5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Feb 2023 14:15:02 +0000 (15:15 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Feb 2023 14:15:02 +0000 (15:15 +0100)
added patches:
aio-fix-mremap-after-fork-null-deref.patch
btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
netfilter-nft_tproxy-restrict-to-prerouting-hook.patch

queue-5.4/aio-fix-mremap-after-fork-null-deref.patch [new file with mode: 0644]
queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/aio-fix-mremap-after-fork-null-deref.patch b/queue-5.4/aio-fix-mremap-after-fork-null-deref.patch
new file mode 100644 (file)
index 0000000..1fa23c1
--- /dev/null
@@ -0,0 +1,49 @@
+From 81e9d6f8647650a7bead74c5f926e29970e834d1 Mon Sep 17 00:00:00 2001
+From: Seth Jenkins <sethjenkins@google.com>
+Date: Tue, 31 Jan 2023 12:25:55 -0500
+Subject: aio: fix mremap after fork null-deref
+
+From: Seth Jenkins <sethjenkins@google.com>
+
+commit 81e9d6f8647650a7bead74c5f926e29970e834d1 upstream.
+
+Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced
+a null-deref if mremap is called on an old aio mapping after fork as
+mm->ioctx_table will be set to NULL.
+
+[jmoyer@redhat.com: fix 80 column issue]
+Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com
+Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
+Signed-off-by: Seth Jenkins <sethjenkins@google.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/aio.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -336,6 +336,9 @@ static int aio_ring_mremap(struct vm_are
+       spin_lock(&mm->ioctx_lock);
+       rcu_read_lock();
+       table = rcu_dereference(mm->ioctx_table);
++      if (!table)
++              goto out_unlock;
++
+       for (i = 0; i < table->nr; i++) {
+               struct kioctx *ctx;
+@@ -349,6 +352,7 @@ static int aio_ring_mremap(struct vm_are
+               }
+       }
++out_unlock:
+       rcu_read_unlock();
+       spin_unlock(&mm->ioctx_lock);
+       return res;
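Review bot: The new `goto out_unlock` in aio_ring_mremap returns whatever `res` already holds, and its initialisation is outside this hunk, so the backport should be checked against the 5.4 `fs/aio.c` to confirm the NULL-table path returns an error rather than 0. The check also carries no comment; something like `/* after fork the mm can still hold an old aio mapping while ioctx_table is NULL */` above `if (!table)` would record why a mapped ring can exist without a table. The label sits before `rcu_read_unlock()` and `spin_unlock()`, so both locks taken at the top of the hunk are released on the early exit.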
diff --git a/queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch b/queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
new file mode 100644 (file)
index 0000000..7e9b8da
--- /dev/null
@@ -0,0 +1,65 @@
+From 5f58d783fd7823b2c2d5954d1126e702f94bfc4c Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Fri, 20 Jan 2023 21:47:16 +0800
+Subject: btrfs: free device in btrfs_close_devices for a single device filesystem
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit 5f58d783fd7823b2c2d5954d1126e702f94bfc4c upstream.
+
+We have this check to make sure we don't accidentally add older devices
+that may have disappeared and re-appeared with an older generation from
+being added to an fs_devices (such as a replace source device). This
+makes sense, we don't want stale disks in our file system. However for
+single disks this doesn't really make sense.
+
+I've seen this in testing, but I was provided a reproducer from a
+project that builds btrfs images on loopback devices. The loopback
+device gets cached with the new generation, and then if it is re-used to
+generate a new file system we'll fail to mount it because the new fs is
+"older" than what we have in cache.
+
+Fix this by freeing the cache when closing the device for a single device
+filesystem. This will ensure that the mount command passed device path is
+scanned successfully during the next mount.
+
+CC: stable@vger.kernel.org # 5.10+
+Reported-by: Daan De Meyer <daandemeyer@fb.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -354,6 +354,7 @@ void btrfs_free_device(struct btrfs_devi
+ static void free_fs_devices(struct btrfs_fs_devices *fs_devices)
+ {
+       struct btrfs_device *device;
++
+       WARN_ON(fs_devices->opened);
+       while (!list_empty(&fs_devices->devices)) {
+               device = list_entry(fs_devices->devices.next,
+@@ -1401,6 +1402,17 @@ int btrfs_close_devices(struct btrfs_fs_
+       if (!fs_devices->opened) {
+               seed_devices = fs_devices->seed;
+               fs_devices->seed = NULL;
++
++              /*
++               * If the struct btrfs_fs_devices is not assembled with any
++               * other device, it can be re-initialized during the next mount
++               * without the needing device-scan step. Therefore, it can be
++               * fully freed.
++               */
++              if (fs_devices->num_devices == 1) {
++                      list_del(&fs_devices->fs_list);
++                      free_fs_devices(fs_devices);
++              }
+       }
+       mutex_unlock(&uuid_mutex);
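Review bot: After `free_fs_devices(fs_devices)` in the `num_devices == 1` branch of btrfs_close_devices, `fs_devices` points at freed memory, so the remainder of the function (beyond this hunk) and any caller still holding the pointer must not dereference it; the 5.4 body should be read through to its return to confirm that. The upstream tag reads `CC: stable@vger.kernel.org # 5.10+`, while this copy is queued for 5.4 and carries a second Anand Jain sign-off, which suggests a manual backport. The seed handling around `fs_devices->seed` may therefore differ from the tree the fix was written for, and is worth a targeted mount/unmount test with a single-device filesystem and with a seed device.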
diff --git a/queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch b/queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
new file mode 100644 (file)
index 0000000..086a0cf
--- /dev/null
@@ -0,0 +1,45 @@
+From 18bbc3213383a82b05383827f4b1b882e3f0a5a5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 20 Aug 2022 17:54:06 +0200
+Subject: netfilter: nft_tproxy: restrict to prerouting hook
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 18bbc3213383a82b05383827f4b1b882e3f0a5a5 upstream.
+
+TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
+This fixes a crash (null dereference) when using tproxy from e.g. output.
+
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Reported-by: Shell Chen <xierch@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Qingfang DENG <dqfext@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tproxy.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -289,6 +289,13 @@ static int nft_tproxy_dump(struct sk_buf
+       return 0;
+ }
++static int nft_tproxy_validate(const struct nft_ctx *ctx,
++                             const struct nft_expr *expr,
++                             const struct nft_data **data)
++{
++      return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
++}
++
+ static struct nft_expr_type nft_tproxy_type;
+ static const struct nft_expr_ops nft_tproxy_ops = {
+       .type           = &nft_tproxy_type,
+@@ -296,6 +303,7 @@ static const struct nft_expr_ops nft_tpr
+       .eval           = nft_tproxy_eval,
+       .init           = nft_tproxy_init,
+       .dump           = nft_tproxy_dump,
++      .validate       = nft_tproxy_validate,
+ };
+ static struct nft_expr_type nft_tproxy_type __read_mostly = {
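Review bot: nft_tproxy_validate checks only the hook mask of `ctx->chain`, so whether a tproxy rule placed in a regular chain and reached by jump or goto from a non-prerouting base chain is rejected depends on how the 5.4 chain-validation walk sets `ctx->chain`. That code is outside this hunk, and the backport should be confirmed with a ruleset of that shape, since the commit message describes the unrestricted case as a null dereference. The new function has no comment; `/* TPROXY is only valid from prerouting; reject other hooks when the rule is validated */` above it would tie the restriction to that crash.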
index 5b44cb63f9f7c22d5bb506b31931967979653c68..ce8a39f86972707c42e540513d6658f1d1513f6d 100644 (file)
@@ -96,3 +96,6 @@ net-stmmac-do-not-stop-rx_clk-in-rx-lpi-state-for-qc.patch
 net-sched-sch-bounds-check-priority.patch
 s390-decompressor-specify-__decompress-buf-len-to-av.patch
 nvme-fc-fix-a-missing-queue-put-in-nvmet_fc_ls_creat.patch
+aio-fix-mremap-after-fork-null-deref.patch
+btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
+netfilter-nft_tproxy-restrict-to-prerouting-hook.patch