From d8a3502cb4ea3e67e807415239c7c9ee03bd2da5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 15 Dec 2022 07:50:46 +0100 Subject: [PATCH] 5.4-stable patches added patches: block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch --- ...-part-inode-when-the-part-is-deleted.patch | 70 +++++++++++++++++++ queue-5.4/series | 1 + 2 files changed, 71 insertions(+) create mode 100644 queue-5.4/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch diff --git a/queue-5.4/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch b/queue-5.4/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch new file mode 100644 index 00000000000..c293d832686 --- /dev/null +++ b/queue-5.4/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch 
@@ -0,0 +1,70 @@ +From ming.lei@redhat.com Thu Dec 15 07:48:48 2022 +From: Ming Lei +Date: Tue, 13 Dec 2022 15:16:03 +0800 +Subject: block: unhash blkdev part inode when the part is deleted +To: Greg Kroah-Hartman , stable@vger.kernel.org +Cc: Jens Axboe , linux-block@vger.kernel.org, Ming Lei , Shiwei Cui , Christoph Hellwig , Jan Kara +Message-ID: <20221213071603.1197703-1-ming.lei@redhat.com> + +From: Ming Lei + +v5.11 changes the blkdev lookup mechanism completely since commit +22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"), +and small part of the change is to unhash part bdev inode when +deleting partition. Turns out this kind of change does fix one +nasty issue in case of BLOCK_EXT_MAJOR: + +1) when one partition is deleted & closed, disk_put_part() is always +called before bdput(bdev), see blkdev_put(); so the part's devt can +be freed & re-used before the inode is dropped + +2) then new partition with same devt can be created just before the +inode in 1) is dropped, then the old inode/bdev structurein 1) is +re-used for this new partition, this way causes use-after-free and +kernel panic. + +It isn't possible to backport the whole big patchset of "merge struct +block_device and struct hd_struct v4" for addressing this issue. + +https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/ + +So fixes it by unhashing part bdev in delete_partition(), and this way +is actually aligned with v5.11+'s behavior. 
+ +Backported from the following 5.10.y commit: + +5f2f77560591 ("block: unhash blkdev part inode when the part is deleted") + +Reported-by: Shiwei Cui +Tested-by: Shiwei Cui +Cc: Christoph Hellwig +Cc: Jan Kara +Signed-off-by: Ming Lei +Signed-off-by: Greg Kroah-Hartman +--- + block/partition-generic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -272,6 +272,7 @@ void delete_partition(struct gendisk *di + struct disk_part_tbl *ptbl = + rcu_dereference_protected(disk->part_tbl, 1); + struct hd_struct *part; ++ struct block_device *bdev; + + if (partno >= ptbl->len) + return; +@@ -292,6 +293,12 @@ void delete_partition(struct gendisk *di + * "in-use" until we really free the gendisk. + */ + blk_invalidate_devt(part_devt(part)); ++ ++ bdev = bdget(part_devt(part)); ++ if (bdev) { ++ remove_inode_hash(bdev->bd_inode); ++ bdput(bdev); ++ } + hd_struct_kill(part); + } + diff --git a/queue-5.4/series b/queue-5.4/series index f5fe6ce370c..3da4f4b3bef 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,3 +1,4 @@ net-bpf-allow-tc-programs-to-call-bpf_func_skb_change_head.patch x86-smpboot-move-rcu_cpu_starting-earlier.patch mm-hugetlb-fix-races-when-looking-up-a-cont-pte-pmd-size-hugetlb-page.patch +block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch -- 2.47.3
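Review bot: the `bdget(part_devt(part))` added after `blk_invalidate_devt()` in the second `delete_partition()` hunk instantiates a fresh blockdev inode whenever none is currently hashed for that devt, so in the common no-cached-inode case the `remove_inode_hash()`/`bdput()` pair just allocates and frees; a short comment above the call saying that the goal is to drop any still-hashed inode so a re-used devt (the BLOCK_EXT_MAJOR case in the description) cannot resolve to the old bdev would make the intent clear to later readers. Note also that the `if (bdev)` guard means a `bdget()` allocation failure silently leaves a stale inode hashed, so in that path the use-after-free window described in points 1) and 2) of the message is narrowed rather than fully closed; if that is acceptable for a stable backport, saying so in the description would help.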
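Review bot: the commit description has two typos in the quoted lines "then the old inode/bdev structurein 1) is" (should read "structure in 1)") and "So fixes it by unhashing part bdev" (should read "So fix it by unhashing the part bdev"); since the message is otherwise copied from the 5.10.y commit referenced as 5f2f77560591, it is worth fixing them here before the patch is queued.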