From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 17 Feb 2023 14:11:58 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.14.306~60
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1583af707d9cd859f080d47cd4c06859d9f085d8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	aio-fix-mremap-after-fork-null-deref.patch
---

diff --git a/queue-4.14/aio-fix-mremap-after-fork-null-deref.patch b/queue-4.14/aio-fix-mremap-after-fork-null-deref.patch
new file mode 100644
index 00000000000..1afee187e6d
--- /dev/null
+++ b/queue-4.14/aio-fix-mremap-after-fork-null-deref.patch
@@ -0,0 +1,49 @@
+From 81e9d6f8647650a7bead74c5f926e29970e834d1 Mon Sep 17 00:00:00 2001
+From: Seth Jenkins <sethjenkins@google.com>
+Date: Tue, 31 Jan 2023 12:25:55 -0500
+Subject: aio: fix mremap after fork null-deref
+
+From: Seth Jenkins <sethjenkins@google.com>
+
+commit 81e9d6f8647650a7bead74c5f926e29970e834d1 upstream.
+
+Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced
+a null-deref if mremap is called on an old aio mapping after fork as
+mm->ioctx_table will be set to NULL.
+
+[jmoyer@redhat.com: fix 80 column issue]
+Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com
+Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
+Signed-off-by: Seth Jenkins <sethjenkins@google.com>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/aio.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -328,6 +328,9 @@ static int aio_ring_mremap(struct vm_are
+ 	spin_lock(&mm->ioctx_lock);
+ 	rcu_read_lock();
+ 	table = rcu_dereference(mm->ioctx_table);
++	if (!table)
++		goto out_unlock;
++
+ 	for (i = 0; i < table->nr; i++) {
+ 		struct kioctx *ctx;
+ 
+@@ -341,6 +344,7 @@ static int aio_ring_mremap(struct vm_are
+ 		}
+ 	}
+ 
++out_unlock:
+ 	rcu_read_unlock();
+ 	spin_unlock(&mm->ioctx_lock);
+ 	return res;
diff --git a/queue-4.14/series b/queue-4.14/series
index 35a2c98c99c..b0255cecb0a 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -34,3 +34,4 @@ migrate-hugetlb-check-for-hugetlb-shared-pmd-in-node-migration.patch
 tools-virtio-fix-the-vringh-test-for-virtio-ring-cha.patch
 net-rose-fix-to-not-accept-on-connected-socket.patch
 nvme-fc-fix-a-missing-queue-put-in-nvmet_fc_ls_creat.patch
+aio-fix-mremap-after-fork-null-deref.patch