From: Greg Kroah-Hartman Date: Mon, 21 Aug 2023 11:45:38 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.4.12~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39b56792e1fbbad163e106c2536e64aad23380fe;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: cifs-release-folio-lock-on-fscache-read-hit.patch mmc-block-fix-in_flight-value-error.patch mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch --- diff --git a/queue-5.4/cifs-release-folio-lock-on-fscache-read-hit.patch b/queue-5.4/cifs-release-folio-lock-on-fscache-read-hit.patch new file mode 100644 index 00000000000..2ba6a618e3e --- /dev/null +++ b/queue-5.4/cifs-release-folio-lock-on-fscache-read-hit.patch 
@@ -0,0 +1,65 @@ +From 69513dd669e243928f7450893190915a88f84a2b Mon Sep 17 00:00:00 2001 +From: Russell Harmon via samba-technical +Date: Thu, 10 Aug 2023 00:19:22 -0700 +Subject: cifs: Release folio lock on fscache read hit. + +From: Russell Harmon via samba-technical + +commit 69513dd669e243928f7450893190915a88f84a2b upstream. + +Under the current code, when cifs_readpage_worker is called, the call +contract is that the callee should unlock the page. This is documented +in the read_folio section of Documentation/filesystems/vfs.rst as: + +> The filesystem should unlock the folio once the read has completed, +> whether it was successful or not. + +Without this change, when fscache is in use and cache hit occurs during +a read, the page lock is leaked, producing the following stack on +subsequent reads (via mmap) to the page: + +$ cat /proc/3890/task/12864/stack +[<0>] folio_wait_bit_common+0x124/0x350 +[<0>] filemap_read_folio+0xad/0xf0 +[<0>] filemap_fault+0x8b1/0xab0 +[<0>] __do_fault+0x39/0x150 +[<0>] do_fault+0x25c/0x3e0 +[<0>] __handle_mm_fault+0x6ca/0xc70 +[<0>] handle_mm_fault+0xe9/0x350 +[<0>] do_user_addr_fault+0x225/0x6c0 +[<0>] exc_page_fault+0x84/0x1b0 +[<0>] asm_exc_page_fault+0x27/0x30 + +This requires a reboot to resolve; it is a deadlock. + +Note however that the call to cifs_readpage_from_fscache does mark the +page clean, but does not free the folio lock. This happens in +__cifs_readpage_from_fscache on success. Releasing the lock at that +point however is not appropriate as cifs_readahead also calls +cifs_readpage_from_fscache and *does* unconditionally release the lock +after its return. This change therefore effectively makes +cifs_readpage_worker work like cifs_readahead. 
+ +Signed-off-by: Russell Harmon +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: David Howells +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -4510,9 +4510,9 @@ static int cifs_readpage_worker(struct f + + io_error: + kunmap(page); +- unlock_page(page); + + read_complete: ++ unlock_page(page); + return rc; + } + diff --git a/queue-5.4/mmc-block-fix-in_flight-value-error.patch b/queue-5.4/mmc-block-fix-in_flight-value-error.patch new file mode 100644 index 00000000000..9e0b4dcf0be --- /dev/null +++ b/queue-5.4/mmc-block-fix-in_flight-value-error.patch 
@@ -0,0 +1,75 @@ +From 4b430d4ac99750ee2ae2f893f1055c7af1ec3dc5 Mon Sep 17 00:00:00 2001 +From: Yibin Ding +Date: Wed, 2 Aug 2023 10:30:23 +0800 +Subject: mmc: block: Fix in_flight[issue_type] value error + +From: Yibin Ding + +commit 4b430d4ac99750ee2ae2f893f1055c7af1ec3dc5 upstream. + +For a completed request, after the mmc_blk_mq_complete_rq(mq, req) +function is executed, the bitmap_tags corresponding to the +request will be cleared, that is, the request will be regarded as +idle. If the request is acquired by a different type of process at +this time, the issue_type of the request may change. It further +caused the value of mq->in_flight[issue_type] to be abnormal, +and a large number of requests could not be sent. + +p1: p2: +mmc_blk_mq_complete_rq + blk_mq_free_request + blk_mq_get_request + blk_mq_rq_ctx_init +mmc_blk_mq_dec_in_flight + mmc_issue_type(mq, req) + +This strategy can ensure the consistency of issue_type +before and after executing mmc_blk_mq_complete_rq. + +Fixes: 81196976ed94 ("mmc: block: Add blk-mq support") +Cc: stable@vger.kernel.org +Signed-off-by: Yibin Ding +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20230802023023.1318134-1-yunlong.xing@unisoc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -1969,14 +1969,14 @@ static void mmc_blk_mq_poll_completion(s + mmc_blk_urgent_bkops(mq, mqrq); + } + +-static void mmc_blk_mq_dec_in_flight(struct mmc_queue *mq, struct request *req) ++static void mmc_blk_mq_dec_in_flight(struct mmc_queue *mq, enum mmc_issue_type issue_type) + { + unsigned long flags; + bool put_card; + + spin_lock_irqsave(&mq->lock, flags); + +- mq->in_flight[mmc_issue_type(mq, req)] -= 1; ++ mq->in_flight[issue_type] -= 1; + + put_card = (mmc_tot_in_flight(mq) == 0); + +@@ -1988,6 +1988,7 @@ static void mmc_blk_mq_dec_in_flight(str + + 
static void mmc_blk_mq_post_req(struct mmc_queue *mq, struct request *req) + { ++ enum mmc_issue_type issue_type = mmc_issue_type(mq, req); + struct mmc_queue_req *mqrq = req_to_mmc_queue_req(req); + struct mmc_request *mrq = &mqrq->brq.mrq; + struct mmc_host *host = mq->card->host; +@@ -2003,7 +2004,7 @@ static void mmc_blk_mq_post_req(struct m + else + blk_mq_complete_request(req); + +- mmc_blk_mq_dec_in_flight(mq, req); ++ mmc_blk_mq_dec_in_flight(mq, issue_type); + } + + void mmc_blk_mq_recovery(struct mmc_queue *mq) diff --git a/queue-5.4/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch b/queue-5.4/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch new file mode 100644 index 00000000000..920c548774f --- /dev/null +++ b/queue-5.4/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch @@ -0,0 +1,33 @@ +From d83035433701919ac6db15f7737cbf554c36c1a6 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 7 Aug 2023 20:44:42 +0800 +Subject: mmc: wbsd: fix double mmc_free_host() in wbsd_init() + +From: Yang Yingliang + +commit d83035433701919ac6db15f7737cbf554c36c1a6 upstream. + +mmc_free_host() has already be called in wbsd_free_mmc(), +remove the mmc_free_host() in error path in wbsd_init(). + +Fixes: dc5b9b50fc9d ("mmc: wbsd: fix return value check of mmc_add_host()") +Signed-off-by: Yang Yingliang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230807124443.3431366-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/wbsd.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/mmc/host/wbsd.c ++++ b/drivers/mmc/host/wbsd.c +@@ -1708,8 +1708,6 @@ static int wbsd_init(struct device *dev, + + wbsd_release_resources(host); + wbsd_free_mmc(dev); +- +- mmc_free_host(mmc); + return ret; + } + diff --git a/queue-5.4/series b/queue-5.4/series index ad00f884fcf..c511bcadd25 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -85,3 +85,6 @@ asoc-rt5665-add-missed-regulator_bulk_disable.patch asoc-meson-axg-tdm-formatter-fix-channel-slot-alloca.patch serial-8250-fix-oops-for-port-pm-on-uart_change_pm.patch alsa-usb-audio-add-support-for-mythware-xa001au-capture-and-playback-interfaces.patch +cifs-release-folio-lock-on-fscache-read-hit.patch +mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch +mmc-block-fix-in_flight-value-error.patch
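Review bot: In the fs/cifs/file.c hunk of cifs-release-folio-lock-on-fscache-read-hit.patch, moving unlock_page(page) below the read_complete: label means every jump to that label now drops the page lock, and the hunk shows only the tail of cifs_readpage_worker. The backport should confirm that each goto read_complete in the 5.4 version of the function arrives with the page still locked, because a path that has already unlocked it would now unlock it twice. The commit message argues from cifs_readahead and the read_folio contract in vfs.rst, so it is also worth checking that the same caller expectation holds in the 5.4 tree. A one-line comment at the label stating that the page is locked on entry would document the contract.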
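Review bot: In the first drivers/mmc/core/block.c hunk of mmc-block-fix-in_flight-value-error.patch, the new signature `static void mmc_blk_mq_dec_in_flight(struct mmc_queue *mq, enum mmc_issue_type issue_type)` runs to roughly 90 columns; wrap the second parameter onto a continuation line. The function also no longer says why it takes an issue type rather than the request, so a short comment that the caller must sample the type before completing the request would keep a later cleanup from reverting to mmc_issue_type(mq, req) inside the locked section.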
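Review bot: In the mmc_blk_mq_post_req() hunks of mmc-block-fix-in_flight-value-error.patch, the fix depends on `enum mmc_issue_type issue_type = mmc_issue_type(mq, req);` being evaluated before blk_mq_complete_request(req), yet nothing in the code states that ordering requirement. As a declaration initializer it reads like an ordinary local and could be moved or inlined later, which would bring back the wrong in_flight[] decrement. Add a comment at the declaration saying that req may be reallocated once it has been completed, as in the p1/p2 interleaving from the commit message, so issue_type must be read first.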
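Review bot: In the drivers/mmc/host/wbsd.c hunk of mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch, removing mmc_free_host(mmc) is correct only if wbsd_free_mmc(dev) already frees the host on this error path, as the commit message states. Since the patch carries Fixes: dc5b9b50fc9d, confirm before it goes out in queue-5.4 that the 5.4 tree contains that commit and that its wbsd_free_mmc() performs the free. The error path now relies on wbsd_free_mmc(dev) being the only place the host is released, so a brief comment above that call would help prevent the second free from being reintroduced.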