From d931d5bcabc8f501619f223af96941d20662e9e2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 15 Dec 2022 07:50:38 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
---
 ...-part-inode-when-the-part-is-deleted.patch | 70 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 71 insertions(+)
 create mode 100644 queue-4.19/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
diff --git a/queue-4.19/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch b/queue-4.19/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
new file mode 100644
index 00000000000..c25e3ce199a
--- /dev/null
+++ b/queue-4.19/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
@@ -0,0 +1,70 @@
+From ming.lei@redhat.com Thu Dec 15 07:48:48 2022
+From: Ming Lei
+Date: Tue, 13 Dec 2022 15:16:03 +0800
+Subject: block: unhash blkdev part inode when the part is deleted
+To: Greg Kroah-Hartman , stable@vger.kernel.org
+Cc: Jens Axboe , linux-block@vger.kernel.org, Ming Lei , Shiwei Cui , Christoph Hellwig , Jan Kara
+Message-ID: <20221213071603.1197703-1-ming.lei@redhat.com>
+
+From: Ming Lei
+
+v5.11 changes the blkdev lookup mechanism completely since commit
+22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"),
+and small part of the change is to unhash part bdev inode when
+deleting partition. Turns out this kind of change does fix one
+nasty issue in case of BLOCK_EXT_MAJOR:
+
+1) when one partition is deleted & closed, disk_put_part() is always
+called before bdput(bdev), see blkdev_put(); so the part's devt can
+be freed & re-used before the inode is dropped
+
+2) then new partition with same devt can be created just before the
+inode in 1) is dropped, then the old inode/bdev structurein 1) is
+re-used for this new partition, this way causes use-after-free and
+kernel panic.
+
+It isn't possible to backport the whole big patchset of "merge struct
+block_device and struct hd_struct v4" for addressing this issue.
+
+https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/
+
+So fixes it by unhashing part bdev in delete_partition(), and this way
+is actually aligned with v5.11+'s behavior.
+
+Backported from the following 5.10.y commit:
+
+5f2f77560591 ("block: unhash blkdev part inode when the part is deleted")
+
+Reported-by: Shiwei Cui
+Tested-by: Shiwei Cui
+Cc: Christoph Hellwig
+Cc: Jan Kara
+Signed-off-by: Ming Lei
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/partition-generic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -276,6 +276,7 @@ void delete_partition(struct gendisk *di
+ struct disk_part_tbl *ptbl =
+ rcu_dereference_protected(disk->part_tbl, 1);
+ struct hd_struct *part;
++ struct block_device *bdev;
+
+ if (partno >= ptbl->len)
+ return;
+@@ -296,6 +297,12 @@ void delete_partition(struct gendisk *di
+ * "in-use" until we really free the gendisk.
+ */
+ blk_invalidate_devt(part_devt(part));
++
++ bdev = bdget(part_devt(part));
++ if (bdev) {
++ remove_inode_hash(bdev->bd_inode);
++ bdput(bdev);
++ }
+ hd_struct_kill(part);
+ }
+
diff --git a/queue-4.19/series b/queue-4.19/series
index d5bb764d2a9..811aae376b3 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,3 @@
 mm-khugepaged-fix-gup-fast-interaction-by-sending-ipi.patch
 mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-collapse-paths.patch
+block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
-- 
2.47.3
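Review bot: The `bdget()` / `remove_inode_hash()` block added to delete_partition() in the queued block/partition-generic.c patch has no comment, so the reason for it is recorded only in the commit message: under BLOCK_EXT_MAJOR the partition's devt can be freed and reused before the old bdev inode is dropped, and the still-hashed inode is then picked up for the new partition (use-after-free). I would put `/* Unhash the part's bdev inode so a re-used devt cannot look up this stale inode. */` directly above `bdev = bdget(part_devt(part));`. The `if (bdev)` guard also skips the unhash silently when `bdget()` returns NULL; if that can only mean an allocation failure in this tree, a short remark that the stale-inode window stays open in that case would help anyone auditing the backport. Only fragments of delete_partition() are visible in the two inner hunks, so the locking around the new call is not reviewed here.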