From 6e78cf444a12309c0ff7e6458cab4cf1a80d2879 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 Feb 2023 15:15:02 +0100
Subject: [PATCH] 5.4-stable patches
added patches:
aio-fix-mremap-after-fork-null-deref.patch
btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
---
...aio-fix-mremap-after-fork-null-deref.patch | 49 ++++++++++++++
...vices-for-a-single-device-filesystem.patch | 65 +++++++++++++++++++
...t_tproxy-restrict-to-prerouting-hook.patch | 45 +++++++++++++
queue-5.4/series | 3 +
4 files changed, 162 insertions(+)
create mode 100644 queue-5.4/aio-fix-mremap-after-fork-null-deref.patch
create mode 100644 queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
create mode 100644 queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
diff --git a/queue-5.4/aio-fix-mremap-after-fork-null-deref.patch b/queue-5.4/aio-fix-mremap-after-fork-null-deref.patch
new file mode 100644
index 00000000000..1fa23c1b5cc
--- /dev/null
+++ b/queue-5.4/aio-fix-mremap-after-fork-null-deref.patch
@@ -0,0 +1,49 @@
+From 81e9d6f8647650a7bead74c5f926e29970e834d1 Mon Sep 17 00:00:00 2001
+From: Seth Jenkins
+Date: Tue, 31 Jan 2023 12:25:55 -0500
+Subject: aio: fix mremap after fork null-deref
+
+From: Seth Jenkins
+
+commit 81e9d6f8647650a7bead74c5f926e29970e834d1 upstream.
+
+Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced
+a null-deref if mremap is called on an old aio mapping after fork as
+mm->ioctx_table will be set to NULL.
+
+[jmoyer@redhat.com: fix 80 column issue]
+Link: https://lkml.kernel.org/r/x49sffq4nvg.fsf@segfault.boston.devel.redhat.com
+Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
+Signed-off-by: Seth Jenkins
+Signed-off-by: Jeff Moyer
+Cc: Alexander Viro
+Cc: Benjamin LaHaise
+Cc: Jann Horn
+Cc: Pavel Emelyanov
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/aio.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -336,6 +336,9 @@ static int aio_ring_mremap(struct vm_are
+ spin_lock(&mm->ioctx_lock);
+ rcu_read_lock();
+ table = rcu_dereference(mm->ioctx_table);
++ if (!table)
++ goto out_unlock;
++
+ for (i = 0; i < table->nr; i++) {
+ struct kioctx *ctx;
+
+@@ -349,6 +352,7 @@ static int aio_ring_mremap(struct vm_are
+ }
+ }
+
++out_unlock:
+ rcu_read_unlock();
+ spin_unlock(&mm->ioctx_lock);
+ return res;
diff --git a/queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch b/queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
new file mode 100644
index 00000000000..7e9b8da7792
--- /dev/null
+++ b/queue-5.4/btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
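Review bot: The new `goto out_unlock` returns whatever `res` was initialised to at the top of `aio_ring_mremap`, which is outside this hunk; the NULL dereference is closed either way, but the early exit is only correct if that initial value is an error, so confirm 5.4 still has `int i, res = -EINVAL;` as upstream does, otherwise a child's mremap() of an inherited ring would appear to succeed with a VMA that no longer belongs to any kioctx. Since mremap() is unprivileged and the only precondition the commit message names is fork(), the unfixed path looks like a local, unprivileged kernel NULL-pointer dereference (DoS), which is worth stating in the stable submission so distributions can prioritise it. The bare check also deserves a line naming the state it guards, e.g. `/* ioctx_table is NULL in a child after fork(): nothing to remap */`, since the commit message is the only place that explains how the table becomes NULL. The function's signature and the initialisation of `res` are outside the hunk.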
@@ -0,0 +1,65 @@
+From 5f58d783fd7823b2c2d5954d1126e702f94bfc4c Mon Sep 17 00:00:00 2001
+From: Anand Jain
+Date: Fri, 20 Jan 2023 21:47:16 +0800
+Subject: btrfs: free device in btrfs_close_devices for a single device filesystem
+
+From: Anand Jain
+
+commit 5f58d783fd7823b2c2d5954d1126e702f94bfc4c upstream.
+
+We have this check to make sure we don't accidentally add older devices
+that may have disappeared and re-appeared with an older generation from
+being added to an fs_devices (such as a replace source device). This
+makes sense, we don't want stale disks in our file system. However for
+single disks this doesn't really make sense.
+
+I've seen this in testing, but I was provided a reproducer from a
+project that builds btrfs images on loopback devices. The loopback
+device gets cached with the new generation, and then if it is re-used to
+generate a new file system we'll fail to mount it because the new fs is
+"older" than what we have in cache.
+
+Fix this by freeing the cache when closing the device for a single device
+filesystem. This will ensure that the mount command passed device path is
+scanned successfully during the next mount.
+
+CC: stable@vger.kernel.org # 5.10+
+Reported-by: Daan De Meyer
+Signed-off-by: Josef Bacik
+Signed-off-by: Anand Jain
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Anand Jain
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/volumes.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -354,6 +354,7 @@ void btrfs_free_device(struct btrfs_devi
+ static void free_fs_devices(struct btrfs_fs_devices *fs_devices)
+ {
+ struct btrfs_device *device;
++
+ WARN_ON(fs_devices->opened);
+ while (!list_empty(&fs_devices->devices)) {
+ device = list_entry(fs_devices->devices.next,
+@@ -1401,6 +1402,17 @@ int btrfs_close_devices(struct btrfs_fs_
+ if (!fs_devices->opened) {
+ seed_devices = fs_devices->seed;
+ fs_devices->seed = NULL;
++
++ /*
++ * If the struct btrfs_fs_devices is not assembled with any
++ * other device, it can be re-initialized during the next mount
++ * without the needing device-scan step. Therefore, it can be
++ * fully freed.
++ */
++ if (fs_devices->num_devices == 1) {
++ list_del(&fs_devices->fs_list);
++ free_fs_devices(fs_devices);
++ }
+ }
+ mutex_unlock(&uuid_mutex);
+
diff --git a/queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch b/queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
new file mode 100644
index 00000000000..086a0cf421b
--- /dev/null
+++ b/queue-5.4/netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
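Review bot: After `free_fs_devices(fs_devices)` in the second hunk the `fs_devices` argument points at freed memory, yet `btrfs_close_devices` still holds it past the hunk and callers may have kept their own copy, so any later dereference is a use-after-free; that ownership change should be stated where callers will see it, e.g. on the function header: `/* May free @fs_devices when it holds a single device; callers must not dereference it after return. */`. Whether a sprouted filesystem that reports one device but still had a seed (saved into `seed_devices` just above the new block) can reach this branch is not visible from the hunk, so it is worth confirming against 5.4's seed handling rather than assuming. The upstream tag reads `CC: stable # 5.10+` while this is queued for 5.4 and the hunk uses the pre-5.10 `fs_devices->seed` pointer, so an `[ adapted for 5.4: ... ]` line in the patch header would record that the backport was hand-adjusted. The first hunk in `free_fs_devices` only adds a blank line and is unrelated churn for a stable backport.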
@@ -0,0 +1,45 @@
+From 18bbc3213383a82b05383827f4b1b882e3f0a5a5 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 20 Aug 2022 17:54:06 +0200
+Subject: netfilter: nft_tproxy: restrict to prerouting hook
+
+From: Florian Westphal
+
+commit 18bbc3213383a82b05383827f4b1b882e3f0a5a5 upstream.
+
+TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this.
+This fixes a crash (null dereference) when using tproxy from e.g. output.
+
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Reported-by: Shell Chen
+Signed-off-by: Florian Westphal
+Signed-off-by: Qingfang DENG
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_tproxy.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_tproxy.c
++++ b/net/netfilter/nft_tproxy.c
+@@ -289,6 +289,13 @@ static int nft_tproxy_dump(struct sk_buf
+ return 0;
+ }
+
++static int nft_tproxy_validate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr,
++ const struct nft_data **data)
++{
++ return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
++}
++
+ static struct nft_expr_type nft_tproxy_type;
+ static const struct nft_expr_ops nft_tproxy_ops = {
+ .type = &nft_tproxy_type,
+@@ -296,6 +303,7 @@ static const struct nft_expr_ops nft_tpr
+ .eval = nft_tproxy_eval,
+ .init = nft_tproxy_init,
+ .dump = nft_tproxy_dump,
++ .validate = nft_tproxy_validate,
+ };
+
+ static struct nft_expr_type nft_tproxy_type __read_mostly = {
diff --git a/queue-5.4/series b/queue-5.4/series
index 5b44cb63f9f..ce8a39f8697 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
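Review bot: `nft_tproxy_validate` gives no hint why only `NF_INET_PRE_ROUTING` is acceptable; the reason lives solely in the commit message, so the next person tempted to widen the mask has nothing in the code to stop them. A comment above the function would carry it: `/* tproxy relies on prerouting context; from other hooks (e.g. output) the eval path NULL-dereferences, see commit 18bbc3213383 */`. From a security standpoint, adding nftables rules needs CAP_NET_ADMIN, but where unprivileged user namespaces are enabled that capability is available inside a user-created netns, so the pre-patch crash is plausibly reachable by a local unprivileged user; that is worth stating in the stable submission so distributions can prioritise the update. `expr` and `data` are unused, which matches the `.validate` callback signature and needs no change.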
@@ -96,3 +96,6 @@ net-stmmac-do-not-stop-rx_clk-in-rx-lpi-state-for-qc.patch
 net-sched-sch-bounds-check-priority.patch
 s390-decompressor-specify-__decompress-buf-len-to-av.patch
 nvme-fc-fix-a-missing-queue-put-in-nvmet_fc_ls_creat.patch
+aio-fix-mremap-after-fork-null-deref.patch
+btrfs-free-device-in-btrfs_close_devices-for-a-single-device-filesystem.patch
+netfilter-nft_tproxy-restrict-to-prerouting-hook.patch
--
2.47.2