loop_change_fd() and loop_configure() call loop_check_backing_file() to validate the new backing file. If validation fails, the reference acquired by fget() was not dropped, leaking a file reference.
Fix this by calling fput(file) before returning the error.
Cc: stable@vger.kernel.org Cc: "Markus Elfring"Markus.Elfring@web.de CC: "Yang Erkun" yangerkun@huawei.com Cc: "Ming Lei"ming.lei@redhat.com Cc: "Yu Kuai"yukuai1@huaweicloud.com Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter") Signed-off-by: Li Chen chenl311@chinatelecom.cn Reviewed-by: Ming Lei ming.lei@redhat.com Reviewed-by: Yang Erkun yangerkun@huawei.com --- changelog: v2: add review by, Fixes and cc stable tags.
drivers/block/loop.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c index 053a086d547e..94ec7f747f36 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_device *lo, struct block_device *bdev, return -EBADF;
error = loop_check_backing_file(file); - if (error) + if (error) { + fput(file); return error; + }
/* suppress uevents while reconfiguring the device */ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1); @@ -993,8 +995,10 @@ static int loop_configure(struct loop_device *lo, blk_mode_t mode, return -EBADF;
error = loop_check_backing_file(file); - if (error) + if (error) { + fput(file); return error; + }
is_loop = is_loop_device(file);