From: Greg Kroah-Hartman
Date: Fri, 17 Dec 2021 15:07:51 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.296~63
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=04208859dbe0a2252c7874f636032fbe04544bca;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
nfsd-fix-use-after-free-due-to-delegation-race.patch
recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
---
diff --git a/queue-4.9/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch b/queue-4.9/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
new file mode 100644
index 00000000000..f2a9f377284
--- /dev/null
+++ b/queue-4.9/dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
@@ -0,0 +1,32 @@
+From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Wed, 24 Nov 2021 12:07:39 -0500
+Subject: dm btree remove: fix use after free in rebalance_children()
+
+From: Joe Thornber
+
+commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream.
+
+Move dm_tm_unlock() after dm_tm_dec().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/persistent-data/dm-btree-remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -423,9 +423,9 @@ static int rebalance_children(struct sha
+
+ memcpy(n, dm_block_data(child),
+ dm_bm_block_size(dm_tm_get_bm(info->tm)));
+- dm_tm_unlock(info->tm, child);
+
+ dm_tm_dec(info->tm, dm_block_location(child));
++ dm_tm_unlock(info->tm, child);
+ return 0;
+ }
+
diff --git a/queue-4.9/nfsd-fix-use-after-free-due-to-delegation-race.patch b/queue-4.9/nfsd-fix-use-after-free-due-to-delegation-race.patch
new file mode 100644
index 00000000000..7c49f0478bb
--- /dev/null
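Review bot: The reordered `dm_tm_unlock(info->tm, child);` at the end of the nested hunk carries no comment recording why it now has to follow `dm_tm_dec()`, so a later tidy-up could move the unlock back above the dec and reintroduce the use-after-free this patch fixes. A one-line why-comment above the unlock would pin the ordering, e.g. `/* unlock must come after dm_tm_dec(): unlocking first caused a use-after-free */`. rebalance_children() starts outside the hunk, so whether its other exit paths release child in the same order cannot be checked from here.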
+++ b/queue-4.9/nfsd-fix-use-after-free-due-to-delegation-race.patch 
@@ -0,0 +1,66 @@
+From 548ec0805c399c65ed66c6641be467f717833ab5 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: nfsd: fix use-after-free due to delegation race
+
+From: J. Bruce Fields
+
+commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream.
+
+A delegation break could arrive as soon as we've called vfs_setlease. A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem. So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields
+[Salvatore Bonaccorso: Backport for context changes to versions which do
+not have 20b7d86f29d3 ("nfsd: use boottime for lease expiry calculation")]
+Signed-off-by: Salvatore Bonaccorso
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -955,6 +955,11 @@ hash_delegation_locked(struct nfs4_deleg
+ return 0;
+ }
+
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++ return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -962,7 +967,7 @@ unhash_delegation_locked(struct nfs4_del
+
+ lockdep_assert_held(&state_lock);
+
+- if (list_empty(&dp->dl_perfile))
++ if (!delegation_hashed(dp))
+ return false;
+
+ dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -3882,7 +3887,7 @@ static void nfsd4_cb_recall_prepare(stru
+ * queued for a lease break. Don't queue it again.
+ */
+ spin_lock(&state_lock);
+- if (dp->dl_time == 0) {
++ if (delegation_hashed(dp) && dp->dl_time == 0) {
+ dp->dl_time = get_seconds();
+ list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+ }
diff --git a/queue-4.9/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch b/queue-4.9/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
new file mode 100644
index 00000000000..9772fed9783
--- /dev/null
+++ b/queue-4.9/recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
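Review bot: The new `delegation_hashed()` helper in the first nested hunk reads `dp->dl_perfile` without stating its locking requirement, although both callers the patch adds run under state_lock (`lockdep_assert_held(&state_lock)` in unhash_delegation_locked() and `spin_lock(&state_lock)` just before the check in nfsd4_cb_recall_prepare()); since the helper is new and static these are its only callers, so the requirement can be made explicit rather than left to be rediscovered. The parentheses around the `list_empty()` call are also redundant. Suggested body: `/* Caller must hold state_lock. */` above the function, then `lockdep_assert_held(&state_lock);` and `return !list_empty(&dp->dl_perfile);`. unhash_delegation_locked() and nfsd4_cb_recall_prepare() both continue outside the hunk context shown.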
@@ -0,0 +1,36 @@
+From 85bf17b28f97ca2749968d8786dc423db320d9c2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand
+Date: Fri, 10 Dec 2021 10:38:27 +0100
+Subject: recordmcount.pl: look for jgnop instruction as well as bcrl on s390
+
+From: Jerome Marchand
+
+commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream.
+
+On s390, recordmcount.pl is looking for "bcrl 0," instructions in
+the objdump -d outpout. However since binutils 2.37, objdump -d
+display "jgnop " for the same instruction. Update the
+mcount_regex so that it accepts both.
+
+Signed-off-by: Jerome Marchand
+Reviewed-by: Miroslav Benes
+Acked-by: Steven Rostedt (VMware)
+Cc:
+Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -250,7 +250,7 @@ if ($arch eq "x86_64") {
+
+ } elsif ($arch eq "s390" && $bits == 64) {
+ if ($cc =~ /-DCC_USING_HOTPATCH/) {
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$";
+ $mcount_adjust = 0;
+ } else {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$";
diff --git a/queue-4.9/series b/queue-4.9/series
index 2722fabd34b..2c7bff991d1 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -6,3 +6,6 @@ net-netlink-af_netlink-prevent-empty-skb-by-adding-a.patch
 tracing-fix-a-kmemleak-false-positive-in-tracing_map.patch
 hwmon-dell-smm-fix-warning-on-proc-i8k-creation-error.patch
 mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
+recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
+dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
+nfsd-fix-use-after-free-due-to-delegation-race.patch
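Review bot: The replacement `$mcount_regex` in the nested recordmcount.pl hunk spells the first alternative `bcrl\\s*0,`, while the line it replaces matched `brcl\\s*0,`; if the older objdump output really prints `brcl` as the removed pattern assumed, the new regex matches neither spelling on toolchains before binutils 2.37 and the mcount call sites in the HOTPATCH case are silently dropped, which is a worse outcome than before the change. The letters look transposed rather than intentionally changed (the commit message repeats the same spelling), so the alternation should read `(brcl\\s*0,|jgnop\\s*)` unless there is evidence that an objdump version actually emits `bcrl`. Note also that the new grouping shifts the `<([^\+]*)>` capture from `$2` to `$3`; whether any consumer of this regex reads `$2` cannot be confirmed from the hunk, and the enclosing `if ($arch ...)` chain starts and ends outside it.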