From: Greg Kroah-Hartman
Date: Fri, 15 Apr 2022 10:39:02 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.19.238~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9dd75234ea958c207d08b2a6b5d6f92f2da0246;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
alsa-core-add-snd_card_free_on_error-helper.patch
alsa-sis7019-fix-the-missing-error-handling.patch
btrfs-release-correct-delalloc-amount-in-direct-io-write-path.patch
---
diff --git a/queue-5.15/alsa-core-add-snd_card_free_on_error-helper.patch b/queue-5.15/alsa-core-add-snd_card_free_on_error-helper.patch
new file mode 100644
index 00000000000..e847ab0e651
--- /dev/null
+++ b/queue-5.15/alsa-core-add-snd_card_free_on_error-helper.patch
@@ -0,0 +1,96 @@
+From fee2b871d8d6389c9b4bdf9346a99ccc1c98c9b8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Apr 2022 11:31:40 +0200
+Subject: ALSA: core: Add snd_card_free_on_error() helper
+
+From: Takashi Iwai
+
+commit fee2b871d8d6389c9b4bdf9346a99ccc1c98c9b8 upstream.
+
+This is a small helper function to handle the error path more easily
+when an error happens during the probe for the device with the
+device-managed card. Since devres releases in the reverser order of
+the creations, usually snd_card_free() gets called at the last in the
+probe error path unless it already reached snd_card_register() calls.
+Due to this nature, when a driver expects the resource releases in
+card->private_free, this might be called too lately.
+
+As a workaround, one should call the probe like:
+
+ static int __some_probe(...) { // do real probe.... }
+
+ static int some_probe(...)
+ {
+ return snd_card_free_on_error(dev, __some_probe(dev, ...));
+ }
+
+so that the snd_card_free() is called explicitly at the beginning of
+the error path from the probe.
+
+This function will be used in the upcoming fixes to address the
+regressions by devres usages.
+
+Fixes: e8ad415b7a55 ("ALSA: core: Add managed card creation")
+Cc:
+Link: https://lore.kernel.org/r/20220412093141.8008-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/sound/core.h | 1 +
+ sound/core/init.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+--- a/include/sound/core.h
++++ b/include/sound/core.h
+@@ -284,6 +284,7 @@ int snd_card_disconnect(struct snd_card
+ void snd_card_disconnect_sync(struct snd_card *card);
+ int snd_card_free(struct snd_card *card);
+ int snd_card_free_when_closed(struct snd_card *card);
++int snd_card_free_on_error(struct device *dev, int ret);
+ void snd_card_set_id(struct snd_card *card, const char *id);
+ int snd_card_register(struct snd_card *card);
+ int snd_card_info_init(void);
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -209,6 +209,12 @@ static void __snd_card_release(struct de
+ * snd_card_register(), the very first devres action to call snd_card_free()
+ * is added automatically. In that way, the resource disconnection is assured
+ * at first, then released in the expected order.
++ *
++ * If an error happens at the probe before snd_card_register() is called and
++ * there have been other devres resources, you'd need to free the card manually
++ * via snd_card_free() call in the error; otherwise it may lead to UAF due to
++ * devres call orders. You can use snd_card_free_on_error() helper for
++ * handling it more easily.
+ */
+ int snd_devm_card_new(struct device *parent, int idx, const char *xid,
+ struct module *module, size_t extra_size,
+@@ -235,6 +241,28 @@ int snd_devm_card_new(struct device *par
+ }
+ EXPORT_SYMBOL_GPL(snd_devm_card_new);
+
++/**
++ * snd_card_free_on_error - a small helper for handling devm probe errors
++ * @dev: the managed device object
++ * @ret: the return code from the probe callback
++ *
++ * This function handles the explicit snd_card_free() call at the error from
++ * the probe callback. It's just a small helper for simplifying the error
++ * handling with the managed devices.
++ */
++int snd_card_free_on_error(struct device *dev, int ret)
++{
++ struct snd_card *card;
++
++ if (!ret)
++ return 0;
++ card = devres_find(dev, __snd_card_release, NULL, NULL);
++ if (card)
++ snd_card_free(card);
++ return ret;
++}
++EXPORT_SYMBOL_GPL(snd_card_free_on_error);
++
+ static int snd_card_init(struct snd_card *card, struct device *parent,
+ int idx, const char *xid, struct module *module,
+ size_t extra_size)
diff --git a/queue-5.15/alsa-sis7019-fix-the-missing-error-handling.patch b/queue-5.15/alsa-sis7019-fix-the-missing-error-handling.patch
new file mode 100644
index 00000000000..22bce0dd200
--- /dev/null
+++ b/queue-5.15/alsa-sis7019-fix-the-missing-error-handling.patch
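Review bot: The kernel-doc for `snd_card_free_on_error()` in sound/core/init.c does not say what the helper returns or what it does when no managed card is found. The body returns `ret` unchanged on every path and silently skips the free when `devres_find()` finds no `__snd_card_release` entry, so a caller that passes a device whose card was not created through `snd_devm_card_new()` gets no early free and no diagnostic. I would add `Return: @ret unchanged; zero means the probe succeeded and nothing is freed.` and one sentence stating that @dev must be the device that was passed to snd_devm_card_new(). The result of `snd_card_free()` is also dropped; a short comment saying that this is deliberate would help, since the probe's own error code is the one worth reporting.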
@@ -0,0 +1,60 @@
+From 2236a3243ff8291e97c70097dd11a0fdb8904380 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 12 Apr 2022 12:26:24 +0200
+Subject: ALSA: sis7019: Fix the missing error handling
+
+From: Takashi Iwai
+
+commit 2236a3243ff8291e97c70097dd11a0fdb8904380 upstream.
+
+The previous cleanup with devres forgot to replace the snd_card_free()
+call with the devm version. Moreover, it still needs the manual call
+of snd_card_free() at the probe error path, otherwise the reverse
+order of the releases may happen. This patch addresses those issues.
+
+Fixes: 499ddc16394c ("ALSA: sis7019: Allocate resources with device-managed APIs")
+Cc:
+Link: https://lore.kernel.org/r/20220412102636.16000-28-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/sis7019.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/sis7019.c
++++ b/sound/pci/sis7019.c
+@@ -1331,8 +1331,8 @@ static int sis_chip_create(struct snd_ca
+ return 0;
+ }
+
+-static int snd_sis7019_probe(struct pci_dev *pci,
+- const struct pci_device_id *pci_id)
++static int __snd_sis7019_probe(struct pci_dev *pci,
++ const struct pci_device_id *pci_id)
+ {
+ struct snd_card *card;
+ struct sis7019 *sis;
+@@ -1352,8 +1352,8 @@ static int snd_sis7019_probe(struct pci_
+ if (!codecs)
+ codecs = SIS_PRIMARY_CODEC_PRESENT;
+
+- rc = snd_card_new(&pci->dev, index, id, THIS_MODULE,
+- sizeof(*sis), &card);
++ rc = snd_devm_card_new(&pci->dev, index, id, THIS_MODULE,
++ sizeof(*sis), &card);
+ if (rc < 0)
+ return rc;
+
+@@ -1386,6 +1386,12 @@ static int snd_sis7019_probe(struct pci_
+ return 0;
+ }
+
++static int snd_sis7019_probe(struct pci_dev *pci,
++ const struct pci_device_id *pci_id)
++{
++ return snd_card_free_on_error(&pci->dev, __snd_sis7019_probe(pci, pci_id));
++}
++
+ static struct pci_driver sis7019_driver = {
+ .name = KBUILD_MODNAME,
+ .id_table = snd_sis7019_ids,
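Review bot: The new `snd_sis7019_probe()` wrapper at the end of the patch carries no comment explaining why the probe is split in two, and the reason is a release-ordering requirement rather than style. Per the commit text, the card has to be freed explicitly on a probe error because devres would otherwise release things in the reverse order; a later cleanup that folds `__snd_sis7019_probe()` back into the wrapper would quietly reintroduce that ordering. I would put `/* On probe failure free the card before devres unwinds the other resources. */` above the wrapper. The body of `__snd_sis7019_probe()` between the second and third hunks is outside the patch context, so whether any error path there still frees the card by hand cannot be checked from here.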
diff --git a/queue-5.15/btrfs-release-correct-delalloc-amount-in-direct-io-write-path.patch b/queue-5.15/btrfs-release-correct-delalloc-amount-in-direct-io-write-path.patch
new file mode 100644
index 00000000000..7a377feda7e
--- /dev/null
+++ b/queue-5.15/btrfs-release-correct-delalloc-amount-in-direct-io-write-path.patch
@@ -0,0 +1,107 @@
+From 6d82ad13c4110e73c7b0392f00534a1502a1b520 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota
+Date: Mon, 28 Mar 2022 21:32:05 +0900
+Subject: btrfs: release correct delalloc amount in direct IO write path
+
+From: Naohiro Aota
+
+commit 6d82ad13c4110e73c7b0392f00534a1502a1b520 upstream.
+
+Running generic/406 causes the following WARNING in btrfs_destroy_inode()
+which tells there are outstanding extents left.
+
+In btrfs_get_blocks_direct_write(), we reserve a temporary outstanding
+extents with btrfs_delalloc_reserve_metadata() (or indirectly from
+btrfs_delalloc_reserve_space(()). We then release the outstanding extents
+with btrfs_delalloc_release_extents(). However, the "len" can be modified
+in the COW case, which releases fewer outstanding extents than expected.
+
+Fix it by calling btrfs_delalloc_release_extents() for the original length.
+
+To reproduce the warning, the filesystem should be 1 GiB. It's
+triggering a short-write, due to not being able to allocate a large
+extent and instead allocating a smaller one.
+
+ WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]
+ Modules linked in: btrfs blake2b_generic xor lzo_compress
+ lzo_decompress raid6_pq zstd zstd_decompress zstd_compress xxhash zram
+ zsmalloc
+ CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014
+ RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]
+ RSP: 0018:ffffc9000327bda8 EFLAGS: 00010206
+ RAX: 0000000000000000 RBX: ffff888100548b78 RCX: 0000000000000000
+ RDX: 0000000000026900 RSI: 0000000000000000 RDI: ffff888100548b78
+ RBP: ffff888100548940 R08: 0000000000000000 R09: ffff88810b48aba8
+ R10: 0000000000000001 R11: ffff8881004eb240 R12: ffff88810b48a800
+ R13: ffff88810b48ec08 R14: ffff88810b48ed00 R15: ffff888100490c68
+ FS: 00007f8549ea0b80(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f854a09e733 CR3: 000000010a2e9003 CR4: 0000000000370eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+
+ destroy_inode+0x33/0x70
+ dispose_list+0x43/0x60
+ evict_inodes+0x161/0x1b0
+ generic_shutdown_super+0x2d/0x110
+ kill_anon_super+0xf/0x20
+ btrfs_kill_super+0xd/0x20 [btrfs]
+ deactivate_locked_super+0x27/0x90
+ cleanup_mnt+0x12c/0x180
+ task_work_run+0x54/0x80
+ exit_to_user_mode_prepare+0x152/0x160
+ syscall_exit_to_user_mode+0x12/0x30
+ do_syscall_64+0x42/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f854a000fb7
+
+Fixes: f0bfa76a11e9 ("btrfs: fix ENOSPC failure when attempting direct IO write into NOCOW range")
+CC: stable@vger.kernel.org # 5.17
+Reviewed-by: Johannes Thumshirn
+Tested-by: Johannes Thumshirn
+Reviewed-by: Filipe Manana
+Signed-off-by: Naohiro Aota
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -7772,6 +7772,7 @@ static int btrfs_get_blocks_direct_write
+ u64 block_start, orig_start, orig_block_len, ram_bytes;
+ bool can_nocow = false;
+ bool space_reserved = false;
++ u64 prev_len;
+ int ret = 0;
+
+ /*
+@@ -7799,6 +7800,7 @@ static int btrfs_get_blocks_direct_write
+ can_nocow = true;
+ }
+
++ prev_len = len;
+ if (can_nocow) {
+ struct extent_map *em2;
+
+@@ -7828,8 +7830,6 @@ static int btrfs_get_blocks_direct_write
+ goto out;
+ }
+ } else {
+- const u64 prev_len = len;
+-
+ /* Our caller expects us to free the input extent map. */
+ free_extent_map(em);
+ *map = NULL;
+@@ -7860,7 +7860,7 @@ static int btrfs_get_blocks_direct_write
+ * We have created our ordered extent, so we can now release our reservation
+ * for an outstanding extent.
+ */
+- btrfs_delalloc_release_extents(BTRFS_I(inode), len);
++ btrfs_delalloc_release_extents(BTRFS_I(inode), prev_len);
+
+ /*
+ * Need to update the i_size under the extent lock so buffered
diff --git a/queue-5.15/series b/queue-5.15/series
index 1fee074ef5e..db9b5d78732 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -12,3 +12,6 @@ btrfs-remove-unused-variable-in-btrfs_-start-write-_dirty_block_groups.patch
 soc-qcom-aoss-expose-send-for-generic-usecase.patch
 dt-bindings-net-qcom-ipa-add-optional-qcom-qmp-property.patch
 net-ipa-request-ipa-register-values-be-retained.patch
+btrfs-release-correct-delalloc-amount-in-direct-io-write-path.patch
+alsa-core-add-snd_card_free_on_error-helper.patch
+alsa-sis7019-fix-the-missing-error-handling.patch
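Review bot: `prev_len = len;` in btrfs_get_blocks_direct_write() is now set ahead of the `if (can_nocow)` branch without a comment, and the variable lost the `const` that protected it in the old `else` scope. Since the whole fix depends on `prev_len` keeping the length the reservation was made for while `len` may be changed later, I would state that at the assignment: `/* Length the reservation was made for; len may be shortened below. */`. The comment above `btrfs_delalloc_release_extents()` in the last hunk could likewise say that the release uses the original length. The function starts and ends outside these hunks, so the reservation call itself is not visible here and the pairing is taken from the commit message.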