From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 15 Dec 2022 06:50:21 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v5.4.228~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f9ce7d791dbb960ffbba3974de388289846019ef;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
---

diff --git a/queue-4.9/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch b/queue-4.9/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
new file mode 100644
index 00000000000..8983a76df45
--- /dev/null
+++ b/queue-4.9/block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch
@@ -0,0 +1,69 @@
+From ming.lei@redhat.com  Thu Dec 15 07:49:50 2022
+From: Ming Lei <ming.lei@redhat.com>
+Date: Tue, 13 Dec 2022 15:16:55 +0800
+Subject: block: unhash blkdev part inode when the part is deleted
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org
+Cc: Jens Axboe <axboe@kernel.dk>, linux-block@vger.kernel.org, Ming Lei <ming.lei@redhat.com>, Shiwei Cui <cuishw@inspur.com>, Christoph Hellwig <hch@lst.de>, Jan Kara <jack@suse.cz>
+Message-ID: <20221213071655.1197875-1-ming.lei@redhat.com>
+
+From: Ming Lei <ming.lei@redhat.com>
+
+v5.11 changes the blkdev lookup mechanism completely since commit
+22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get"),
+and small part of the change is to unhash part bdev inode when
+deleting partition. Turns out this kind of change does fix one
+nasty issue in case of BLOCK_EXT_MAJOR:
+
+1) when one partition is deleted & closed, disk_put_part() is always
+called before bdput(bdev), see blkdev_put(); so the part's devt can
+be freed & re-used before the inode is dropped
+
+2) then new partition with same devt can be created just before the
+inode in 1) is dropped, then the old inode/bdev structurein 1) is
+re-used for this new partition, this way causes use-after-free and
+kernel panic.
+
+It isn't possible to backport the whole big patchset of "merge struct
+block_device and struct hd_struct v4" for addressing this issue.
+
+https://lore.kernel.org/linux-block/20201128161510.347752-1-hch@lst.de/
+
+So fixes it by unhashing part bdev in delete_partition(), and this way
+is actually aligned with v5.11+'s behavior.
+
+Backported from the following 5.10.y commit:
+
+5f2f77560591 ("block: unhash blkdev part inode when the part is deleted")
+
+Reported-by: Shiwei Cui <cuishw@inspur.com>
+Tested-by: Shiwei Cui <cuishw@inspur.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jan Kara <jack@suse.cz>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/partition-generic.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -254,6 +254,7 @@ void delete_partition(struct gendisk *di
+ {
+ 	struct disk_part_tbl *ptbl = disk->part_tbl;
+ 	struct hd_struct *part;
++	struct block_device *bdev;
+ 
+ 	if (partno >= ptbl->len)
+ 		return;
+@@ -267,6 +268,11 @@ void delete_partition(struct gendisk *di
+ 	kobject_put(part->holder_dir);
+ 	device_del(part_to_dev(part));
+ 
++	bdev = bdget(part_devt(part));
++	if (bdev) {
++		remove_inode_hash(bdev->bd_inode);
++		bdput(bdev);
++	}
+ 	hd_struct_kill(part);
+ }
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index d5bb764d2a9..811aae376b3 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,2 +1,3 @@
 mm-khugepaged-fix-gup-fast-interaction-by-sending-ipi.patch
 mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-collapse-paths.patch
+block-unhash-blkdev-part-inode-when-the-part-is-deleted.patch