mount: fix a race when a free loop device is snatched under us by another mount.

function                                             old     new   delta
set_loop                                             850     809     -41

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko 2020-12-17 15:05:14 +01:00
parent cd48f07117
commit 4bc59a4cf7


@ -98,9 +98,7 @@ int FAST_FUNC get_free_loop(void)
/* Returns opened fd to the loop device, <0 on error. /* Returns opened fd to the loop device, <0 on error.
* *device is loop device to use, or if *device==NULL finds a loop device to * *device is loop device to use, or if *device==NULL finds a loop device to
* mount it on and sets *device to a strdup of that loop device name. This * mount it on and sets *device to a strdup of that loop device name.
* search will re-use an existing loop device already bound to that
* file/offset if it finds one.
*/ */
int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offset, int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offset,
unsigned long long sizelimit, unsigned flags) unsigned long long sizelimit, unsigned flags)
@ -109,9 +107,7 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
char *try; char *try;
bb_loop_info loopinfo; bb_loop_info loopinfo;
struct stat statbuf; struct stat statbuf;
int i, dfd, ffd, mode, rc; int i, lfd, ffd, mode, rc;
rc = dfd = -1;
/* Open the file. Barf if this doesn't work. */ /* Open the file. Barf if this doesn't work. */
mode = (flags & BB_LO_FLAGS_READ_ONLY) ? O_RDONLY : O_RDWR; mode = (flags & BB_LO_FLAGS_READ_ONLY) ? O_RDONLY : O_RDWR;
@ -127,24 +123,23 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
try = *device; try = *device;
if (!try) { if (!try) {
get_free_loopN:
i = get_free_loop(); i = get_free_loop();
if (i == -2) { /* no /dev/loop-control */
i = 0;
try = dev;
goto old_style;
}
if (i == -1) { if (i == -1) {
close(ffd); close(ffd);
return -1; /* no free loop devices */ return -1; /* no free loop devices */
} }
try = *device = xasprintf(LOOP_FORMAT, i); if (i >= 0) {
goto try_to_open; try = xasprintf(LOOP_FORMAT, i);
goto open_lfd;
}
/* i == -2: no /dev/loop-control. Do an old-style search for a free device */
try = dev;
} }
old_style: /* Find a loop device */
/* Find a loop device. */ /* 0xfffff is a max possible minor number in Linux circa 2010 */
/* 1048575 (0xfffff) is a max possible minor number in Linux circa 2010 */ for (i = 0; i <= 0xfffff; i++) {
for (i = 0; rc && i < 1048576; i++) {
sprintf(dev, LOOP_FORMAT, i); sprintf(dev, LOOP_FORMAT, i);
IF_FEATURE_MOUNT_LOOP_CREATE(errno = 0;) IF_FEATURE_MOUNT_LOOP_CREATE(errno = 0;)
@ -153,72 +148,85 @@ int FAST_FUNC set_loop(char **device, const char *file, unsigned long long offse
&& errno == ENOENT && errno == ENOENT
&& try == dev && try == dev
) { ) {
/* Node doesn't exist, try to create it. */ /* Node doesn't exist, try to create it */
if (mknod(dev, S_IFBLK|0644, makedev(7, i)) == 0) if (mknod(dev, S_IFBLK|0644, makedev(7, i)) == 0)
goto try_to_open; goto open_lfd;
} }
/* Ran out of block devices, return failure. */ /* Ran out of block devices, return failure */
rc = -1; rc = -1;
break; break;
} }
try_to_open: open_lfd:
/* Open the sucker and check its loopiness. */ /* Open the sucker and check its loopiness */
dfd = open(try, mode); lfd = rc = open(try, mode);
if (dfd < 0 && errno == EROFS) { if (lfd < 0 && errno == EROFS) {
mode = O_RDONLY; mode = O_RDONLY;
dfd = open(try, mode); lfd = rc = open(try, mode);
} }
if (dfd < 0) { if (lfd < 0) {
if (errno == ENXIO) { if (errno == ENXIO) {
/* Happens if loop module is not loaded */ /* Happens if loop module is not loaded */
rc = -1; /* rc is -1; */
break; break;
} }
goto try_again; goto try_next_loopN;
} }
rc = ioctl(dfd, BB_LOOP_GET_STATUS, &loopinfo); rc = ioctl(lfd, BB_LOOP_GET_STATUS, &loopinfo);
/* If device is free, claim it. */ /* If device is free, try to claim it */
if (rc && errno == ENXIO) { if (rc && errno == ENXIO) {
/* Associate free loop device with file. */ /* Associate free loop device with file */
if (ioctl(dfd, LOOP_SET_FD, ffd) == 0) { if (ioctl(lfd, LOOP_SET_FD, ffd)) {
memset(&loopinfo, 0, sizeof(loopinfo)); /* Ouch. Are we racing with other mount? */
safe_strncpy((char *)loopinfo.lo_file_name, file, LO_NAME_SIZE); if (!*device /* yes */
loopinfo.lo_offset = offset; && try != dev /* tried a _kernel-offered_ loopN? */
loopinfo.lo_sizelimit = sizelimit; ) {
/* free(try);
* Used by mount to set LO_FLAGS_AUTOCLEAR. close(lfd);
* LO_FLAGS_READ_ONLY is not set because RO is controlled by open type of the file. //TODO: add "if (--failcount != 0) ..."?
* Note that closing LO_FLAGS_AUTOCLEARed dfd before mount goto get_free_loopN;
* is wrong (would free the loop device!)
*/
loopinfo.lo_flags = (flags & ~BB_LO_FLAGS_READ_ONLY);
rc = ioctl(dfd, BB_LOOP_SET_STATUS, &loopinfo);
if (rc != 0 && (loopinfo.lo_flags & BB_LO_FLAGS_AUTOCLEAR)) {
/* Old kernel, does not support LO_FLAGS_AUTOCLEAR? */
/* (this code path is not tested) */
loopinfo.lo_flags -= BB_LO_FLAGS_AUTOCLEAR;
rc = ioctl(dfd, BB_LOOP_SET_STATUS, &loopinfo);
}
if (rc != 0) {
ioctl(dfd, LOOP_CLR_FD, 0); // actually, 0 param is unnecessary
} }
goto try_next_loopN;
} }
} else { memset(&loopinfo, 0, sizeof(loopinfo));
rc = -1; safe_strncpy((char *)loopinfo.lo_file_name, file, LO_NAME_SIZE);
loopinfo.lo_offset = offset;
loopinfo.lo_sizelimit = sizelimit;
/*
* Used by mount to set LO_FLAGS_AUTOCLEAR.
* LO_FLAGS_READ_ONLY is not set because RO is controlled by open type of the file.
* Note that closing LO_FLAGS_AUTOCLEARed lfd before mount
* is wrong (would free the loop device!)
*/
loopinfo.lo_flags = (flags & ~BB_LO_FLAGS_READ_ONLY);
rc = ioctl(lfd, BB_LOOP_SET_STATUS, &loopinfo);
if (rc != 0 && (loopinfo.lo_flags & BB_LO_FLAGS_AUTOCLEAR)) {
/* Old kernel, does not support LO_FLAGS_AUTOCLEAR? */
/* (this code path is not tested) */
loopinfo.lo_flags -= BB_LO_FLAGS_AUTOCLEAR;
rc = ioctl(lfd, BB_LOOP_SET_STATUS, &loopinfo);
}
if (rc == 0) {
/* SUCCESS! */
if (try != dev) /* tried a kernel-offered free loopN? */
*device = try; /* malloced */
if (!*device) /* was looping in search of free "/dev/loopN"? */
*device = xstrdup(dev);
rc = lfd; /* return this */
break;
}
/* failure, undo LOOP_SET_FD */
ioctl(lfd, LOOP_CLR_FD, 0); // actually, 0 param is unnecessary
} }
if (rc != 0) { /* else: device is not free (rc == 0) or error other than ENXIO */
close(dfd); close(lfd);
} try_next_loopN:
try_again: rc = -1;
if (*device) break; if (*device) /* was looking for a particular "/dev/loopN"? */
} break; /* yes, do not try other names */
} /* for() */
close(ffd); close(ffd);
if (rc == 0) {
if (!*device)
*device = xstrdup(dev);
return dfd;
}
return rc; return rc;
} }
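Review bot: The new retry in the `LOOP_SET_FD` failure branch jumps back to `get_free_loopN` on any error, with no bound and no errno check, which the `//TODO: add "if (--failcount != 0) ..."?` line already hints at. If the ioctl fails for a reason other than a lost race (which should surface as EBUSY), `get_free_loop()` will presumably offer the same free device again and mount spins indefinitely. I would restrict the retry to `if (!*device && try != dev && errno == EBUSY && --failcount != 0)`, with a small `failcount` declared next to `lfd`. Separately, when a kernel-offered `try` reaches `try_next_loopN` (for example after `open()` fails), `*device` is still NULL, so the `for` continues and reopens the same malloced name while `i` advances; that path looks like it should free `try` and stop instead. Parts of set_loop's body lie between the hunks and are not visible here, so both points should be checked against the full function.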