mount: fix a race when a free loop device is snatched under us by another mount.

function old new delta set_loop 850 809 -41 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2020-12-17 15:05:14 +01:00 · 2020-12-17 15:05:14 +01:00 · 4bc59a4cf7
commit 4bc59a4cf7
parent cd48f07117
1 changed files with 73 additions and 65 deletions
--- a/libbb/loop.c
+++ b/libbb/loop.c
@ -98,9 +98,7 @@ int FAST_FUNC get_free_loop(void)
 /* Returns opened fd to the loop device, <0 on error.
 * *device is loop device to use, or if *device==NULL finds a loop device to
- * mount it on and sets *device to a strdup of that loop device name.  This
+ * mount it on and sets *device to a strdup of that loop device name.
 * search will re-use an existing loop device already bound to that
 * file/offset if it finds one.
 */
 int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offset,
 		unsigned long long sizelimit, unsigned flags)
@ -109,9 +107,7 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
 	char *try;
 	bb_loop_info loopinfo;
 	struct stat statbuf;
-	int i, dfd, ffd, mode, rc;
+	int i, lfd, ffd, mode, rc;
 	rc = dfd = -1;
 	/* Open the file.  Barf if this doesn't work.  */
 	mode = (flags & BB_LO_FLAGS_READ_ONLY) ? O_RDONLY : O_RDWR;
@ -127,24 +123,23 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
 	try = *device;
 	if (!try) {
 get_free_loopN:
 		i = get_free_loop();
 		if (i == -2) { /* no /dev/loop-control */
 			i = 0;
 			try = dev;
 			goto old_style;
 		}
 		if (i == -1) {
 			close(ffd);
 			return -1; /* no free loop devices */
 		}
-		try = *device = xasprintf(LOOP_FORMAT, i);
+		if (i >= 0) {
-		goto try_to_open;
+			try = xasprintf(LOOP_FORMAT, i);
 			goto open_lfd;
 		}
 		/* i == -2: no /dev/loop-control. Do an old-style search for a free device */
 		try = dev;
 	}
- old_style:
+	/* Find a loop device */
-	/* Find a loop device.  */
+	/* 0xfffff is a max possible minor number in Linux circa 2010 */
-	/* 1048575 (0xfffff) is a max possible minor number in Linux circa 2010 */
+	for (i = 0; i <= 0xfffff; i++) {
 	for (i = 0; rc && i < 1048576; i++) {
 		sprintf(dev, LOOP_FORMAT, i);
 		IF_FEATURE_MOUNT_LOOP_CREATE(errno = 0;)
@ -153,36 +148,47 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
 			 && errno == ENOENT
 			 && try == dev
 			) {
-				/* Node doesn't exist, try to create it.  */
+				/* Node doesn't exist, try to create it */
 				if (mknod(dev, S_IFBLK|0644, makedev(7, i)) == 0)
-					goto try_to_open;
+					goto open_lfd;
 			}
-			/* Ran out of block devices, return failure.  */
+			/* Ran out of block devices, return failure */
 			rc = -1;
 			break;
 		}
- try_to_open:
+ open_lfd:
-		/* Open the sucker and check its loopiness.  */
+		/* Open the sucker and check its loopiness */
-		dfd = open(try, mode);
+		lfd = rc = open(try, mode);
-		if (dfd < 0 && errno == EROFS) {
+		if (lfd < 0 && errno == EROFS) {
 			mode = O_RDONLY;
-			dfd = open(try, mode);
+			lfd = rc = open(try, mode);
 		}
-		if (dfd < 0) {
+		if (lfd < 0) {
 			if (errno == ENXIO) {
 				/* Happens if loop module is not loaded */
-				rc = -1;
+				/* rc is -1; */
 				break;
 			}
-			goto try_again;
+			goto try_next_loopN;
 		}
-		rc = ioctl(dfd, BB_LOOP_GET_STATUS, &loopinfo);
+		rc = ioctl(lfd, BB_LOOP_GET_STATUS, &loopinfo);
-		/* If device is free, claim it.  */
+		/* If device is free, try to claim it */
 		if (rc && errno == ENXIO) {
-			/* Associate free loop device with file.  */
+			/* Associate free loop device with file */
-			if (ioctl(dfd, LOOP_SET_FD, ffd) == 0) {
+			if (ioctl(lfd, LOOP_SET_FD, ffd)) {
 				/* Ouch. Are we racing with other mount? */
 				if (!*device   /* yes */
 				 && try != dev /* tried a _kernel-offered_ loopN? */
 				) {
 					free(try);
 					close(lfd);
 //TODO: add "if (--failcount != 0) ..."?
 					goto get_free_loopN;
 				}
 				goto try_next_loopN;
 			}
 			memset(&loopinfo, 0, sizeof(loopinfo));
 			safe_strncpy((char *)loopinfo.lo_file_name, file, LO_NAME_SIZE);
 			loopinfo.lo_offset = offset;
@ -190,35 +196,37 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
 			/*
 			 * Used by mount to set LO_FLAGS_AUTOCLEAR.
 			 * LO_FLAGS_READ_ONLY is not set because RO is controlled by open type of the file.
-				 * Note that closing LO_FLAGS_AUTOCLEARed dfd before mount
+			 * Note that closing LO_FLAGS_AUTOCLEARed lfd before mount
 			 * is wrong (would free the loop device!)
 			 */
 			loopinfo.lo_flags = (flags & ~BB_LO_FLAGS_READ_ONLY);
-				rc = ioctl(dfd, BB_LOOP_SET_STATUS, &loopinfo);
+			rc = ioctl(lfd, BB_LOOP_SET_STATUS, &loopinfo);
 			if (rc != 0 && (loopinfo.lo_flags & BB_LO_FLAGS_AUTOCLEAR)) {
 				/* Old kernel, does not support LO_FLAGS_AUTOCLEAR? */
 				/* (this code path is not tested) */
 				loopinfo.lo_flags -= BB_LO_FLAGS_AUTOCLEAR;
-					rc = ioctl(dfd, BB_LOOP_SET_STATUS, &loopinfo);
+				rc = ioctl(lfd, BB_LOOP_SET_STATUS, &loopinfo);
 			}
 				if (rc != 0) {
 					ioctl(dfd, LOOP_CLR_FD, 0); // actually, 0 param is unnecessary
 				}
 			}
 		} else {
 			rc = -1;
 		}
 		if (rc != 0) {
 			close(dfd);
 		}
 try_again:
 		if (*device) break;
 	}
 	close(ffd);
 			if (rc == 0) {
-		if (!*device)
+				/* SUCCESS! */
 				if (try != dev) /* tried a kernel-offered free loopN? */
 					*device = try; /* malloced */
 				if (!*device)   /* was looping in search of free "/dev/loopN"? */
 					*device = xstrdup(dev);
-		return dfd;
+				rc = lfd; /* return this */
 				break;
 			}
 			/* failure, undo LOOP_SET_FD */
 			ioctl(lfd, LOOP_CLR_FD, 0); // actually, 0 param is unnecessary
 		}
 		/* else: device is not free (rc == 0) or error other than ENXIO */
 		close(lfd);
 try_next_loopN:
 		rc = -1;
 		if (*device) /* was looking for a particular "/dev/loopN"? */
 			break; /* yes, do not try other names */
 	} /* for() */
 	close(ffd);
 	return rc;
 }