, file->f_mode & FMODE_WRITE)) {
ret = -EIO;
goto out_dec;
_
--
Peter Osterlund - petero2@telia.com
http://web.telia.com/~u89404340
next prev parent reply other threads:[~2005-05-17 18:12 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-17 4:37 [GIT PATCH] Stable bugfixes for 2.6.12-rc4 Greg KH
2005-05-17 4:37 ` [PATCH] fix Linux kernel ELF core dump privilege elevation Greg KH
2005-05-17 4:37 ` [PATCH] Fix root hole in raw device Greg KH
2005-05-17 4:37 ` [PATCH] Fix root hole in pktcdvd Greg KH
2005-05-17 5:00 ` Al Viro
2005-05-17 5:54 ` Al Viro
2005-05-17 18:12 ` Peter Osterlund [this message]
2005-05-17 15:35 ` Greg KH
2005-05-17 4:57 ` [PATCH] Fix root hole in raw device Al Viro
2005-05-17 7:03 ` Willy Tarreau
2005-05-17 7:07 ` Willy Tarreau
2005-05-17 7:38 ` Al Viro
2005-05-17 7:32 ` Al Viro
2005-05-17 13:04 ` Stephen C. Tweedie
2005-05-17 16:53 ` Al Viro
2005-05-22 11:55 ` Peter Osterlund
2005-05-22 11:57 ` Peter Osterlund
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m31x85k9h9.fsf@telia.com \
--to=petero2@telia.com \
--cc=akpm@osdl.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@parcelfarce.linux.theplanet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox