From: Greg Kroah-Hartman Date: Thu, 15 Dec 2022 06:50:29 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.4.228~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9595b42b4b285a7e77a29ab9d858f50b8ce45d9e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch --- diff --git a/queue-4.14/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch b/queue-4.14/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch new file mode 100644 index 00000000000..f93c6daab32 --- /dev/null +++ b/queue-4.14/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch 
@@ -0,0 +1,69 @@ +From ming.lei@redhat.com Thu Dec 15 07:49:27 2022 +From: Ming Lei +Date: Tue, 13 Dec 2022 15:16:27 +0800 +Subject: block: unhash blkdev part inode when the part is deleted +To: Greg Kroah-Hartman , stable@vger.kernel.org +Cc: Jens Axboe , linux-block@vger.kernel.org, Ming Lei , Shiwei Cui , Christoph Hellwig , Jan Kara +Message-ID: <20221213071627.1197786-1-ming.lei@redhat.com> + +From: Ming Lei + +v5.11 changes the blkdev lookup mechanism completely since commit +22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"), +and small part of the change is to unhash part bdev inode when +deleting partition. Turns out this kind of change does fix one +nasty issue in case of BLOCK_EXT_MAJOR: + +1) when one partition is deleted & closed, disk_put_part() is always +called before bdput(bdev), see blkdev_put(); so the part's devt can +be freed & re-used before the inode is dropped + +2) then new partition with same devt can be created just before the +inode in 1) is dropped, then the old inode/bdev structurein 1) is +re-used for this new partition, this way causes use-after-free and +kernel panic. + +It isn't possible to backport the whole big patchset of "merge struct +block_device and struct hd_struct v4" for addressing this issue. + +https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/ + +So fixes it by unhashing part bdev in delete_partition(), and this way +is actually aligned with v5.11+'s behavior. 
+ +Backported from the following 5.10.y commit: + +5f2f77560591 ("block: unhash blkdev part inode when the part is deleted") + +Reported-by: Shiwei Cui +Tested-by: Shiwei Cui +Cc: Christoph Hellwig +Cc: Jan Kara +Signed-off-by: Ming Lei +Signed-off-by: Greg Kroah-Hartman +--- + block/partition-generic.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -270,6 +270,7 @@ void delete_partition(struct gendisk *di + struct disk_part_tbl *ptbl = + rcu_dereference_protected(disk->part_tbl, 1); + struct hd_struct *part; ++ struct block_device *bdev; + + if (partno >= ptbl->len) + return; +@@ -283,6 +284,11 @@ void delete_partition(struct gendisk *di + kobject_put(part->holder_dir); + device_del(part_to_dev(part)); + ++ bdev = bdget(part_devt(part)); ++ if (bdev) { ++ remove_inode_hash(bdev->bd_inode); ++ bdput(bdev); ++ } + hd_struct_kill(part); + } + diff --git a/queue-4.14/series b/queue-4.14/series index 1f58dbb7943..ba5e71e8e8f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -2,3 +2,4 @@ libtraceevent-fix-build-with-binutils-2.35.patch once-add-do_once_slow-for-sleepable-contexts.patch mm-khugepaged-fix-gup-fast-interaction-by-sending-ipi.patch mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-collapse-paths.patch +block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
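Review bot: The added bdget()/remove_inode_hash()/bdput() block in the second delete_partition() hunk carries no comment, so block/partition-generic.c itself does not say why the partition's bdev inode is unhashed at this point, just ahead of hd_struct_kill(part). Suggest a short comment above `bdev = bdget(part_devt(part));` that restates the changelog's reasoning: the part's devt can be freed and re-used before the old inode is dropped, and a new partition created with the same devt must not end up re-using the old inode/bdev. Because the changelog describes this as a targeted backport (from 5.10.y commit 5f2f77560591) rather than the full v5.11 lookup rework, the code in this tree will not match v5.11+, and an in-code note helps anyone who later compares the two.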