From e05731ff9463fb49b662e182e93276049962bdac Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 29 Jun 2020 08:59:29 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
loop-replace-kill_bdev-with-invalidate_bdev.patch
---
...after-free-when-destroying-mad-agent.patch | 59 +++++++++++++++++
...place-kill_bdev-with-invalidate_bdev.patch | 65 +++++++++++++++++++
queue-4.19/series | 2 +
3 files changed, 126 insertions(+)
create mode 100644 queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
create mode 100644 queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch
diff --git a/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch b/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
new file mode 100644
index 00000000000..eaf3184fbf9
--- /dev/null
+++ b/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
@@ -0,0 +1,59 @@
+From 116a1b9f1cb769b83e5adff323f977a62b1dcb2e Mon Sep 17 00:00:00 2001
+From: Shay Drory
+Date: Sun, 21 Jun 2020 13:47:35 +0300
+Subject: IB/mad: Fix use after free when destroying MAD agent
+
+From: Shay Drory
+
+commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e upstream.
+
+Currently, when RMPP MADs are processed while the MAD agent is destroyed,
+it could result in use after free of rmpp_recv, as decribed below:
+
+ cpu-0 cpu-1
+ ----- -----
+ib_mad_recv_done()
+ ib_mad_complete_recv()
+ ib_process_rmpp_recv_wc()
+ unregister_mad_agent()
+ ib_cancel_rmpp_recvs()
+ cancel_delayed_work()
+ process_rmpp_data()
+ start_rmpp()
+ queue_delayed_work(rmpp_recv->cleanup_work)
+ destroy_rmpp_recv()
+ free_rmpp_recv()
+ cleanup_work()[1]
+ spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
+
+[1] cleanup_work() == recv_cleanup_handler
+
+Fix it by waiting for the MAD agent reference count becoming zero before
+calling to ib_cancel_rmpp_recvs().
+
+Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
+Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
+Signed-off-by: Shay Drory
+Reviewed-by: Maor Gottlieb
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/mad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -615,10 +615,10 @@ static void unregister_mad_agent(struct
+ idr_unlock(&ib_mad_clients);
+
+ flush_workqueue(port_priv->wq);
+- ib_cancel_rmpp_recvs(mad_agent_priv);
+
+ deref_mad_agent(mad_agent_priv);
+ wait_for_completion(&mad_agent_priv->comp);
++ ib_cancel_rmpp_recvs(mad_agent_priv);
+
+ ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
+
diff --git a/queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch b/queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch
new file mode 100644
index 00000000000..3024b10801d
--- /dev/null
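Review bot: The moved `++ ib_cancel_rmpp_recvs(mad_agent_priv);` line carries no comment saying why it must now come after `wait_for_completion(&mad_agent_priv->comp)`, so a later tidy-up could hoist it back above `deref_mad_agent()` and silently reintroduce the race the commit message describes (a receive still holding a reference queues cleanup_work after the cancel has already run). I would add above the moved call: `/* Cancel RMPP receive work only after the last agent reference is dropped: an in-flight receive can still queue cleanup_work until then. */`. That comment's premise, that nothing can queue new rmpp_recv work once the completion fires, rests on deref_mad_agent() and the receive path, both outside this hunk, so it is worth confirming against them rather than from the hunk alone. unregister_mad_agent() begins before and continues past the lines shown here.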
+++ b/queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch 
@@ -0,0 +1,65 @@
+From f4bd34b139a3fa2808c4205f12714c65e1548c6c Mon Sep 17 00:00:00 2001
+From: Zheng Bin
+Date: Thu, 18 Jun 2020 12:21:37 +0800
+Subject: loop: replace kill_bdev with invalidate_bdev
+
+From: Zheng Bin
+
+commit f4bd34b139a3fa2808c4205f12714c65e1548c6c upstream.
+
+When a filesystem is mounted on a loop device and on a loop ioctl
+LOOP_SET_STATUS64, because of kill_bdev, buffer_head mappings are getting
+destroyed.
+kill_bdev
+ truncate_inode_pages
+ truncate_inode_pages_range
+ do_invalidatepage
+ block_invalidatepage
+ discard_buffer -->clear BH_Mapped flag
+
+sb_bread
+ __bread_gfp
+ bh = __getblk_gfp
+ -->discard_buffer clear BH_Mapped flag
+ __bread_slow
+ submit_bh
+ submit_bh_wbc
+ BUG_ON(!buffer_mapped(bh)) --> hit this BUG_ON
+
+Fixes: 5db470e229e2 ("loop: drop caches if offset or block_size are changed")
+Signed-off-by: Zheng Bin
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Bart Van Assche
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/loop.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1238,7 +1238,7 @@ loop_set_status(struct loop_device *lo,
+ if (lo->lo_offset != info->lo_offset ||
+ lo->lo_sizelimit != info->lo_sizelimit) {
+ sync_blockdev(lo->lo_device);
+- kill_bdev(lo->lo_device);
++ invalidate_bdev(lo->lo_device);
+ }
+
+ /* I/O need to be drained during transfer transition */
+@@ -1512,12 +1512,12 @@ static int loop_set_block_size(struct lo
+
+ if (lo->lo_queue->limits.logical_block_size != arg) {
+ sync_blockdev(lo->lo_device);
+- kill_bdev(lo->lo_device);
++ invalidate_bdev(lo->lo_device);
+ }
+
+ blk_mq_freeze_queue(lo->lo_queue);
+
+- /* kill_bdev should have truncated all the pages */
++ /* invalidate_bdev should have truncated all the pages */
+ if (lo->lo_queue->limits.logical_block_size != arg &&
+ lo->lo_device->bd_inode->i_mapping->nrpages) {
+ err = -EAGAIN;
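Review bot: The rewritten comment `/* invalidate_bdev should have truncated all the pages */` in loop_set_block_size is misleading: unlike the kill_bdev() it replaces, invalidate_bdev() does not truncate the mapping, it only drops clean, unused page-cache pages, which is exactly why the `nrpages` test that follows it has to bail out with `err = -EAGAIN`. I would reword it as `/* invalidate_bdev() only drops clean, unused pages; anything still cached is in use, so ask the caller to retry */`. The same kill_bdev-to-invalidate_bdev swap in the first hunk (loop_set_status) shows no nrpages check within the hunk; presumably one follows the blk_mq_freeze_queue() call further down, but that is outside what is visible here and should be confirmed. Both enclosing functions start before and end after their respective hunks.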
diff --git a/queue-4.19/series b/queue-4.19/series
index ace56feeac6..ef33ad76c9e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -54,3 +54,5 @@ xhci-fix-incorrect-ep_state_mask.patch
 xhci-fix-enumeration-issue-when-setting-max-packet-size-for-fs-devices.patch
 xhci-return-if-xhci-doesn-t-support-lpm.patch
 cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
+loop-replace-kill_bdev-with-invalidate_bdev.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
--
2.47.3