1 files changed, 33 insertions, 18 deletions
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 3d806820280e..1e888c9e85b3 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -161,17 +161,19 @@ static struct loop_func_table *xfer_funcs[MAX_LO_CRYPT] = {
        &xor_funcs
 };
-static loff_t get_loop_size(struct loop_device *lo, struct file *file)
+static loff_t get_size(loff_t offset, loff_t sizelimit, struct file *file)
 {
-        loff_t size, offset, loopsize;
+        loff_t size, loopsize;
        /* Compute loopsize in bytes */
        size = i_size_read(file->f_mapping->host);
-        offset = lo->lo_offset;
        loopsize = size - offset;
-        if (lo->lo_sizelimit > 0 && lo->lo_sizelimit < loopsize)
+        /* offset is beyond i_size, wierd but possible */
-                loopsize = lo->lo_sizelimit;
+        if (loopsize < 0)
+                return 0;
+        if (sizelimit > 0 && sizelimit < loopsize)
+                loopsize = sizelimit;
        /*
         * Unfortunately, if we want to do I/O on the device,
         * the number of 512-byte sectors has to fit into a sector_t.
@@ -179,17 +181,25 @@ static loff_t get_loop_size(struct loop_device *lo, struct file *file)
        return loopsize >> 9;
 }
+static loff_t get_loop_size(struct loop_device *lo, struct file *file)
+{
+        return get_size(lo->lo_offset, lo->lo_sizelimit, file);
+}
 static int
-figure_loop_size(struct loop_device *lo)
+figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
 {
-        loff_t size = get_loop_size(lo, lo->lo_backing_file);
+        loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
        sector_t x = (sector_t)size;
        if (unlikely((loff_t)x != size))
                return -EFBIG;
+        if (lo->lo_offset != offset)
+                lo->lo_offset = offset;
+        if (lo->lo_sizelimit != sizelimit)
+                lo->lo_sizelimit = sizelimit;
        set_capacity(lo->lo_disk, x);
-        return 0;                                       
+        return 0;
 }
 static inline int
@@ -372,7 +382,8 @@ do_lo_receive(struct loop_device *lo,
        if (retval < 0)
                return retval;
+        if (retval != bvec->bv_len)
+                return -EIO;
        return 0;
 }
@@ -411,7 +422,7 @@ static int do_bio_filebacked(struct loop_device *lo, struct bio *bio)
                /*
                 * We use punch hole to reclaim the free space used by the
-                 * image a.k.a. discard. However we do support discard if
+                 * image a.k.a. discard. However we do not support discard if
                 * encryption is enabled, because it may give an attacker
                 * useful information.
                 */
@@ -786,7 +797,7 @@ static void loop_config_discard(struct loop_device *lo)
        }
        q->limits.discard_granularity = inode->i_sb->s_blocksize;
-        q->limits.discard_alignment = inode->i_sb->s_blocksize;
+        q->limits.discard_alignment = 0;
        q->limits.max_discard_sectors = UINT_MAX >> 9;
        q->limits.discard_zeroes_data = 1;
        queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, q);
@@ -1058,9 +1069,7 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
        if (lo->lo_offset != info->lo_offset ||
            lo->lo_sizelimit != info->lo_sizelimit) {
-                lo->lo_offset = info->lo_offset;
+                if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit))
-                lo->lo_sizelimit = info->lo_sizelimit;
-                if (figure_loop_size(lo))
                        return -EFBIG;
        }
        loop_config_discard(lo);
@@ -1246,7 +1255,7 @@ static int loop_set_capacity(struct loop_device *lo, struct block_device *bdev)
        err = -ENXIO;
        if (unlikely(lo->lo_state != Lo_bound))
                goto out;
-        err = figure_loop_size(lo);
+        err = figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
        if (unlikely(err))
                goto out;
        sec = get_capacity(lo->lo_disk);
@@ -1284,13 +1293,19 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
                        goto out_unlocked;
                break;
        case LOOP_SET_STATUS:
-                err = loop_set_status_old(lo, (struct loop_info __user *) arg);
+                err = -EPERM;
+                if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+                        err = loop_set_status_old(lo,
+                                        (struct loop_info __user *)arg);
                break;
        case LOOP_GET_STATUS:
                err = loop_get_status_old(lo, (struct loop_info __user *) arg);
                break;
        case LOOP_SET_STATUS64:
-                err = loop_set_status64(lo, (struct loop_info64 __user *) arg);
+                err = -EPERM;
+                if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN))
+                        err = loop_set_status64(lo,
+                                        (struct loop_info64 __user *) arg);
                break;
        case LOOP_GET_STATUS64:
                err = loop_get_status64(lo, (struct loop_info64 __user *) arg);

diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 3d806820280e..1e888c9e85b3 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c
@@ -161,17 +161,19 @@ static struct loop_func_table *xfer_funcs[MAX_LO_CRYPT] = {
161	&xor_funcs	161	&xor_funcs
162	};	162	};
163		163
164	static loff_t get_loop_size(struct loop_device lo, struct file file)	164	static loff_t get_size(loff_t offset, loff_t sizelimit, struct file *file)
165	{	165	{
166	loff_t size, offset, loopsize;	166	loff_t size, loopsize;
167		167
168	/* Compute loopsize in bytes */	168	/* Compute loopsize in bytes */
169	size = i_size_read(file->f_mapping->host);	169	size = i_size_read(file->f_mapping->host);
170	offset = lo->lo_offset;
171	loopsize = size - offset;	170	loopsize = size - offset;
172	if (lo->lo_sizelimit > 0 && lo->lo_sizelimit < loopsize)	171	/* offset is beyond i_size, wierd but possible */
173	loopsize = lo->lo_sizelimit;	172	if (loopsize < 0)
		173	return 0;
174		174
		175	if (sizelimit > 0 && sizelimit < loopsize)
		176	loopsize = sizelimit;
175	/*	177	/*
176	* Unfortunately, if we want to do I/O on the device,	178	* Unfortunately, if we want to do I/O on the device,
177	* the number of 512-byte sectors has to fit into a sector_t.	179	* the number of 512-byte sectors has to fit into a sector_t.
@@ -179,17 +181,25 @@ static loff_t get_loop_size(struct loop_device lo, struct file file)
179	return loopsize >> 9;	181	return loopsize >> 9;
180	}	182	}
181		183
		184	static loff_t get_loop_size(struct loop_device lo, struct file file)
		185	{
		186	return get_size(lo->lo_offset, lo->lo_sizelimit, file);
		187	}
		188
182	static int	189	static int
183	figure_loop_size(struct loop_device *lo)	190	figure_loop_size(struct loop_device *lo, loff_t offset, loff_t sizelimit)
184	{	191	{
185	loff_t size = get_loop_size(lo, lo->lo_backing_file);	192	loff_t size = get_size(offset, sizelimit, lo->lo_backing_file);
186	sector_t x = (sector_t)size;	193	sector_t x = (sector_t)size;
187		194
188	if (unlikely((loff_t)x != size))	195	if (unlikely((loff_t)x != size))
189	return -EFBIG;	196	return -EFBIG;
190		197	if (lo->lo_offset != offset)
		198	lo->lo_offset = offset;
		199	if (lo->lo_sizelimit != sizelimit)
		200	lo->lo_sizelimit = sizelimit;
191	set_capacity(lo->lo_disk, x);	201	set_capacity(lo->lo_disk, x);
192	return 0;	202	return 0;
193	}	203	}
194		204
195	static inline int	205	static inline int
@@ -372,7 +382,8 @@ do_lo_receive(struct loop_device *lo,
372		382
373	if (retval < 0)	383	if (retval < 0)
374	return retval;	384	return retval;
375		385	if (retval != bvec->bv_len)
		386	return -EIO;
376	return 0;	387	return 0;
377	}	388	}
378		389
@@ -411,7 +422,7 @@ static int do_bio_filebacked(struct loop_device lo, struct bio bio)
411		422
412	/*	423	/*
413	* We use punch hole to reclaim the free space used by the	424	* We use punch hole to reclaim the free space used by the
414	* image a.k.a. discard. However we do support discard if	425	* image a.k.a. discard. However we do not support discard if
415	* encryption is enabled, because it may give an attacker	426	* encryption is enabled, because it may give an attacker
416	* useful information.	427	* useful information.
417	*/	428	*/
@@ -786,7 +797,7 @@ static void loop_config_discard(struct loop_device *lo)
786	}	797	}
787		798
788	q->limits.discard_granularity = inode->i_sb->s_blocksize;	799	q->limits.discard_granularity = inode->i_sb->s_blocksize;
789	q->limits.discard_alignment = inode->i_sb->s_blocksize;	800	q->limits.discard_alignment = 0;
790	q->limits.max_discard_sectors = UINT_MAX >> 9;	801	q->limits.max_discard_sectors = UINT_MAX >> 9;
791	q->limits.discard_zeroes_data = 1;	802	q->limits.discard_zeroes_data = 1;
792	queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, q);	803	queue_flag_set_unlocked(QUEUE_FLAG_DISCARD, q);
@@ -1058,9 +1069,7 @@ loop_set_status(struct loop_device lo, const struct loop_info64 info)
1058		1069
1059	if (lo->lo_offset != info->lo_offset \|\|	1070	if (lo->lo_offset != info->lo_offset \|\|
1060	lo->lo_sizelimit != info->lo_sizelimit) {	1071	lo->lo_sizelimit != info->lo_sizelimit) {
1061	lo->lo_offset = info->lo_offset;	1072	if (figure_loop_size(lo, info->lo_offset, info->lo_sizelimit))
1062	lo->lo_sizelimit = info->lo_sizelimit;
1063	if (figure_loop_size(lo))
1064	return -EFBIG;	1073	return -EFBIG;
1065	}	1074	}
1066	loop_config_discard(lo);	1075	loop_config_discard(lo);
@@ -1246,7 +1255,7 @@ static int loop_set_capacity(struct loop_device lo, struct block_device bdev)
1246	err = -ENXIO;	1255	err = -ENXIO;
1247	if (unlikely(lo->lo_state != Lo_bound))	1256	if (unlikely(lo->lo_state != Lo_bound))
1248	goto out;	1257	goto out;
1249	err = figure_loop_size(lo);	1258	err = figure_loop_size(lo, lo->lo_offset, lo->lo_sizelimit);
1250	if (unlikely(err))	1259	if (unlikely(err))
1251	goto out;	1260	goto out;
1252	sec = get_capacity(lo->lo_disk);	1261	sec = get_capacity(lo->lo_disk);
@@ -1284,13 +1293,19 @@ static int lo_ioctl(struct block_device *bdev, fmode_t mode,
1284	goto out_unlocked;	1293	goto out_unlocked;
1285	break;	1294	break;
1286	case LOOP_SET_STATUS:	1295	case LOOP_SET_STATUS:
1287	err = loop_set_status_old(lo, (struct loop_info __user *) arg);	1296	err = -EPERM;
		1297	if ((mode & FMODE_WRITE) \|\| capable(CAP_SYS_ADMIN))
		1298	err = loop_set_status_old(lo,
		1299	(struct loop_info __user *)arg);
1288	break;	1300	break;
1289	case LOOP_GET_STATUS:	1301	case LOOP_GET_STATUS:
1290	err = loop_get_status_old(lo, (struct loop_info __user *) arg);	1302	err = loop_get_status_old(lo, (struct loop_info __user *) arg);
1291	break;	1303	break;
1292	case LOOP_SET_STATUS64:	1304	case LOOP_SET_STATUS64:
1293	err = loop_set_status64(lo, (struct loop_info64 __user *) arg);	1305	err = -EPERM;
		1306	if ((mode & FMODE_WRITE) \|\| capable(CAP_SYS_ADMIN))
		1307	err = loop_set_status64(lo,
		1308	(struct loop_info64 __user *) arg);
1294	break;	1309	break;
1295	case LOOP_GET_STATUS64:	1310	case LOOP_GET_STATUS64:
1296	err = loop_get_status64(lo, (struct loop_info64 __user *) arg);	1311	err = loop_get_status64(lo, (struct loop_info64 __user *) arg);