From: Laibin Qiu
maillist inclusion
category: bugfix
issue: #I4NRS5
CVE: NA
Signed-off-by: Yu Changchun
---------------------------
We config the block size of a loop device throuth
the following process:
lo_ioctl(..., unsigned long arg)
| ^^^^
lo_simple_ioctl(..., unsigned long arg)
| ^^^^
loop_set_block_size(..., unsigned long arg)
| ^^^^
loop_validate_block_size(unsigned short bsize)
| ^^^^^
blk_queue_logical_block_size(..., unsigned int size) {
'''
limits->logical_block_size = size;
^^^^ int
'''
}
loop_validate_block_size() will check the validity of bsize.
But long to short will be truncated(eg arg=1049600 and
it becomes 1024 after truncation by short. The block size
must within the range of 512 ~ PAGE_SZIE, This truncation will
turn illegal block szie to legal). The wrong of block size will
raise other errors.
Fixes: 3448914e8cc55 ("loop: Add LOOP_CONFIGURE ioctl")
Signed-off-by: Laibin Qiu
Reviewed-by: Jason Yan
Signed-off-by: Chen Jun
Signed-off-by: Zheng Zengkai
Signed-off-by: Yu Changchun
---
drivers/block/loop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index f0fa0c8e7ec6..5dd8bd480e29 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -233,7 +233,7 @@ static void __loop_update_dio(struct loop_device *lo, bool dio)
* @bsize: size to validate
*/
static int
-loop_validate_block_size(unsigned short bsize)
+loop_validate_block_size(unsigned long bsize)
{
if (bsize < 512 || bsize > PAGE_SIZE || !is_power_of_2(bsize))
return -EINVAL;
--
2.25.1
