Re: [PATCH] Fix root hole in pktcdvd

From: Peter Osterlund
Date: Tue May 17 2005 - 13:15:27 EST

Next message: James Bottomley: "Re: What breaks aic7xxx in post 2.6.12-rc2 ?"
Previous message: Valdis . Kletnieks: "Re: 2.6.12-rc4-mm2 - sleeping function called from invalid context at mm/slab.c:2502"
In reply to: Al Viro: "Re: [PATCH] Fix root hole in pktcdvd"
Next in thread: Greg KH: "Re: [PATCH] Fix root hole in pktcdvd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Al Viro <viro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> writes:

> On Tue, May 17, 2005 at 06:00:25AM +0100, Al Viro wrote:
> > Same comment as for previous patch. I'll take a look at that sucker,
> > it might happen to be OK, seeing that most of the bdev ->ioctl() instances
> > ignore file argument and we might get away with passing odd stuff to
> > anything that could occur here.
>
> Oh, lovely - pkt_open() opens underlying device, unless we already have our
> device opened. Guess what happens if you open() with O_RDONLY and
> then - with O_RDWR?

You get I/O errors when you submit write requests, which is definitely
not good. I don't know if it also has security implications.

A check got lost in the char dev control device conversion patch. The
patch below fixes it.

-
If you tried to open a packet device first in read-only mode and then
a second time in read-write mode, the second open succeeded even
though the device was not correctly set up for writing. If you then
tried to write data to the device, the writes would fail with I/O
errors.

This patch prevents that problem by making the second open fail with
-EBUSY.

Signed-off-by: Peter Osterlund <petero2@xxxxxxxxx>
---

linux-petero/drivers/block/pktcdvd.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletion(-)

diff -puN drivers/block/pktcdvd.c~packet-multi-open-fix drivers/block/pktcdvd.c
--- linux/drivers/block/pktcdvd.c~packet-multi-open-fix 2005-05-17 19:52:30.000000000 +0200
+++ linux-petero/drivers/block/pktcdvd.c 2005-05-17 19:52:30.000000000 +0200
@@ -2025,7 +2025,13 @@ static int pkt_open(struct inode *inode,
BUG_ON(pd->refcnt < 0);

pd->refcnt++;
- if (pd->refcnt == 1) {
+ if (pd->refcnt > 1) {
+ if ((file->f_mode & FMODE_WRITE) &&
+ !test_bit(PACKET_WRITABLE, &pd->flags)) {
+ ret = -EBUSY;
+ goto out_dec;
+ }
+ } else {
if (pkt_open_dev(pd, file->f_mode & FMODE_WRITE)) {
ret = -EIO;
goto out_dec;
_

--
Peter Osterlund - petero2@xxxxxxxxx
http://web.telia.com/~u89404340
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: James Bottomley: "Re: What breaks aic7xxx in post 2.6.12-rc2 ?"
Previous message: Valdis . Kletnieks: "Re: 2.6.12-rc4-mm2 - sleeping function called from invalid context at mm/slab.c:2502"
In reply to: Al Viro: "Re: [PATCH] Fix root hole in pktcdvd"
Next in thread: Greg KH: "Re: [PATCH] Fix root hole in pktcdvd"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]