4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2020 06:59:29 +0000 (08:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Jun 2020 06:59:29 +0000 (08:59 +0200)
added patches:
ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
loop-replace-kill_bdev-with-invalidate_bdev.patch

queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch [new file with mode: 0644]
queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch b/queue-4.19/ib-mad-fix-use-after-free-when-destroying-mad-agent.patch
new file mode 100644 (file)
index 0000000..eaf3184
--- /dev/null
@@ -0,0 +1,59 @@
+From 116a1b9f1cb769b83e5adff323f977a62b1dcb2e Mon Sep 17 00:00:00 2001
+From: Shay Drory <shayd@mellanox.com>
+Date: Sun, 21 Jun 2020 13:47:35 +0300
+Subject: IB/mad: Fix use after free when destroying MAD agent
+
+From: Shay Drory <shayd@mellanox.com>
+
+commit 116a1b9f1cb769b83e5adff323f977a62b1dcb2e upstream.
+
+Currently, when RMPP MADs are processed while the MAD agent is destroyed,
+it could result in use after free of rmpp_recv, as decribed below:
+
+       cpu-0                                           cpu-1
+       -----                                           -----
+ib_mad_recv_done()
+ ib_mad_complete_recv()
+  ib_process_rmpp_recv_wc()
+                                               unregister_mad_agent()
+                                                ib_cancel_rmpp_recvs()
+                                                 cancel_delayed_work()
+   process_rmpp_data()
+    start_rmpp()
+     queue_delayed_work(rmpp_recv->cleanup_work)
+                                                 destroy_rmpp_recv()
+                                                  free_rmpp_recv()
+     cleanup_work()[1]
+      spin_lock_irqsave(&rmpp_recv->agent->lock) <-- use after free
+
+[1] cleanup_work() == recv_cleanup_handler
+
+Fix it by waiting for the MAD agent reference count becoming zero before
+calling to ib_cancel_rmpp_recvs().
+
+Fixes: 9a41e38a467c ("IB/mad: Use IDR for agent IDs")
+Link: https://lore.kernel.org/r/20200621104738.54850-2-leon@kernel.org
+Signed-off-by: Shay Drory <shayd@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/mad.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -615,10 +615,10 @@ static void unregister_mad_agent(struct
+       idr_unlock(&ib_mad_clients);
+       flush_workqueue(port_priv->wq);
+-      ib_cancel_rmpp_recvs(mad_agent_priv);
+       deref_mad_agent(mad_agent_priv);
+       wait_for_completion(&mad_agent_priv->comp);
++      ib_cancel_rmpp_recvs(mad_agent_priv);
+       ib_mad_agent_security_cleanup(&mad_agent_priv->agent);
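Review bot: The moved ib_cancel_rmpp_recvs() call now depends on wait_for_completion() having drained the last reference to mad_agent_priv before it runs, but nothing at the call site records that ordering, so a later reshuffle of this cleanup path could silently reintroduce the race the description lays out. A one-line why-comment above the `+` line would pin the invariant, e.g. `/* comp is signalled only once all refs are gone, so no RMPP cleanup work can be queued any more */`. unregister_mad_agent() starts and ends outside the hunk. The inner hunk header announces 10 lines on each side while only 7 are visible (and the outer header says 59 lines for the file but 55 are shown), which is probably a rendering artefact but is worth a quick check of the queued file against the upstream commit before it is applied.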
diff --git a/queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch b/queue-4.19/loop-replace-kill_bdev-with-invalidate_bdev.patch
new file mode 100644 (file)
index 0000000..3024b10
--- /dev/null
@@ -0,0 +1,65 @@
+From f4bd34b139a3fa2808c4205f12714c65e1548c6c Mon Sep 17 00:00:00 2001
+From: Zheng Bin <zhengbin13@huawei.com>
+Date: Thu, 18 Jun 2020 12:21:37 +0800
+Subject: loop: replace kill_bdev with invalidate_bdev
+
+From: Zheng Bin <zhengbin13@huawei.com>
+
+commit f4bd34b139a3fa2808c4205f12714c65e1548c6c upstream.
+
+When a filesystem is mounted on a loop device and on a loop ioctl
+LOOP_SET_STATUS64, because of kill_bdev, buffer_head mappings are getting
+destroyed.
+kill_bdev
+  truncate_inode_pages
+    truncate_inode_pages_range
+      do_invalidatepage
+        block_invalidatepage
+          discard_buffer  -->clear BH_Mapped flag
+
+sb_bread
+  __bread_gfp
+  bh = __getblk_gfp
+  -->discard_buffer clear BH_Mapped flag
+  __bread_slow
+    submit_bh
+      submit_bh_wbc
+        BUG_ON(!buffer_mapped(bh))  --> hit this BUG_ON
+
+Fixes: 5db470e229e2 ("loop: drop caches if offset or block_size are changed")
+Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1238,7 +1238,7 @@ loop_set_status(struct loop_device *lo,
+       if (lo->lo_offset != info->lo_offset ||
+           lo->lo_sizelimit != info->lo_sizelimit) {
+               sync_blockdev(lo->lo_device);
+-              kill_bdev(lo->lo_device);
++              invalidate_bdev(lo->lo_device);
+       }
+       /* I/O need to be drained during transfer transition */
+@@ -1512,12 +1512,12 @@ static int loop_set_block_size(struct lo
+       if (lo->lo_queue->limits.logical_block_size != arg) {
+               sync_blockdev(lo->lo_device);
+-              kill_bdev(lo->lo_device);
++              invalidate_bdev(lo->lo_device);
+       }
+       blk_mq_freeze_queue(lo->lo_queue);
+-      /* kill_bdev should have truncated all the pages */
++      /* invalidate_bdev should have truncated all the pages */
+       if (lo->lo_queue->limits.logical_block_size != arg &&
+                       lo->lo_device->bd_inode->i_mapping->nrpages) {
+               err = -EAGAIN;
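Review bot: The rewritten comment `/* invalidate_bdev should have truncated all the pages */` still describes the old kill_bdev() semantics; if invalidate_bdev() only drops the pages it is allowed to discard rather than truncating the whole mapping, as the rename suggests, then "should have truncated" overstates it and the nrpages test directly below is what actually catches leftovers. Wording the comment around the check rather than the assumption is clearer, e.g. `/* invalidate_bdev() may leave pages behind; refuse to change the block size while any remain */`. The first inner hunk in loop_set_status() swaps the call the same way but shows no equivalent nrpages check after it, so it is worth confirming whether a page left behind there is harmless or simply unhandled. Both loop_set_status() and loop_set_block_size() start and end outside the hunk.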
index ace56feeac692618eae804e97ade72bcd80fe090..ef33ad76c9e687f1be74541ea36df5a0e983ebae 100644 (file)
@@ -54,3 +54,5 @@ xhci-fix-incorrect-ep_state_mask.patch
 xhci-fix-enumeration-issue-when-setting-max-packet-size-for-fs-devices.patch
 xhci-return-if-xhci-doesn-t-support-lpm.patch
 cdc-acm-add-disable_echo-quirk-for-microchip-smsc-chip.patch
+loop-replace-kill_bdev-with-invalidate_bdev.patch
+ib-mad-fix-use-after-free-when-destroying-mad-agent.patch