From: Greg Kroah-Hartman Date: Thu, 17 May 2018 09:38:37 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.16.10~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74075cd6724914a10d46ae9699e782759b2efecf;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch xfrm-use-__skb_queue_tail-in-xfrm_trans_queue.patch
---
diff --git a/queue-4.14/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch b/queue-4.14/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch
new file mode 100644
index 00000000000..43152476cd5
--- /dev/null
+++ b/queue-4.14/btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch
@@ -0,0 +1,71 @@
+From 998ac6d21cfd6efd58f5edf420bae8839dda9f2a Mon Sep 17 00:00:00 2001
+From: ethanwu
+Date: Sun, 29 Apr 2018 15:59:42 +0800
+Subject: btrfs: Take trans lock before access running trans in check_delayed_ref
+
+From: ethanwu
+
+commit 998ac6d21cfd6efd58f5edf420bae8839dda9f2a upstream.
+
+In preivous patch:
+Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist
+We avoid starting btrfs transaction and get this information from
+fs_info->running_transaction directly.
+
+When accessing running_transaction in check_delayed_ref, there's a
+chance that current transaction will be freed by commit transaction
+after the NULL pointer check of running_transaction is passed.
+
+After looking all the other places using fs_info->running_transaction,
+they are either protected by trans_lock or holding the transactions.
+
+Fix this by using trans_lock and increasing the use_count.
+
+Fixes: e4c3b2dcd144 ("Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: ethanwu
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/extent-tree.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3171,7 +3171,11 @@ static noinline int check_delayed_ref(st
+ struct btrfs_transaction *cur_trans;
+ int ret = 0;
+ 
++ spin_lock(&root->fs_info->trans_lock);
+ cur_trans = root->fs_info->running_transaction;
++ if (cur_trans)
++ refcount_inc(&cur_trans->use_count);
++ spin_unlock(&root->fs_info->trans_lock);
+ if (!cur_trans)
+ return 0;
+ 
+@@ -3180,6 +3184,7 @@ static noinline int check_delayed_ref(st
+ head = btrfs_find_delayed_ref_head(delayed_refs, bytenr);
+ if (!head) {
+ spin_unlock(&delayed_refs->lock);
++ btrfs_put_transaction(cur_trans);
+ return 0;
+ }
+ 
+@@ -3196,6 +3201,7 @@ static noinline int check_delayed_ref(st
+ mutex_lock(&head->mutex);
+ mutex_unlock(&head->mutex);
+ btrfs_put_delayed_ref(&head->node);
++ btrfs_put_transaction(cur_trans);
+ return -EAGAIN;
+ }
+ spin_unlock(&delayed_refs->lock);
+@@ -3223,6 +3229,7 @@ static noinline int check_delayed_ref(st
+ }
+ spin_unlock(&head->lock);
+ mutex_unlock(&head->mutex);
++ btrfs_put_transaction(cur_trans);
+ return ret;
+ }
+ 
diff --git a/queue-4.14/series b/queue-4.14/series
index 4d958a7246c..dfd51be8bca 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -38,3 +38,5 @@ net-mlx5e-allow-offloading-ipv4-header-re-write-for-icmp.patch
 nsh-fix-infinite-loop.patch
 udp-fix-so_bindtodevice.patch
 scsi-aacraid-correct-hba_send-to-include-iu_type.patch
+xfrm-use-__skb_queue_tail-in-xfrm_trans_queue.patch
+btrfs-take-trans-lock-before-access-running-trans-in-check_delayed_ref.patch
diff --git a/queue-4.14/xfrm-use-__skb_queue_tail-in-xfrm_trans_queue.patch b/queue-4.14/xfrm-use-__skb_queue_tail-in-xfrm_trans_queue.patch
new file mode 100644
index 00000000000..a5085cc58d2
--- /dev/null
+++ b/queue-4.14/xfrm-use-__skb_queue_tail-in-xfrm_trans_queue.patch
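Review bot: The reference-taking sequence added at the first inner hunk (`@@ -3171`) carries no comment explaining why use_count is bumped under trans_lock, so the pairing with the three `btrfs_put_transaction(cur_trans)` calls added further down is easy to break on a later edit; add `/* Hold a ref on cur_trans: a concurrent commit may free it once trans_lock is dropped. */` above the new `spin_lock(&root->fs_info->trans_lock);` line. Every return path of check_delayed_ref must now release that reference; the three exits visible in the inner hunks do, but the new-side stretches between them (3191-3200 and 3208-3228) are not part of this patch, so confirm no other early return exists there, otherwise the transaction reference leaks and the commit can never free it. check_delayed_ref's signature and the remainder of its body lie outside the hunks shown.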
@@ -0,0 +1,36 @@
+From d16b46e4fd8bc6063624605f25b8c0835bb1fbe3 Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Thu, 4 Jan 2018 22:25:07 +1100
+Subject: xfrm: Use __skb_queue_tail in xfrm_trans_queue
+
+From: Herbert Xu
+
+commit d16b46e4fd8bc6063624605f25b8c0835bb1fbe3 upstream.
+
+We do not need locking in xfrm_trans_queue because it is designed
+to use per-CPU buffers. However, the original code incorrectly
+used skb_queue_tail which takes the lock. This patch switches
+it to __skb_queue_tail instead.
+
+Reported-and-tested-by: Artem Savkov
+Fixes: acf568ee859f ("xfrm: Reinject transport-mode packets...")
+Signed-off-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Alistair Strachan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -518,7 +518,7 @@ int xfrm_trans_queue(struct sk_buff *skb
+ return -ENOBUFS;
+ 
+ XFRM_TRANS_SKB_CB(skb)->finish = finish;
+- skb_queue_tail(&trans->queue, skb);
++ __skb_queue_tail(&trans->queue, skb);
+ tasklet_schedule(&trans->tasklet);
+ return 0;
+ }
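Review bot: The switch to `__skb_queue_tail` in the `@@ -518` hunk relies on an invariant stated only in the commit message — the queue is per-CPU and is only touched from that CPU with bottom halves disabled — and nothing at the call site records it, so a later reader sees an unlocked list insertion with no visible justification. Add `/* per-CPU queue, only touched on this CPU with BH disabled: no lock needed */` above the `__skb_queue_tail(&trans->queue, skb);` line. How `trans` is obtained and the tasklet that drains `trans->queue` are both outside the hunk, so it cannot be confirmed here that every other access also uses the lockless helpers or that xfrm_trans_queue is never entered with BH enabled; both should be checked, because a single locked-vs-unlocked mismatch on this list is a corruption risk rather than a performance detail. xfrm_trans_queue's body begins before the hunk.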