From: Greg Kroah-Hartman
Date: Fri, 3 Jun 2022 17:04:00 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.317~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80af004a4f12260755c0e267e01ee42d2d8f64ff;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch
nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch
---
diff --git a/queue-4.9/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch b/queue-4.9/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch
new file mode 100644
index 00000000000..5654a274dfe
--- /dev/null
+++ b/queue-4.9/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch
@@ -0,0 +1,44 @@
+From 45969b4152c1752089351cd6836a42a566d49bcf Mon Sep 17 00:00:00 2001
+From: Liu Jian
+Date: Sat, 16 Apr 2022 18:57:59 +0800
+Subject: bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes
+
+From: Liu Jian
+
+commit 45969b4152c1752089351cd6836a42a566d49bcf upstream.
+
+The data length of skb frags + frag_list may be greater than 0xffff, and
+skb_header_pointer can not handle negative offset. So, here INT_MAX is used
+to check the validity of offset. Add the same change to the related function
+skb_store_bytes.
+
+Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
+Signed-off-by: Liu Jian
+Signed-off-by: Daniel Borkmann
+Acked-by: Song Liu
+Link: https://lore.kernel.org/bpf/20220416105801.88708-2-liujian56@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1388,7 +1388,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct s
+
+ if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
+ return -EINVAL;
+- if (unlikely(offset > 0xffff))
++ if (unlikely(offset > INT_MAX))
+ return -EFAULT;
+ if (unlikely(bpf_try_make_writable(skb, offset + len)))
+ return -EFAULT;
+@@ -1423,7 +1423,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const str
+ {
+ void *ptr;
+
+- if (unlikely(offset > 0xffff))
++ if (unlikely(offset > INT_MAX))
+ goto err_clear;
+
+ ptr = skb_header_pointer(skb, offset, len, to);
diff --git a/queue-4.9/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch b/queue-4.9/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch
new file mode 100644
index 00000000000..e1d1f8d3fb4
--- /dev/null
+++ b/queue-4.9/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch
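Review bot: The widened bound in bpf_skb_store_bytes now admits offsets up to INT_MAX, yet two lines below it `bpf_try_make_writable(skb, offset + len)` adds `len` in what is presumably u32 arithmetic, so the new guard is only sufficient if `len` cannot carry the sum past UINT_MAX, and the patch does not say where that bound comes from. If, as I would expect, the verifier limits `len` to the size of the `from` buffer, a one-line comment next to the check would make that dependency explicit: `/* offset + len cannot wrap: the verifier bounds len by the size of the source buffer */`. The same applies to the bpf_skb_load_bytes hunk, where the INT_MAX bound is what keeps the `offset` handed to skb_header_pointer's int parameter non-negative and deserves the same comment. Both helper bodies continue outside the hunk, so any further use of `offset + len` there should be checked against the same assumption.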
@@ -0,0 +1,51 @@
+From ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Sat, 21 May 2022 19:06:13 -0400
+Subject: NFSD: Fix possible sleep during nfsd4_release_lockowner()
+
+From: Chuck Lever
+
+commit ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b upstream.
+
+nfsd4_release_lockowner() holds clp->cl_lock when it calls
+check_for_locks(). However, check_for_locks() calls nfsd_file_get()
+/ nfsd_file_put() to access the backing inode's flc_posix list, and
+nfsd_file_put() can sleep if the inode was recently removed.
+
+Let's instead rely on the stateowner's reference count to gate
+whether the release is permitted. This should be a reliable
+indication of locks-in-use since file lock operations and
+->lm_get_owner take appropriate references, which are released
+appropriately when file locks are removed.
+
+Reported-by: Dai Ngo
+Signed-off-by: Chuck Lever
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6342,16 +6342,12 @@ nfsd4_release_lockowner(struct svc_rqst
+ if (sop->so_is_open_owner || !same_owner_str(sop, owner))
+ continue;
+
+- /* see if there are still any locks associated with it */
+- lo = lockowner(sop);
+- list_for_each_entry(stp, &sop->so_stateids, st_perstateowner) {
+- if (check_for_locks(stp->st_stid.sc_file, lo)) {
+- status = nfserr_locks_held;
+- spin_unlock(&clp->cl_lock);
+- return status;
+- }
++ if (atomic_read(&sop->so_count) != 1) {
++ spin_unlock(&clp->cl_lock);
++ return nfserr_locks_held;
+ }
+
++ lo = lockowner(sop);
+ nfs4_get_stateowner(sop);
+ break;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index 067405c4349..9406a864184 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
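Review bot: The new `if (atomic_read(&sop->so_count) != 1)` test drops the removed `/* see if there are still any locks associated with it */` comment without replacing it, so the code no longer says why a count of exactly 1 means no locks are held; that reasoning now lives only in the commit message. I would put a comment above the check along the lines of `/* only the list's own reference remains: no file lock (lm_get_owner) still holds this owner */` so the invariant the refcount encodes is visible at the site. The bare `1` warrants that note because the check silently assumes every other so_count holder is lock-related; any future caller holding a temporary reference across this path would turn a legitimate release into nfserr_locks_held. nfsd4_release_lockowner's body starts and ends outside the hunk, and since the removed lines were the ones assigning `status`, it is worth confirming the variable is still used elsewhere in the function.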
@@ -8,3 +8,5 @@ dm-crypt-make-printing-of-the-key-constant-time.patch
 dm-stats-add-cond_resched-when-looping-over-entries.patch
 dm-verity-set-dm_target_immutable-feature-flag.patch
 tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch
+nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch
+bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch