From 0f0d5f3183881bce839d5db5d9bdda902637c999 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 30 Jan 2021 15:56:22 +0100
Subject: [PATCH] 4.14-stable patches
added patches:
 nbd-freeze-the-queue-while-we-re-adding-connections.patch
---
 ...queue-while-we-re-adding-connections.patch | 60 +++++++++++++++++++
 queue-4.14/series | 1 +
 queue-4.19/series | 1 +
 queue-4.9/series | 0
 queue-5.10/series | 3 +
 queue-5.4/series | 3 +
 6 files changed, 68 insertions(+)
 create mode 100644 queue-4.14/nbd-freeze-the-queue-while-we-re-adding-connections.patch
 create mode 100644 queue-4.14/series
 create mode 100644 queue-4.19/series
 create mode 100644 queue-4.9/series
 create mode 100644 queue-5.10/series
 create mode 100644 queue-5.4/series
diff --git a/queue-4.14/nbd-freeze-the-queue-while-we-re-adding-connections.patch b/queue-4.14/nbd-freeze-the-queue-while-we-re-adding-connections.patch
new file mode 100644
index 00000000000..4bceb3f2906
--- /dev/null
+++ b/queue-4.14/nbd-freeze-the-queue-while-we-re-adding-connections.patch
@@ -0,0 +1,60 @@
+From b98e762e3d71e893b221f871825dc64694cfb258 Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Mon, 25 Jan 2021 12:21:02 -0500
+Subject: nbd: freeze the queue while we're adding connections
+
+From: Josef Bacik
+
+commit b98e762e3d71e893b221f871825dc64694cfb258 upstream.
+
+When setting up a device, we can krealloc the config->socks array to add
+new sockets to the configuration. However if we happen to get a IO
+request in at this point even though we aren't setup we could hit a UAF,
+as we deref config->socks without any locking, assuming that the
+configuration was setup already and that ->socks is safe to access it as
+we have a reference on the configuration.
+
+But there's nothing really preventing IO from occurring at this point of
+the device setup, we don't want to incur the overhead of a lock to
+access ->socks when it will never change while the device is running.
+To fix this UAF scenario simply freeze the queue if we are adding
+sockets. This will protect us from this particular case without adding
+any additional overhead for the normal running case.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/nbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -952,6 +952,12 @@ static int nbd_add_socket(struct nbd_dev
+ if (!sock)
+ return err;
+
++ /*
++ * We need to make sure we don't get any errant requests while we're
++ * reallocating the ->socks array.
++ */
++ blk_mq_freeze_queue(nbd->disk->queue);
++
+ if (!netlink && !nbd->task_setup &&
+ !test_bit(NBD_BOUND, &config->runtime_flags))
+ nbd->task_setup = current;
+@@ -990,10 +996,12 @@ static int nbd_add_socket(struct nbd_dev
+ nsock->cookie = 0;
+ socks[config->num_connections++] = nsock;
+ atomic_inc(&config->live_connections);
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+
+ return 0;
+
+ put_socket:
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+ sockfd_put(sock);
+ return err;
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..be330070051
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1 @@
+nbd-freeze-the-queue-while-we-re-adding-connections.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..be330070051
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1 @@
+nbd-freeze-the-queue-while-we-re-adding-connections.patch
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..38aaa88473e
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1,3 @@
+iwlwifi-provide-gso_type-to-gso-packets.patch
+nbd-freeze-the-queue-while-we-re-adding-connections.patch
+tty-avoid-using-vfs_iocb_iter_write-for-redirected-console-writes.patch
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..c611083028f
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,3 @@
+icmpv6-add-icmpv6-parameter-problem-code-3-definition.patch
+ipv6-reply-icmp-error-if-the-first-fragment-don-t-include-all-headers.patch
+nbd-freeze-the-queue-while-we-re-adding-connections.patch
--
2.47.3
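Review bot: The unfreeze is added only at the success `return 0;` and under `put_socket:`, so every error exit in the stretch between the two hunks (old lines 958–989 of nbd_add_socket, which the backport does not show) must reach that label, otherwise the queue stays frozen and all later I/O to the device blocks indefinitely. If the 4.14 tree still has a direct `sockfd_put(sock); return -EBUSY;` or similar there instead of `goto put_socket;`, that path needs converting as part of this backport — the hunk headers alone cannot confirm it, so it is worth checking against the tree. The freeze is placed after the `if (!sock) return err;` exit, so that early return correctly needs no matching unfreeze. nbd_add_socket's signature and the code between the hunks lie outside the hunk.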