From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 15 Nov 2021 13:59:31 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v5.4.160~51
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5d4bf5efbadfd1d76b3c6d4159d8946ec3cf9dd1;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	9p-net-fix-missing-error-check-in-p9_check_errors.patch
	ovl-fix-deadlock-in-splice-write.patch
---

diff --git a/queue-5.4/9p-net-fix-missing-error-check-in-p9_check_errors.patch b/queue-5.4/9p-net-fix-missing-error-check-in-p9_check_errors.patch
new file mode 100644
index 00000000000..94061a49a23
--- /dev/null
+++ b/queue-5.4/9p-net-fix-missing-error-check-in-p9_check_errors.patch
@@ -0,0 +1,29 @@
+From 27eb4c3144f7a5ebef3c9a261d80cb3e1fa784dc Mon Sep 17 00:00:00 2001
+From: Dominique Martinet <asmadeus@codewreck.org>
+Date: Tue, 2 Nov 2021 19:47:47 +0900
+Subject: 9p/net: fix missing error check in p9_check_errors
+
+From: Dominique Martinet <asmadeus@codewreck.org>
+
+commit 27eb4c3144f7a5ebef3c9a261d80cb3e1fa784dc upstream.
+
+Link: https://lkml.kernel.org/r/99338965-d36c-886e-cd0e-1d8fff2b4746@gmail.com
+Reported-by: syzbot+06472778c97ed94af66d@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/client.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -538,6 +538,8 @@ static int p9_check_errors(struct p9_cli
+ 		kfree(ename);
+ 	} else {
+ 		err = p9pdu_readf(&req->rc, c->proto_version, "d", &ecode);
++		if (err)
++			goto out_err;
+ 		err = -ecode;
+ 
+ 		p9_debug(P9_DEBUG_9P, "<<< RLERROR (%d)\n", -ecode);
diff --git a/queue-5.4/ovl-fix-deadlock-in-splice-write.patch b/queue-5.4/ovl-fix-deadlock-in-splice-write.patch
new file mode 100644
index 00000000000..7e62b82c515
--- /dev/null
+++ b/queue-5.4/ovl-fix-deadlock-in-splice-write.patch
@@ -0,0 +1,104 @@
+From 9b91b6b019fda817eb52f728eb9c79b3579760bc Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 28 Jul 2021 10:38:43 +0200
+Subject: ovl: fix deadlock in splice write
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 9b91b6b019fda817eb52f728eb9c79b3579760bc upstream.
+
+There's possibility of an ABBA deadlock in case of a splice write to an
+overlayfs file and a concurrent splice write to a corresponding real file.
+
+The call chain for splice to an overlay file:
+
+ -> do_splice                     [takes sb_writers on overlay file]
+   -> do_splice_from
+     -> iter_file_splice_write    [takes pipe->mutex]
+       -> vfs_iter_write
+         ...
+         -> ovl_write_iter        [takes sb_writers on real file]
+
+And the call chain for splice to a real file:
+
+ -> do_splice                     [takes sb_writers on real file]
+   -> do_splice_from
+     -> iter_file_splice_write    [takes pipe->mutex]
+
+Syzbot successfully bisected this to commit 82a763e61e2b ("ovl: simplify
+file splice").
+
+Fix by reverting the write part of the above commit and by adding missing
+bits from ovl_write_iter() into ovl_splice_write().
+
+Fixes: 82a763e61e2b ("ovl: simplify file splice")
+Reported-and-tested-by: syzbot+579885d1a9a833336209@syzkaller.appspotmail.com
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/file.c |   47 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 46 insertions(+), 1 deletion(-)
+
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -296,6 +296,51 @@ out_unlock:
+ 	return ret;
+ }
+ 
++/*
++ * Calling iter_file_splice_write() directly from overlay's f_op may deadlock
++ * due to lock order inversion between pipe->mutex in iter_file_splice_write()
++ * and file_start_write(real.file) in ovl_write_iter().
++ *
++ * So do everything ovl_write_iter() does and call iter_file_splice_write() on
++ * the real file.
++ */
++static ssize_t ovl_splice_write(struct pipe_inode_info *pipe, struct file *out,
++				loff_t *ppos, size_t len, unsigned int flags)
++{
++	struct fd real;
++	const struct cred *old_cred;
++	struct inode *inode = file_inode(out);
++	struct inode *realinode = ovl_inode_real(inode);
++	ssize_t ret;
++
++	inode_lock(inode);
++	/* Update mode */
++	ovl_copyattr(realinode, inode);
++	ret = file_remove_privs(out);
++	if (ret)
++		goto out_unlock;
++
++	ret = ovl_real_fdget(out, &real);
++	if (ret)
++		goto out_unlock;
++
++	old_cred = ovl_override_creds(inode->i_sb);
++	file_start_write(real.file);
++
++	ret = iter_file_splice_write(pipe, real.file, ppos, len, flags);
++
++	file_end_write(real.file);
++	/* Update size */
++	ovl_copyattr(realinode, inode);
++	revert_creds(old_cred);
++	fdput(real);
++
++out_unlock:
++	inode_unlock(inode);
++
++	return ret;
++}
++
+ static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+ {
+ 	struct fd real;
+@@ -653,7 +698,7 @@ const struct file_operations ovl_file_op
+ 	.unlocked_ioctl	= ovl_ioctl,
+ 	.compat_ioctl	= ovl_compat_ioctl,
+ 	.splice_read    = generic_file_splice_read,
+-	.splice_write   = iter_file_splice_write,
++	.splice_write   = ovl_splice_write,
+ 
+ 	.copy_file_range	= ovl_copy_file_range,
+ 	.remap_file_range	= ovl_remap_file_range,
diff --git a/queue-5.4/series b/queue-5.4/series
index 6d0b2699b33..f0ab36b87e7 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -339,3 +339,5 @@ parisc-fix-set_fixmap-on-pa1.x-cpus.patch
 irqchip-sifive-plic-fixup-eoi-failed-when-masked.patch
 f2fs-should-use-gfp_nofs-for-directory-inodes.patch
 net-neigh-enable-state-migration-between-nud_permane.patch
+9p-net-fix-missing-error-check-in-p9_check_errors.patch
+ovl-fix-deadlock-in-splice-write.patch