From: Greg Kroah-Hartman
Date: Sun, 12 Dec 2021 13:26:38 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.4.295~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=351831db6f7027f7696b727e7ad9641b06221087;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
can-m_can-disable-and-ignore-elo-interrupt.patch
can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
libata-add-horkage-for-asmedia-1092.patch
md-fix-update-super-1.0-on-rdev-size-change.patch
mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
nfsd-fix-nsfd-startup-race-again.patch
nfsd-fix-use-after-free-due-to-delegation-race.patch
tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
---
diff --git a/queue-5.10/can-m_can-disable-and-ignore-elo-interrupt.patch b/queue-5.10/can-m_can-disable-and-ignore-elo-interrupt.patch
new file mode 100644
index 00000000000..62a5ebf11a1
--- /dev/null
+++ b/queue-5.10/can-m_can-disable-and-ignore-elo-interrupt.patch
@@ -0,0 +1,63 @@
+From f58ac1adc76b5beda43c64ef359056077df4d93a Mon Sep 17 00:00:00 2001
+From: Brian Silverman
+Date: Mon, 29 Nov 2021 14:26:28 -0800
+Subject: can: m_can: Disable and ignore ELO interrupt
+
+From: Brian Silverman
+
+commit f58ac1adc76b5beda43c64ef359056077df4d93a upstream.
+
+With the design of this driver, this condition is often triggered.
+However, the counter that this interrupt indicates an overflow is never
+read either, so overflowing is harmless.
+
+On my system, when a CAN bus starts flapping up and down, this locks up
+the whole system with lots of interrupts and printks.
+
+Specifically, this interrupt indicates the CEL field of ECR has
+overflowed. All reads of ECR mask out CEL.
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Link: https://lore.kernel.org/all/20211129222628.7490-1-brian.silverman@bluerivertech.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Silverman
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/m_can/m_can.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -207,15 +207,15 @@ enum m_can_reg {
+
+ /* Interrupts for version 3.0.x */
+ #define IR_ERR_LEC_30X (IR_STE | IR_FOE | IR_ACKE | IR_BE | IR_CRCE)
+-#define IR_ERR_BUS_30X (IR_ERR_LEC_30X | IR_WDI | IR_ELO | IR_BEU | \
+- IR_BEC | IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | \
+- IR_RF1L | IR_RF0L)
++#define IR_ERR_BUS_30X (IR_ERR_LEC_30X | IR_WDI | IR_BEU | IR_BEC | \
++ IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | IR_RF1L | \
++ IR_RF0L)
+ #define IR_ERR_ALL_30X (IR_ERR_STATE | IR_ERR_BUS_30X)
+ /* Interrupts for version >= 3.1.x */
+ #define IR_ERR_LEC_31X (IR_PED | IR_PEA)
+-#define IR_ERR_BUS_31X (IR_ERR_LEC_31X | IR_WDI | IR_ELO | IR_BEU | \
+- IR_BEC | IR_TOO | IR_MRAF | IR_TSW | IR_TEFL | \
+- IR_RF1L | IR_RF0L)
++#define IR_ERR_BUS_31X (IR_ERR_LEC_31X | IR_WDI | IR_BEU | IR_BEC | \
++ IR_TOO | 
IR_MRAF | IR_TSW | IR_TEFL | IR_RF1L | \
++ IR_RF0L)
+ #define IR_ERR_ALL_31X (IR_ERR_STATE | IR_ERR_BUS_31X)
+
+ /* Interrupt Line Select (ILS) */
+@@ -752,8 +752,6 @@ static void m_can_handle_other_err(struc
+ {
+ if (irqstatus & IR_WDI)
+ netdev_err(dev, "Message RAM Watchdog event due to missing READY\n");
+- if (irqstatus & IR_ELO)
+- netdev_err(dev, "Error Logging Overflow\n");
+ if (irqstatus & IR_BEU)
+ netdev_err(dev, "Bit Error Uncorrected\n");
+ if (irqstatus & IR_BEC)
diff --git a/queue-5.10/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch b/queue-5.10/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
new file mode 100644
index 00000000000..2fd4ba91369
--- /dev/null
+++ b/queue-5.10/can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
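Review bot: In drivers/net/can/m_can/m_can.c the new IR_ERR_BUS_30X and IR_ERR_BUS_31X definitions drop IR_ELO without recording why, so a later cleanup that compares the masks against the register layout could put it back. A one-line comment above each mask would keep the decision visible, for example `/* IR_ELO is left out on purpose: the CEL counter it reports on is never read */`. The prints that remain in m_can_handle_other_err() are still plain `netdev_err()` calls; if any of those conditions can fire as often as ELO did (not visible from these hunks), guarding them with `net_ratelimit()` would avoid the same interrupt-plus-printk lockup the description reports. The handler body continues outside the hunk.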
@@ -0,0 +1,41 @@
+From 94cddf1e9227a171b27292509d59691819c458db Mon Sep 17 00:00:00 2001
+From: Vincent Mailhol
+Date: Tue, 23 Nov 2021 20:16:54 +0900
+Subject: can: pch_can: pch_can_rx_normal: fix use after free
+
+From: Vincent Mailhol
+
+commit 94cddf1e9227a171b27292509d59691819c458db upstream.
+
+After calling netif_receive_skb(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is dereferenced
+just after the call netif_receive_skb(skb).
+
+Reordering the lines solves the issue.
+
+Fixes: b21d18b51b31 ("can: Topcliff: Add PCH_CAN driver.")
+Link: https://lore.kernel.org/all/20211123111654.621610-1-mailhol.vincent@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Vincent Mailhol
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/pch_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/pch_can.c
++++ b/drivers/net/can/pch_can.c
+@@ -692,11 +692,11 @@ static int pch_can_rx_normal(struct net_
+ cf->data[i + 1] = data_reg >> 8;
+ }
+
+- netif_receive_skb(skb);
+ rcv_pkts++;
+ stats->rx_packets++;
+ quota--;
+ stats->rx_bytes += cf->can_dlc;
++ netif_receive_skb(skb);
+
+ pch_fifo_thresh(priv, obj_num);
+ obj_num++;
diff --git a/queue-5.10/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch b/queue-5.10/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
new file mode 100644
index 00000000000..78c05dbb5e2
--- /dev/null
+++ b/queue-5.10/clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
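Review bot: The reordered block in pch_can_rx_normal() carries nothing that tells the next editor why netif_receive_skb() has to come last, and the statistics line that reads `cf->can_dlc` now sits directly above the call, where a later reshuffle could reintroduce the use after free. I would add `/* cf points into skb; netif_receive_skb() hands the skb off, so it must stay the last user of cf and skb */` above the call. The function starts and ends outside this hunk, so any other read of cf or skb later in the loop body cannot be checked from here.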
@@ -0,0 +1,70 @@
+From 9a61f813fcc8d56d85fcf9ca6119cf2b5ac91dd5 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Tue, 16 Nov 2021 02:34:07 +0300
+Subject: clk: qcom: regmap-mux: fix parent clock lookup
+
+From: Dmitry Baryshkov
+
+commit 9a61f813fcc8d56d85fcf9ca6119cf2b5ac91dd5 upstream.
+
+The function mux_get_parent() uses qcom_find_src_index() to find the
+parent clock index, which is incorrect: qcom_find_src_index() uses src
+enum for the lookup, while mux_get_parent() should use cfg field (which
+corresponds to the register value). Add qcom_find_cfg_index() function
+doing this kind of lookup and use it for mux parent lookup.
+
+Fixes: df964016490b ("clk: qcom: add parent map for regmap mux")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Baryshkov
+Link: https://lore.kernel.org/r/20211115233407.1046179-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Stephen Boyd
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/clk-regmap-mux.c | 2 +-
+ drivers/clk/qcom/common.c | 12 ++++++++++++
+ drivers/clk/qcom/common.h | 2 ++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/clk-regmap-mux.c
++++ b/drivers/clk/qcom/clk-regmap-mux.c
+@@ -28,7 +28,7 @@ static u8 mux_get_parent(struct clk_hw *
+ val &= mask;
+
+ if (mux->parent_map)
+- return qcom_find_src_index(hw, mux->parent_map, val);
++ return qcom_find_cfg_index(hw, mux->parent_map, val);
+
+ return val;
+ }
+--- a/drivers/clk/qcom/common.c
++++ b/drivers/clk/qcom/common.c
+@@ -69,6 +69,18 @@ int qcom_find_src_index(struct clk_hw *h
+ }
+ EXPORT_SYMBOL_GPL(qcom_find_src_index);
+
++int qcom_find_cfg_index(struct clk_hw *hw, const struct parent_map *map, u8 cfg)
++{
++ int i, num_parents = clk_hw_get_num_parents(hw);
++
++ for (i = 0; i < num_parents; i++)
++ if (cfg == map[i].cfg)
++ return i;
++
++ return -ENOENT;
++}
++EXPORT_SYMBOL_GPL(qcom_find_cfg_index);
++
+ struct regmap *
+ qcom_cc_map(struct platform_device *pdev, const struct qcom_cc_desc *desc)
+ {
+--- 
a/drivers/clk/qcom/common.h
++++ b/drivers/clk/qcom/common.h
+@@ -49,6 +49,8 @@ extern void
+ qcom_pll_set_fsm_mode(struct regmap *m, u32 reg, u8 bias_count, u8 lock_count);
+ extern int qcom_find_src_index(struct clk_hw *hw, const struct parent_map *map,
+ u8 src);
++extern int qcom_find_cfg_index(struct clk_hw *hw, const struct parent_map *map,
++ u8 cfg);
+
+ extern int qcom_cc_register_board_clk(struct device *dev, const char *path,
+ const char *name, unsigned long rate);
diff --git a/queue-5.10/drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch b/queue-5.10/drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
new file mode 100644
index 00000000000..f49613f4db4
--- /dev/null
+++ b/queue-5.10/drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
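Review bot: qcom_find_cfg_index() returns `-ENOENT` as an int when no map entry matches, but its only caller in this patch, mux_get_parent(), is declared `static u8` and returns the result directly, so the error is converted to 254 and handed back as if it were a parent index. Whether the clock core rejects an index beyond the parent count is not visible here, so the behaviour for an unexpected register value deserves either an explicit check in mux_get_parent() or a comment stating that the out-of-range value is intended. The new exported helper also has no kernel-doc; a short block saying it looks up by `cfg` (the register value) rather than `src`, and that it returns the index or `-ENOENT`, would keep the two lookups from being confused again. mux_get_parent() begins outside the hunk.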
@@ -0,0 +1,59 @@
+From b19926d4f3a660a8b76e5d989ffd1168e619a5c4 Mon Sep 17 00:00:00 2001
+From: Bas Nieuwenhuizen
+Date: Wed, 8 Dec 2021 03:39:35 +0100
+Subject: drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bas Nieuwenhuizen
+
+commit b19926d4f3a660a8b76e5d989ffd1168e619a5c4 upstream.
+
+dma_fence_chain_find_seqno only ever returns the top fence in the
+chain or an unsignalled fence. Hence if we request a seqno that
+is already signalled it returns a NULL fence. Some callers are
+not prepared to handle this, like the syncobj transfer functions
+for example.
+
+This behavior is "new" with timeline syncobj and it looks like
+not all callers were updated. To fix this behavior make sure
+that a successful drm_sync_find_fence always returns a non-NULL
+fence.
+
+v2: Move the fix to drm_syncobj_find_fence from the transfer
+ functions.
+
+Fixes: ea569910cbab ("drm/syncobj: add transition iotcls between binary and timeline v2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bas Nieuwenhuizen
+Reviewed-by: Christian König
+Acked-by: Lionel Landwerlin
+Signed-off-by: Christian König
+Link: https://patchwork.freedesktop.org/patch/msgid/20211208023935.17018-1-bas@basnieuwenhuizen.nl
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_syncobj.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_syncobj.c
++++ b/drivers/gpu/drm/drm_syncobj.c
+@@ -391,8 +391,17 @@ int drm_syncobj_find_fence(struct drm_fi
+
+ if (*fence) {
+ ret = dma_fence_chain_find_seqno(fence, point);
+- if (!ret)
++ if (!ret) {
++ /* If the requested seqno is already signaled
++ * drm_syncobj_find_fence may return a NULL
++ * fence. To make sure the recipient gets
++ * signalled, use a new fence instead.
++ */
++ if (!*fence)
++ *fence = dma_fence_get_stub();
++
+ goto out;
++ }
+ dma_fence_put(*fence);
+ } else {
+ ret = -EINVAL;
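Review bot: The comment added inside the `if (!ret)` branch says "drm_syncobj_find_fence may return a NULL fence", but this code is drm_syncobj_find_fence() itself and the NULL comes from the dma_fence_chain_find_seqno() call two lines above, as the description explains. I would reword the comment to name that call and state the resulting guarantee: dma_fence_chain_find_seqno() leaves `*fence` NULL when the requested seqno is already signalled, and the stub fence is substituted so that a successful return never carries a NULL fence. The comment also mixes "signaled" and "signalled"; picking one spelling keeps it greppable. The function body continues outside the hunk.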
diff --git a/queue-5.10/libata-add-horkage-for-asmedia-1092.patch b/queue-5.10/libata-add-horkage-for-asmedia-1092.patch
new file mode 100644
index 00000000000..974aeb05534
--- /dev/null
+++ b/queue-5.10/libata-add-horkage-for-asmedia-1092.patch
@@ -0,0 +1,33 @@
+From a66307d473077b7aeba74e9b09c841ab3d399c2d Mon Sep 17 00:00:00 2001
+From: Hannes Reinecke
+Date: Wed, 8 Dec 2021 07:58:53 +0100
+Subject: libata: add horkage for ASMedia 1092
+
+From: Hannes Reinecke
+
+commit a66307d473077b7aeba74e9b09c841ab3d399c2d upstream.
+
+The ASMedia 1092 has a configuration mode which will present a
+dummy device; sadly the implementation falsely claims to provide
+a device with 100M which doesn't actually exist.
+So disable this device to avoid errors during boot.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hannes Reinecke
+Signed-off-by: Damien Le Moal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3831,6 +3831,8 @@ static const struct ata_blacklist_entry
+ { "VRFDFC22048UCHC-TE*", NULL, ATA_HORKAGE_NODMA },
+ /* Odd clown on sil3726/4726 PMPs */
+ { "Config Disk", NULL, ATA_HORKAGE_DISABLE },
++ /* Similar story with ASMedia 1092 */
++ { "ASMT109x- Config", NULL, ATA_HORKAGE_DISABLE },
+
+ /* Weird ATAPI devices */
+ { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 },
diff --git a/queue-5.10/md-fix-update-super-1.0-on-rdev-size-change.patch b/queue-5.10/md-fix-update-super-1.0-on-rdev-size-change.patch
new file mode 100644
index 00000000000..31eb8ae0f54
--- /dev/null
+++ b/queue-5.10/md-fix-update-super-1.0-on-rdev-size-change.patch
@@ -0,0 +1,35 @@
+From 55df1ce0d4e086e05a8ab20619c73c729350f965 Mon Sep 17 00:00:00 2001
+From: Markus Hochholdinger
+Date: Tue, 16 Nov 2021 10:21:35 +0000
+Subject: md: fix update super 1.0 on rdev size change
+
+From: Markus Hochholdinger
+
+commit 55df1ce0d4e086e05a8ab20619c73c729350f965 upstream.
+
+The superblock of version 1.0 doesn't get moved to the new position on a
+device size change. This leads to a rdev without a superblock on a known
+position, the raid can't be re-assembled.
+
+The line was removed by mistake and is re-added by this patch.
+
+Fixes: d9c0fa509eaf ("md: fix max sectors calculation for super 1.0")
+Cc: stable@vger.kernel.org
+Signed-off-by: Markus Hochholdinger
+Reviewed-by: Xiao Ni
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/md.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2252,6 +2252,7 @@ super_1_rdev_size_change(struct md_rdev
+
+ if (!num_sectors || num_sectors > max_sectors)
+ num_sectors = max_sectors;
++ rdev->sb_start = sb_start;
+ }
+ sb = page_address(rdev->sb_page);
+ sb->data_size = cpu_to_le64(num_sectors);
diff --git a/queue-5.10/mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch b/queue-5.10/mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
new file mode 100644
index 00000000000..69fb9b09f2f
--- /dev/null
+++ b/queue-5.10/mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
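Review bot: The re-added `rdev->sb_start = sb_start;` in super_1_rdev_size_change() is the line the description says was already dropped once by mistake, and it still has no comment that would stop the same cleanup from happening again. Something like `/* record the moved superblock position; without it the array cannot be re-assembled after a resize */` above the assignment would do. The surrounding branch and the computation of `sb_start` lie outside the hunk, so this assumes `sb_start` holds the new position at this point.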
@@ -0,0 +1,34 @@
+From 7dba402807a85fa3723f4a27504813caf81cc9d7 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Tue, 30 Nov 2021 14:23:09 +0100
+Subject: mmc: renesas_sdhi: initialize variable properly when tuning
+
+From: Wolfram Sang
+
+commit 7dba402807a85fa3723f4a27504813caf81cc9d7 upstream.
+
+'cmd_error' is not necessarily initialized on some error paths in
+mmc_send_tuning(). Initialize it.
+
+Fixes: 2c9017d0b5d3 ("mmc: renesas_sdhi: abort tuning when timeout detected")
+Reported-by: Dan Carpenter
+Signed-off-by: Wolfram Sang
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211130132309.18246-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/renesas_sdhi_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -660,7 +660,7 @@ static int renesas_sdhi_execute_tuning(s
+
+ /* Issue CMD19 twice for each tap */
+ for (i = 0; i < 2 * priv->tap_num; i++) {
+- int cmd_error;
++ int cmd_error = 0;
+
+ /* Set sampling clock position */
+ sd_scc_write32(host, priv, SH_MOBILE_SDHI_SCC_TAPSET, i % priv->tap_num);
diff --git a/queue-5.10/nfsd-fix-nsfd-startup-race-again.patch b/queue-5.10/nfsd-fix-nsfd-startup-race-again.patch
new file mode 100644
index 00000000000..8d3b4ed133c
--- /dev/null
+++ b/queue-5.10/nfsd-fix-nsfd-startup-race-again.patch
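Review bot: `int cmd_error = 0;` in the tuning loop of renesas_sdhi_execute_tuning() will look like a redundant initializer to anyone who has not read the commit message, which makes it a candidate for removal in a later tidy-up. A short comment on the declaration, e.g. `/* mmc_send_tuning() does not set this on every error path */`, would keep the reason next to the code. The code that consumes `cmd_error` is outside the hunk, so it is not visible whether a failed tuning command that leaves the value at 0 is still caught through the call's return value; that is worth confirming.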
@@ -0,0 +1,109 @@
+From b10252c7ae9c9d7c90552f88b544a44ee773af64 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin
+Date: Tue, 7 Dec 2021 15:00:39 +0100
+Subject: nfsd: Fix nsfd startup race (again)
+
+From: Alexander Sverdlin
+
+commit b10252c7ae9c9d7c90552f88b544a44ee773af64 upstream.
+
+Commit bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
+has re-opened rpc_pipefs_event() race against nfsd_net_id registration
+(register_pernet_subsys()) which has been fixed by commit bb7ffbf29e76
+("nfsd: fix nsfd startup race triggering BUG_ON").
+
+Restore the order of register_pernet_subsys() vs register_cld_notifier().
+Add WARN_ON() to prevent a future regression.
+
+Crash info:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000012
+CPU: 8 PID: 345 Comm: mount Not tainted 5.4.144-... #1
+pc : rpc_pipefs_event+0x54/0x120 [nfsd]
+lr : rpc_pipefs_event+0x48/0x120 [nfsd]
+Call trace:
+ rpc_pipefs_event+0x54/0x120 [nfsd]
+ blocking_notifier_call_chain
+ rpc_fill_super
+ get_tree_keyed
+ rpc_fs_get_tree
+ vfs_get_tree
+ do_mount
+ ksys_mount
+ __arm64_sys_mount
+ el0_svc_handler
+ el0_svc
+
+Fixes: bd5ae9288d64 ("nfsd: register pernet ops last, unregister first")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin
+Signed-off-by: J. 
Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4recover.c | 1 +
+ fs/nfsd/nfsctl.c | 14 +++++++-------
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -2156,6 +2156,7 @@ static struct notifier_block nfsd4_cld_b
+ int
+ register_cld_notifier(void)
+ {
++ WARN_ON(!nfsd_net_id);
+ return rpc_pipefs_notifier_register(&nfsd4_cld_block);
+ }
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1525,12 +1525,9 @@ static int __init init_nfsd(void)
+ int retval;
+ printk(KERN_INFO "Installing knfsd (copyright (C) 1996 okir@monad.swb.de).\n");
+
+- retval = register_cld_notifier();
+- if (retval)
+- return retval;
+ retval = nfsd4_init_slabs();
+ if (retval)
+- goto out_unregister_notifier;
++ return retval;
+ retval = nfsd4_init_pnfs();
+ if (retval)
+ goto out_free_slabs;
+@@ -1547,9 +1544,14 @@ static int __init init_nfsd(void)
+ goto out_free_exports;
+ retval = register_pernet_subsys(&nfsd_net_ops);
+ if (retval < 0)
++ goto out_free_filesystem;
++ retval = register_cld_notifier();
++ if (retval)
+ goto out_free_all;
+ return 0;
+ out_free_all:
++ unregister_pernet_subsys(&nfsd_net_ops);
++out_free_filesystem:
+ unregister_filesystem(&nfsd_fs_type);
+ out_free_exports:
+ remove_proc_entry("fs/nfs/exports", NULL);
+@@ -1562,13 +1564,12 @@ out_free_stat:
+ nfsd4_exit_pnfs();
+ out_free_slabs:
+ nfsd4_free_slabs();
+-out_unregister_notifier:
+- unregister_cld_notifier();
+ return retval;
+ }
+
+ static void __exit exit_nfsd(void)
+ {
++ unregister_cld_notifier();
+ unregister_pernet_subsys(&nfsd_net_ops);
+ nfsd_drc_slab_free();
+ remove_proc_entry("fs/nfs/exports", NULL);
+@@ -1578,7 +1579,6 @@ static void __exit exit_nfsd(void)
+ nfsd4_free_slabs();
+ nfsd4_exit_pnfs();
+ unregister_filesystem(&nfsd_fs_type);
+- unregister_cld_notifier();
+ }
+
+ MODULE_AUTHOR("Olaf Kirch ");
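Review bot: The `WARN_ON(!nfsd_net_id);` added to register_cld_notifier() in fs/nfsd/nfs4recover.c only logs; the function then registers the notifier anyway, so if the init order regresses again the NULL dereference in rpc_pipefs_event() shown in the description can still follow the warning. Failing the registration would turn the check into a guard, e.g. `if (WARN_ON(!nfsd_net_id)) return -EINVAL;`, which init_nfsd() already handles through its `if (retval) goto out_free_all;` path. A comment at the register_cld_notifier() call in init_nfsd() saying it must stay after register_pernet_subsys() would document the ordering at the place where it is most likely to be changed. Parts of init_nfsd() and exit_nfsd() lie between and outside the hunks.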
diff --git a/queue-5.10/nfsd-fix-use-after-free-due-to-delegation-race.patch b/queue-5.10/nfsd-fix-use-after-free-due-to-delegation-race.patch
new file mode 100644
index 00000000000..76fdfc3053c
--- /dev/null
+++ b/queue-5.10/nfsd-fix-use-after-free-due-to-delegation-race.patch
@@ -0,0 +1,63 @@
+From 548ec0805c399c65ed66c6641be467f717833ab5 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields"
+Date: Mon, 29 Nov 2021 15:08:00 -0500
+Subject: nfsd: fix use-after-free due to delegation race
+
+From: J. Bruce Fields
+
+commit 548ec0805c399c65ed66c6641be467f717833ab5 upstream.
+
+A delegation break could arrive as soon as we've called vfs_setlease. A
+delegation break runs a callback which immediately (in
+nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we
+then exit nfs4_set_delegation without hashing the delegation, it will be
+freed as soon as the callback is done with it, without ever being
+removed from del_recall_lru.
+
+Symptoms show up later as use-after-free or list corruption warnings,
+usually in the laundromat thread.
+
+I suspect aba2072f4523 "nfsd: grant read delegations to clients holding
+writes" made this bug easier to hit, but I looked as far back as v3.0
+and it looks to me it already had the same problem. So I'm not sure
+where the bug was introduced; it may have been there from the beginning.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfs4state.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1089,6 +1089,11 @@ hash_delegation_locked(struct nfs4_deleg
+ return 0;
+ }
+
++static bool delegation_hashed(struct nfs4_delegation *dp)
++{
++ return !(list_empty(&dp->dl_perfile));
++}
++
+ static bool
+ unhash_delegation_locked(struct nfs4_delegation *dp)
+ {
+@@ -1096,7 +1101,7 @@ unhash_delegation_locked(struct nfs4_del
+
+ lockdep_assert_held(&state_lock);
+
+- if (list_empty(&dp->dl_perfile))
++ if (!delegation_hashed(dp))
+ return false;
+
+ dp->dl_stid.sc_type = NFS4_CLOSED_DELEG_STID;
+@@ -4512,7 +4517,7 @@ static void nfsd4_cb_recall_prepare(stru
+ * queued for a lease break. Don't queue it again.
+ */
+ spin_lock(&state_lock);
+- if (dp->dl_time == 0) {
++ if (delegation_hashed(dp) && dp->dl_time == 0) {
+ dp->dl_time = ktime_get_boottime_seconds();
+ list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index b2c82b23168..55ac3ddace5 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -51,3 +51,13 @@ alsa-pcm-oss-handle-missing-errors-in-snd_pcm_oss_change_params.patch
 scsi-qla2xxx-format-log-strings-only-if-needed.patch
 btrfs-clear-extent-buffer-uptodate-when-we-fail-to-write-it.patch
 btrfs-replace-the-bug_on-in-btrfs_del_root_ref-with-proper-error-handling.patch
+md-fix-update-super-1.0-on-rdev-size-change.patch
+nfsd-fix-use-after-free-due-to-delegation-race.patch
+nfsd-fix-nsfd-startup-race-again.patch
+tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
+mmc-renesas_sdhi-initialize-variable-properly-when-tuning.patch
+clk-qcom-regmap-mux-fix-parent-clock-lookup.patch
+drm-syncobj-deal-with-signalled-fences-in-drm_syncobj_find_fence.patch
+can-pch_can-pch_can_rx_normal-fix-use-after-free.patch
+can-m_can-disable-and-ignore-elo-interrupt.patch
+libata-add-horkage-for-asmedia-1092.patch
diff --git a/queue-5.10/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch b/queue-5.10/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
new file mode 100644
index 00000000000..7a735b7b7cf
--- /dev/null
+++ b/queue-5.10/tracefs-have-new-files-inherit-the-ownership-of-their-parent.patch
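Review bot: The new delegation_hashed() helper in fs/nfsd/nfs4state.c reads `dp->dl_perfile` without stating its locking requirement, although both call sites in this patch run with state_lock held: unhash_delegation_locked() asserts it and nfsd4_cb_recall_prepare() takes it just before the test. Adding `lockdep_assert_held(&state_lock);` as the first line of the helper, or at least a comment saying the caller must hold state_lock, would keep a future caller from using it unlocked and reopening the race this patch closes. The parameter could also be `const struct nfs4_delegation *dp`, since the helper only reads. The bodies of unhash_delegation_locked() and nfsd4_cb_recall_prepare() extend beyond the hunks.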
@@ -0,0 +1,53 @@
+From ee7f3666995d8537dec17b1d35425f28877671a9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)"
+Date: Wed, 8 Dec 2021 07:57:20 -0500
+Subject: tracefs: Have new files inherit the ownership of their parent
+
+From: Steven Rostedt (VMware)
+
+commit ee7f3666995d8537dec17b1d35425f28877671a9 upstream.
+
+If directories in tracefs have their ownership changed, then any new files
+and directories that are created under those directories should inherit
+the ownership of the director they are created in.
+
+Link: https://lkml.kernel.org/r/20211208075720.4855d180@gandalf.local.home
+
+Cc: Kees Cook
+Cc: Ingo Molnar
+Cc: Andrew Morton
+Cc: Linus Torvalds
+Cc: Al Viro
+Cc: Greg Kroah-Hartman
+Cc: Yabin Cui
+Cc: Christian Brauner
+Cc: stable@vger.kernel.org
+Fixes: 4282d60689d4f ("tracefs: Add new tracefs file system")
+Reported-by: Kalesh Singh
+Reported: https://lore.kernel.org/all/CAC_TJve8MMAv+H_NdLSJXZUSoxOEq2zB_pVaJ9p=7H6Bu3X76g@mail.gmail.com/
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/tracefs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -412,6 +412,8 @@ struct dentry *tracefs_create_file(const
+ inode->i_mode = mode;
+ inode->i_fop = fops ? fops : &tracefs_file_operations;
+ inode->i_private = data;
++ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++ inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+ d_instantiate(dentry, inode);
+ fsnotify_create(dentry->d_parent->d_inode, dentry);
+ return end_creating(dentry);
+@@ -434,6 +436,8 @@ static struct dentry *__create_dir(const
+ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
++ inode->i_uid = d_inode(dentry->d_parent)->i_uid;
++ inode->i_gid = d_inode(dentry->d_parent)->i_gid;
+
+ /* directory inodes start off with i_nlink == 2 (for "." entry) */
+ inc_nlink(inode);
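Review bot: The same two assignments, `inode->i_uid = d_inode(dentry->d_parent)->i_uid;` and the matching `i_gid` line, are added to both tracefs_create_file() and __create_dir() with no comment, and they spell the parent lookup as `d_inode(dentry->d_parent)` while the unchanged fsnotify_create() call a few lines below uses `dentry->d_parent->d_inode`. Since this changes who owns newly created tracing files, a comment such as `/* new entries take the owner and group of the directory they are created in */` belongs at both sites, or the pair could move into one small static helper so the rule lives in one place. Only ownership is copied; the mode still comes from the caller or from the fixed directory mode, which is worth stating in the function documentation outside these hunks. Both functions start and end outside the hunks.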