--- /dev/null
+From c3aba897c6e67fa464ec02b1f17911577d619713 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 1 Jun 2021 11:35:56 -0400
+Subject: NFSv4: Fix second deadlock in nfs4_evict_inode()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit c3aba897c6e67fa464ec02b1f17911577d619713 upstream.
+
+If the inode is being evicted but has to return a layout first, then
+that too can cause a deadlock in the corner case where the server
+reboots.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -9342,15 +9342,20 @@ int nfs4_proc_layoutreturn(struct nfs4_l
+ &task_setup_data.rpc_client, &msg);
+
+ dprintk("--> %s\n", __func__);
++ lrp->inode = nfs_igrab_and_active(lrp->args.inode);
+ if (!sync) {
+- lrp->inode = nfs_igrab_and_active(lrp->args.inode);
+ if (!lrp->inode) {
+ nfs4_layoutreturn_release(lrp);
+ return -EAGAIN;
+ }
+ task_setup_data.flags |= RPC_TASK_ASYNC;
+ }
+- nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, 0);
++ if (!lrp->inode)
++ nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
++ 1);
++ else
++ nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
++ 0);
+ task = rpc_run_task(&task_setup_data);
+ if (IS_ERR(task))
+ return PTR_ERR(task);
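Review bot: The new `if (!lrp->inode)` branch, which passes `1` as the last argument to nfs4_init_sequence(), has no comment, so the reason for it lives only in the commit description. Suggest adding above it `/* inode could not be grabbed (it is being evicted): use a privileged sequence so the layoutreturn cannot deadlock if the server reboots */`; that reading is inferred from the description and should be confirmed. Because the two calls differ only in that final argument, `nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, lrp->inode ? 0 : 1);` would express the same thing in one statement. nfs4_proc_layoutreturn begins and ends outside the hunk.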
--- /dev/null
+From f8849e206ef52b584cd9227255f4724f0cc900bb Mon Sep 17 00:00:00 2001
+From: Dai Ngo <dai.ngo@oracle.com>
+Date: Wed, 19 May 2021 17:15:10 -0400
+Subject: NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+commit f8849e206ef52b584cd9227255f4724f0cc900bb upstream.
+
+Currently if __nfs4_proc_set_acl fails with NFS4ERR_BADOWNER it
+re-enables the idmapper by clearing NFS_CAP_UIDGID_NOMAP before
+retrying again. The NFS_CAP_UIDGID_NOMAP remains cleared even if
+the retry fails. This causes problem for subsequent setattr
+requests for v4 server that does not have idmapping configured.
+
+This patch modifies nfs4_proc_set_acl to detect NFS4ERR_BADOWNER
+and NFS4ERR_BADNAME and skips the retry, since the kernel isn't
+involved in encoding the ACEs, and return -EINVAL.
+
+Steps to reproduce the problem:
+
+ # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
+ # touch /tmp/mnt/file1
+ # chown 99 /tmp/mnt/file1
+ # nfs4_setfacl -a A::unknown.user@xyz.com:wrtncy /tmp/mnt/file1
+ Failed setxattr operation: Invalid argument
+ # chown 99 /tmp/mnt/file1
+ chown: changing ownership of ‘/tmp/mnt/file1’: Invalid argument
+ # umount /tmp/mnt
+ # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
+ # chown 99 /tmp/mnt/file1
+ #
+
+v2: detect NFS4ERR_BADOWNER and NFS4ERR_BADNAME and skip retry
+ in nfs4_proc_set_acl.
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5799,6 +5799,14 @@ static int nfs4_proc_set_acl(struct inod
+ do {
+ err = __nfs4_proc_set_acl(inode, buf, buflen);
+ trace_nfs4_set_acl(inode, err);
++ if (err == -NFS4ERR_BADOWNER || err == -NFS4ERR_BADNAME) {
++ /*
++ * no need to retry since the kernel
++ * isn't involved in encoding the ACEs.
++ */
++ err = -EINVAL;
++ break;
++ }
+ err = nfs4_handle_exception(NFS_SERVER(inode), err,
+ &exception);
+ } while (exception.retry);
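Review bot: The comment inside the new `-NFS4ERR_BADOWNER` / `-NFS4ERR_BADNAME` branch explains why a retry is pointless but not why nfs4_handle_exception() must be bypassed. Per the commit description, that path clears NFS_CAP_UIDGID_NOMAP and leaves it cleared when the retry fails, so a single failed ACL write naming an unknown principal makes later setattr calls fail until remount. Suggest recording that in the comment, e.g. `* Skip nfs4_handle_exception(): it would clear NFS_CAP_UIDGID_NOMAP and the retry cannot succeed.` The loop's enclosing function starts outside the hunk.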
--- /dev/null
+From 66a834d092930cf41d809c0e989b13cd6f9ca006 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 2 Jun 2021 21:30:26 +0800
+Subject: scsi: core: Fix error handling of scsi_host_alloc()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 66a834d092930cf41d809c0e989b13cd6f9ca006 upstream.
+
+After device is initialized via device_initialize(), or its name is set via
+dev_set_name(), the device has to be freed via put_device(). Otherwise
+device name will be leaked because it is allocated dynamically in
+dev_set_name().
+
+Fix the leak by replacing kfree() with put_device(). Since
+scsi_host_dev_release() properly handles IDA and kthread removal, remove
+special-casing these from the error handling as well.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-2-ming.lei@redhat.com
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Tested-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -389,8 +389,10 @@ struct Scsi_Host *scsi_host_alloc(struct
+ mutex_init(&shost->scan_mutex);
+
+ index = ida_simple_get(&host_index_ida, 0, 0, GFP_KERNEL);
+- if (index < 0)
+- goto fail_kfree;
++ if (index < 0) {
++ kfree(shost);
++ return NULL;
++ }
+ shost->host_no = index;
+
+ shost->dma_channel = 0xff;
+@@ -482,7 +484,7 @@ struct Scsi_Host *scsi_host_alloc(struct
+ shost_printk(KERN_WARNING, shost,
+ "error handler thread failed to spawn, error = %ld\n",
+ PTR_ERR(shost->ehandler));
+- goto fail_index_remove;
++ goto fail;
+ }
+
+ shost->tmf_work_q = alloc_workqueue("scsi_tmf_%d",
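Review bot: At the first `goto fail;` (error handler thread failed to spawn) `shost->ehandler` still holds the error pointer that `PTR_ERR(shost->ehandler)` decodes in the warning just above. The new `fail:` path hands cleanup to scsi_host_dev_release() through put_device(). If that release function stops the thread whenever `shost->ehandler` is non-NULL, it would pass an invalid pointer to kthread_stop(); its body is not in this hunk, so this is inferred from the description's statement that it handles kthread removal. Clearing the field first avoids that: `shost->ehandler = NULL;` immediately before `goto fail;`. The `fail:` label itself is in the next hunk of this patch.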
+@@ -491,17 +493,18 @@ struct Scsi_Host *scsi_host_alloc(struct
+ if (!shost->tmf_work_q) {
+ shost_printk(KERN_WARNING, shost,
+ "failed to create tmf workq\n");
+- goto fail_kthread;
++ goto fail;
+ }
+ scsi_proc_hostdir_add(shost->hostt);
+ return shost;
++ fail:
++ /*
++ * Host state is still SHOST_CREATED and that is enough to release
++ * ->shost_gendev. scsi_host_dev_release() will free
++ * dev_name(&shost->shost_dev).
++ */
++ put_device(&shost->shost_gendev);
+
+- fail_kthread:
+- kthread_stop(shost->ehandler);
+- fail_index_remove:
+- ida_simple_remove(&host_index_ida, shost->host_no);
+- fail_kfree:
+- kfree(shost);
+ return NULL;
+ }
+ EXPORT_SYMBOL(scsi_host_alloc);
--- /dev/null
+From 3719f4ff047e20062b8314c23ec3cab84d74c908 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 2 Jun 2021 21:30:27 +0800
+Subject: scsi: core: Fix failure handling of scsi_add_host_with_dma()
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 3719f4ff047e20062b8314c23ec3cab84d74c908 upstream.
+
+When scsi_add_host_with_dma() returns failure, the caller will call
+scsi_host_put(shost) to release everything allocated for this host
+instance. Consequently we can't also free allocated stuff in
+scsi_add_host_with_dma(), otherwise we will end up with a double free.
+
+Strictly speaking, host resource allocations should have been done in
+scsi_host_alloc(). However, the allocations may need information which is
+not yet provided by the driver when that function is called. So leave the
+allocations where they are but rely on host device's release handler to
+free resources.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-3-ming.lei@redhat.com
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Tested-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -275,23 +275,22 @@ int scsi_add_host_with_dma(struct Scsi_H
+ shost->work_q_name);
+ if (!shost->work_q) {
+ error = -EINVAL;
+- goto out_free_shost_data;
++ goto out_del_dev;
+ }
+ }
+
+ error = scsi_sysfs_add_host(shost);
+ if (error)
+- goto out_destroy_host;
++ goto out_del_dev;
+
+ scsi_proc_host_add(shost);
+ scsi_autopm_put_host(shost);
+ return error;
+
+- out_destroy_host:
+- if (shost->work_q)
+- destroy_workqueue(shost->work_q);
+- out_free_shost_data:
+- kfree(shost->shost_data);
++ /*
++ * Any host allocation in this function will be freed in
++ * scsi_host_dev_release().
++ */
+ out_del_dev:
+ device_del(&shost->shost_dev);
+ out_del_gendev:
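Review bot: The new comment above `out_del_dev:` says allocations are freed in scsi_host_dev_release(), but omits the condition that makes this true: per the commit description, the caller must drop its reference with scsi_host_put() after a failed add. With the local `destroy_workqueue()` and `kfree(shost->shost_data)` removed here, and `scsi_mq_destroy_tags()` removed in the next hunk, a driver that returns without that put now leaks more than it did before. Suggest wording the comment as `Any host allocation in this function will be freed in scsi_host_dev_release() once the caller calls scsi_host_put().` and stating the same requirement in the function's kernel-doc, which is outside the hunk.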
+@@ -301,7 +300,6 @@ int scsi_add_host_with_dma(struct Scsi_H
+ pm_runtime_disable(&shost->shost_gendev);
+ pm_runtime_set_suspended(&shost->shost_gendev);
+ pm_runtime_put_noidle(&shost->shost_gendev);
+- scsi_mq_destroy_tags(shost);
+ fail:
+ return error;
+ }
--- /dev/null
+From 1e0d4e6225996f05271de1ebcb1a7c9381af0b27 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 2 Jun 2021 21:30:29 +0800
+Subject: scsi: core: Only put parent device if host state differs from SHOST_CREATED
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 1e0d4e6225996f05271de1ebcb1a7c9381af0b27 upstream.
+
+get_device(shost->shost_gendev.parent) is called after host state has
+switched to SHOST_RUNNING. scsi_host_dev_release() shouldn't release the
+parent device if host state is still SHOST_CREATED.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-5-ming.lei@redhat.com
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Tested-by: John Garry <john.garry@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -344,7 +344,7 @@ static void scsi_host_dev_release(struct
+
+ ida_simple_remove(&host_index_ida, shost->host_no);
+
+- if (parent)
++ if (shost->shost_state != SHOST_CREATED)
+ put_device(parent);
+ kfree(shost);
+ }
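Review bot: The condition `if (shost->shost_state != SHOST_CREATED)` now stands in for "a reference on parent was taken", and nothing at this line says so. The description explains that get_device(shost->shost_gendev.parent) runs only after the state has switched to SHOST_RUNNING. A short comment such as `/* parent is only referenced once the host has left SHOST_CREATED */` would keep the two sites tied together if either is reordered later. The start of scsi_host_dev_release, including where `parent` is assigned, is outside the hunk.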
--- /dev/null
+From 11714026c02d613c30a149c3f4c4a15047744529 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 2 Jun 2021 21:30:28 +0800
+Subject: scsi: core: Put .shost_dev in failure path if host state changes to RUNNING
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 11714026c02d613c30a149c3f4c4a15047744529 upstream.
+
+scsi_host_dev_release() only frees dev_name when host state is
+SHOST_CREATED. After host state has changed to SHOST_RUNNING,
+scsi_host_dev_release() no longer cleans up.
+
+Fix this by doing a put_device(&shost->shost_dev) in the failure path when
+host state is SHOST_RUNNING. Move get_device(&shost->shost_gendev) before
+device_add(&shost->shost_dev) so that scsi_host_cls_release() can do a put
+on this reference.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-4-ming.lei@redhat.com
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Hannes Reinecke <hare@suse.de>
+Reported-by: John Garry <john.garry@huawei.com>
+Tested-by: John Garry <john.garry@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hosts.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -253,12 +253,11 @@ int scsi_add_host_with_dma(struct Scsi_H
+
+ device_enable_async_suspend(&shost->shost_dev);
+
++ get_device(&shost->shost_gendev);
+ error = device_add(&shost->shost_dev);
+ if (error)
+ goto out_del_gendev;
+
+- get_device(&shost->shost_gendev);
+-
+ if (shost->transportt->host_size) {
+ shost->shost_data = kzalloc(shost->transportt->host_size,
+ GFP_KERNEL);
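Review bot: The relocated `get_device(&shost->shost_gendev);` is now taken before `device_add(&shost->shost_dev)` can fail, but no comment names where the matching put happens. According to the description it is dropped by scsi_host_cls_release(), which runs when the `put_device(&shost->shost_dev)` added under `out_del_gendev:` in the second hunk releases the class device. Suggest `/* dropped in scsi_host_cls_release() */` on that line. It is also worth confirming that no `goto out_del_gendev` can be reached before this get_device(), since the new put would then drop a reference that was never taken; the earlier part of the function is outside the hunk.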
+@@ -294,6 +293,11 @@ int scsi_add_host_with_dma(struct Scsi_H
+ out_del_dev:
+ device_del(&shost->shost_dev);
+ out_del_gendev:
++ /*
++ * Host state is SHOST_RUNNING so we have to explicitly release
++ * ->shost_dev.
++ */
++ put_device(&shost->shost_dev);
+ device_del(&shost->shost_gendev);
+ out_disable_runtime_pm:
+ device_disable_async_suspend(&shost->shost_gendev);
perf-session-correct-buffer-copying-when-peeking-eve.patch
kvm-fix-previous-commit-for-32-bit-builds.patch
nfs-fix-use-after-free-in-nfs4_init_client.patch
+nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch
+nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch
+scsi-core-fix-error-handling-of-scsi_host_alloc.patch
+scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch
+scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch
+scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch