diff --git a/SOURCES/0005-oracleasm-Access-d_bdev-before-dropping-inode.patch b/SOURCES/0005-oracleasm-Access-d_bdev-before-dropping-inode.patch
new file mode 100644
index 0000000..4d89c40
--- /dev/null
+++ b/SOURCES/0005-oracleasm-Access-d_bdev-before-dropping-inode.patch
@@ -0,0 +1,47 @@
+commit a6982d0edd0caeb2a7a0f3465c0adf85a902102a
+Author: Stephen Brennan stephen.s.brennan@oracle.com
+Date: Mon Sep 14 16:03:32 2020 -0700
+
+oracleasm: Access d_bdev before dropping inode
+
+d_bdev is stored alongside the inode. If we hold the last reference to
+disk_inode, then iput() will clear the d_bdev field and cause a page
+fault when it is dereferenced. Further, the iput() could result in a
+blkdev_put(), after which our accesses to bdev could be further
+corrupted. To avoid all this, delay the iput() until all access to d,
+disk_inode, and bdev are complete.
+
+Ora bug: 31901945
+Signed-off-by: Stephen Brennan stephen.s.brennan@oracle.com
+Reviewed-by: Junxiao Bi junxiao.bi@oracle.com
+Signed-off-by: Somasundaram Krishnasamy somasundaram.krishnasamy@oracle.com
+
+diff --git a/drivers/block/oracleasm/driver.c b/drivers/block/oracleasm/driver.c
+index 2bcad19af0d8..02882105f799 100644
+--- a/drivers/block/oracleasm/driver.c
++++ b/drivers/block/oracleasm/driver.c
+@@ -2380,7 +2380,6 @@ static ssize_t asmfs_svc_query_handle(struct file *file, char *buf, size_t size)
+ }
+
+ d = ASMDISK_I(disk_inode);
+- iput(disk_inode);
+ bdev = d->d_bdev;
+
+ qh_info->qh_max_sectors = compute_max_sectors(bdev);
+@@ -2395,6 +2394,15 @@ static ssize_t asmfs_svc_query_handle(struct file *file, char *buf, size_t size)
+ trace_queryhandle(bdev, qh_info);
+ ret = 0;
+
++ /*
++ * Dropping the reference to disk_inode could result in d and
++ * disk_inode being evicted and freed. This will further drop the
++ * reference to bdev, which could be the last one. Thus, we must
++ * delay the iput() until all accesses to disk_inode, d, and bdev
++ * are complete.
++ */
++ iput(disk_inode);
++
+ out:
+ qh_info->qh_abi.ai_status = ret;
+ return size;
+
diff --git a/SPECS/kmod-redhat-oracleasm.spec b/SPECS/kmod-redhat-oracleasm.spec
index acdc9a9..9bd640c 100644
--- a/SPECS/kmod-redhat-oracleasm.spec
+++ b/SPECS/kmod-redhat-oracleasm.spec
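Review bot: The relocated `iput(disk_inode)` in the second inner hunk sits just above the `out:` label, so it runs only on the fall-through path; any `goto out` taken after the inode reference was obtained would skip it and leak the reference. The lookup and the lines between the two inner hunks are not visible here, and the body of asmfs_svc_query_handle starts and ends outside the hunk, so this needs checking against the full function. If such an exit exists, a dedicated label keeps the release on every post-lookup path: `out_put:` followed by `iput(disk_inode);`, placed directly before `out:`. Because the fix is about object lifetime, the new comment could also state that no early exit may be added between the lookup and this `iput()`.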
@@ -3,9 +3,9 @@ %define kmod_rpm_name kmod-redhat-oracleasm %define kmod_driver_version 2.0.8 %define kmod_driver_epoch 8 -%define kmod_rpm_release 18 -%define kmod_kernel_version 4.18.0-513.el8 -%define kmod_kernel_version_min 4.18.0-513.el8 +%define kmod_rpm_release 18.1 +%define kmod_kernel_version 4.18.0-552%{dist} +%define kmod_kernel_version_min 4.18.0-552%{dist} %define kmod_kernel_version_dep 4.18.0 %define kmod_kbuild_dir drivers/block/oracleasm %define kmod_install_path extra/kmod-redhat-oracleasm @@ -13,7 +13,6 @@ %define kernel_devel_pkg kernel-devel %define kernel_modules_pkg kernel-modules -%{!?dist: %define dist .el8_4} %{!?make_build: %define make_build make} %if "%{kmod_kernel_version_dep}" == "" @@ -28,6 +27,7 @@ Patch0: 0000-Makefile-config-opts.patch Patch2: 0002-oracleasm-driver-make-bio_for_each_segment_all-worki.patch Patch3: 0003-oracleasm-copy-rhel8-s-bio_map_user_iov.patch Patch4: 0004-update-bdi-writeback-acct_dirty-flags.patch +Patch5: 0005-oracleasm-Access-d_bdev-before-dropping-inode.patch %define findpat %( echo "%""P" ) %define __find_requires /usr/lib/rpm/redhat/find-requires.ksyms @@ -157,6 +157,7 @@ exit 0 %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 set -- * mkdir source mv "$@" source/ @@ -219,6 +220,9 @@ install -m 644 -D source/greylist.txt $RPM_BUILD_ROOT/usr/share/doc/%{kmod_rpm_n rm -rf $RPM_BUILD_ROOT %changelog +* Mon Apr 08 2024 Eugene Syromiatnikov 2.0.8-18.1 +- Fix use-after-free in asmfs_svc_query_handle (RHEL-30468). + * Wed Jan 04 2023 Eugene Syromiatnikov 2.0.8-18 - Rebuild against kernel-4.18.0-507.el8 (#2228579).