From: Greg Kroah-Hartman Date: Mon, 14 Jun 2021 08:49:26 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v4.4.273~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3a0720e123c122dad85581215fde12f804dab48;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch scsi-core-fix-error-handling-of-scsi_host_alloc.patch scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch
---
diff --git a/queue-5.12/nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch b/queue-5.12/nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch
new file mode 100644
index 00000000000..254962b3510
--- /dev/null
+++ b/queue-5.12/nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch
@@ -0,0 +1,44 @@
+From c3aba897c6e67fa464ec02b1f17911577d619713 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Tue, 1 Jun 2021 11:35:56 -0400
+Subject: NFSv4: Fix second deadlock in nfs4_evict_inode()
+
+From: Trond Myklebust
+
+commit c3aba897c6e67fa464ec02b1f17911577d619713 upstream.
+
+If the inode is being evicted but has to return a layout first, then
+that too can cause a deadlock in the corner case where the server
+reboots.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -9630,15 +9630,20 @@ int nfs4_proc_layoutreturn(struct nfs4_l
+ &task_setup_data.rpc_client, &msg);
+
+ dprintk("--> %s\n", __func__);
++ lrp->inode = nfs_igrab_and_active(lrp->args.inode);
+ if (!sync) {
+- lrp->inode = nfs_igrab_and_active(lrp->args.inode);
+ if (!lrp->inode) {
+ nfs4_layoutreturn_release(lrp);
+ return -EAGAIN;
+ }
+ task_setup_data.flags |= RPC_TASK_ASYNC;
+ }
+- nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, 0);
++ if (!lrp->inode)
++ nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
++ 1);
++ else
++ nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1,
++ 0);
+ task = rpc_run_task(&task_setup_data);
+ if (IS_ERR(task))
+ return PTR_ERR(task);
diff --git a/queue-5.12/nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch b/queue-5.12/nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch
new file mode 100644
index 00000000000..fe8ac698416
--- /dev/null
+++ b/queue-5.12/nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch
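Review bot: The two `nfs4_init_sequence()` calls added to `nfs4_proc_layoutreturn()` differ only in their last argument, and nothing in the new code says why a NULL `lrp->inode` on the synchronous path changes it. A comment above the `if (!lrp->inode)` test would carry the deadlock reasoning from the commit message into the source, for example `/* No active inode reference (eviction in progress): use a privileged sequence so the return is not stuck behind state recovery. */`, assuming the fourth parameter is the privileged flag, which this hunk does not show. The pair could then collapse to `nfs4_init_sequence(&lrp->args.seq_args, &lrp->res.seq_res, 1, lrp->inode ? 0 : 1);`. Since `lrp->inode` may now be NULL when the task runs, the release and done callbacks outside this hunk should be confirmed to tolerate that. The function body starts and ends outside the hunk.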
@@ -0,0 +1,62 @@
+From f8849e206ef52b584cd9227255f4724f0cc900bb Mon Sep 17 00:00:00 2001
+From: Dai Ngo
+Date: Wed, 19 May 2021 17:15:10 -0400
+Subject: NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dai Ngo
+
+commit f8849e206ef52b584cd9227255f4724f0cc900bb upstream.
+
+Currently if __nfs4_proc_set_acl fails with NFS4ERR_BADOWNER it
+re-enables the idmapper by clearing NFS_CAP_UIDGID_NOMAP before
+retrying again. The NFS_CAP_UIDGID_NOMAP remains cleared even if
+the retry fails. This causes problem for subsequent setattr
+requests for v4 server that does not have idmapping configured.
+
+This patch modifies nfs4_proc_set_acl to detect NFS4ERR_BADOWNER
+and NFS4ERR_BADNAME and skips the retry, since the kernel isn't
+involved in encoding the ACEs, and return -EINVAL.
+
+Steps to reproduce the problem:
+
+ # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
+ # touch /tmp/mnt/file1
+ # chown 99 /tmp/mnt/file1
+ # nfs4_setfacl -a A::unknown.user@xyz.com:wrtncy /tmp/mnt/file1
+ Failed setxattr operation: Invalid argument
+ # chown 99 /tmp/mnt/file1
+ chown: changing ownership of ‘/tmp/mnt/file1’: Invalid argument
+ # umount /tmp/mnt
+ # mount -o vers=4.1,sec=sys server:/export/test /tmp/mnt
+ # chown 99 /tmp/mnt/file1
+ #
+
+v2: detect NFS4ERR_BADOWNER and NFS4ERR_BADNAME and skip retry
+ in nfs4_proc_set_acl.
+Signed-off-by: Dai Ngo
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfs/nfs4proc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5944,6 +5944,14 @@ static int nfs4_proc_set_acl(struct inod
+ do {
+ err = __nfs4_proc_set_acl(inode, buf, buflen);
+ trace_nfs4_set_acl(inode, err);
++ if (err == -NFS4ERR_BADOWNER || err == -NFS4ERR_BADNAME) {
++ /*
++ * no need to retry since the kernel
++ * isn't involved in encoding the ACEs.
++ */
++ err = -EINVAL;
++ break;
++ }
+ err = nfs4_handle_exception(NFS_SERVER(inode), err,
+ &exception);
+ } while (exception.retry);
diff --git a/queue-5.12/scsi-core-fix-error-handling-of-scsi_host_alloc.patch b/queue-5.12/scsi-core-fix-error-handling-of-scsi_host_alloc.patch
new file mode 100644
index 00000000000..0ccf641d2c5
--- /dev/null
+++ b/queue-5.12/scsi-core-fix-error-handling-of-scsi_host_alloc.patch
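Review bot: The comment inside the new `NFS4ERR_BADOWNER`/`NFS4ERR_BADNAME` branch of `nfs4_proc_set_acl()` gives only half of the reason for the early `break`. The commit message's main point is that the retry path clears `NFS_CAP_UIDGID_NOMAP` and leaves it cleared, which then breaks later setattr requests against a server without idmapping. I would extend the comment to record that, e.g. `* Do not go through the retry path: it re-enables the idmapper by clearing NFS_CAP_UIDGID_NOMAP, and the ACEs are encoded by userspace, not the kernel.` Without that sentence a later cleanup could fold the check back into `nfs4_handle_exception()` and reintroduce the capability change. The function body starts and ends outside the hunk.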
@@ -0,0 +1,83 @@
+From 66a834d092930cf41d809c0e989b13cd6f9ca006 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 2 Jun 2021 21:30:26 +0800
+Subject: scsi: core: Fix error handling of scsi_host_alloc()
+
+From: Ming Lei
+
+commit 66a834d092930cf41d809c0e989b13cd6f9ca006 upstream.
+
+After device is initialized via device_initialize(), or its name is set via
+dev_set_name(), the device has to be freed via put_device(). Otherwise
+device name will be leaked because it is allocated dynamically in
+dev_set_name().
+
+Fix the leak by replacing kfree() with put_device(). Since
+scsi_host_dev_release() properly handles IDA and kthread removal, remove
+special-casing these from the error handling as well.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-2-ming.lei@redhat.com
+Cc: Bart Van Assche
+Cc: John Garry
+Cc: Hannes Reinecke
+Tested-by: John Garry
+Reviewed-by: Bart Van Assche
+Reviewed-by: John Garry
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Ming Lei
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hosts.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -392,8 +392,10 @@ struct Scsi_Host *scsi_host_alloc(struct
+ mutex_init(&shost->scan_mutex);
+
+ index = ida_simple_get(&host_index_ida, 0, 0, GFP_KERNEL);
+- if (index < 0)
+- goto fail_kfree;
++ if (index < 0) {
++ kfree(shost);
++ return NULL;
++ }
+ shost->host_no = index;
+
+ shost->dma_channel = 0xff;
+@@ -486,7 +488,7 @@ struct Scsi_Host *scsi_host_alloc(struct
+ shost_printk(KERN_WARNING, shost,
+ "error handler thread failed to spawn, error = %ld\n",
+ PTR_ERR(shost->ehandler));
+- goto fail_index_remove;
++ goto fail;
+ }
+
+ shost->tmf_work_q = alloc_workqueue("scsi_tmf_%d",
+@@ -495,17 +497,18 @@ struct Scsi_Host *scsi_host_alloc(struct
+ if (!shost->tmf_work_q) {
+ shost_printk(KERN_WARNING, shost,
+ "failed to create tmf workq\n");
+- goto fail_kthread;
++ goto fail;
+ }
+ scsi_proc_hostdir_add(shost->hostt);
+ return shost;
++ fail:
++ /*
++ * Host state is still SHOST_CREATED and that is enough to release
++ * ->shost_gendev. scsi_host_dev_release() will free
++ * dev_name(&shost->shost_dev).
++ */
++ put_device(&shost->shost_gendev);
+
+- fail_kthread:
+- kthread_stop(shost->ehandler);
+- fail_index_remove:
+- ida_simple_remove(&host_index_ida, shost->host_no);
+- fail_kfree:
+- kfree(shost);
+ return NULL;
+ }
+ EXPORT_SYMBOL(scsi_host_alloc);
diff --git a/queue-5.12/scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch b/queue-5.12/scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch
new file mode 100644
index 00000000000..d41a200d301
--- /dev/null
+++ b/queue-5.12/scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch
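Review bot: On the error-handler thread failure path in the second hunk of `scsi_host_alloc()`, `shost->ehandler` still holds an error pointer (the warning prints `PTR_ERR(shost->ehandler)`) when the code jumps to `fail:` and hands cleanup to `scsi_host_dev_release()` via `put_device(&shost->shost_gendev)`. The release handler is not shown in this patch, but the commit message says it performs the kthread removal; if it only tests `shost->ehandler` for non-NULL, it would pass that error pointer to `kthread_stop()`. Clearing the field before the jump closes that off: `shost->ehandler = NULL;` directly above `goto fail;`. Separately, the early `kfree(shost); return NULL;` after `ida_simple_get()` would benefit from a one-line comment stating that the embedded device has not been initialized at that point, which the hunk implies but does not show.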
@@ -0,0 +1,75 @@
+From 3719f4ff047e20062b8314c23ec3cab84d74c908 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 2 Jun 2021 21:30:27 +0800
+Subject: scsi: core: Fix failure handling of scsi_add_host_with_dma()
+
+From: Ming Lei
+
+commit 3719f4ff047e20062b8314c23ec3cab84d74c908 upstream.
+
+When scsi_add_host_with_dma() returns failure, the caller will call
+scsi_host_put(shost) to release everything allocated for this host
+instance. Consequently we can't also free allocated stuff in
+scsi_add_host_with_dma(), otherwise we will end up with a double free.
+
+Strictly speaking, host resource allocations should have been done in
+scsi_host_alloc(). However, the allocations may need information which is
+not yet provided by the driver when that function is called. So leave the
+allocations where they are but rely on host device's release handler to
+free resources.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-3-ming.lei@redhat.com
+Cc: Bart Van Assche
+Cc: John Garry
+Cc: Hannes Reinecke
+Tested-by: John Garry
+Reviewed-by: Bart Van Assche
+Reviewed-by: John Garry
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Ming Lei
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hosts.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -278,23 +278,22 @@ int scsi_add_host_with_dma(struct Scsi_H
+
+ if (!shost->work_q) {
+ error = -EINVAL;
+- goto out_free_shost_data;
++ goto out_del_dev;
+ }
+ }
+
+ error = scsi_sysfs_add_host(shost);
+ if (error)
+- goto out_destroy_host;
++ goto out_del_dev;
+
+ scsi_proc_host_add(shost);
+ scsi_autopm_put_host(shost);
+ return error;
+
+- out_destroy_host:
+- if (shost->work_q)
+- destroy_workqueue(shost->work_q);
+- out_free_shost_data:
+- kfree(shost->shost_data);
++ /*
++ * Any host allocation in this function will be freed in
++ * scsi_host_dev_release().
++ */
+ out_del_dev:
+ device_del(&shost->shost_dev);
+ out_del_gendev:
+@@ -304,7 +303,6 @@ int scsi_add_host_with_dma(struct Scsi_H
+ pm_runtime_disable(&shost->shost_gendev);
+ pm_runtime_set_suspended(&shost->shost_gendev);
+ pm_runtime_put_noidle(&shost->shost_gendev);
+- scsi_mq_destroy_tags(shost);
+ fail:
+ return error;
+ }
diff --git a/queue-5.12/scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch b/queue-5.12/scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch
new file mode 100644
index 00000000000..526289f3758
--- /dev/null
+++ b/queue-5.12/scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch
@@ -0,0 +1,37 @@
+From 1e0d4e6225996f05271de1ebcb1a7c9381af0b27 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 2 Jun 2021 21:30:29 +0800
+Subject: scsi: core: Only put parent device if host state differs from SHOST_CREATED
+
+From: Ming Lei
+
+commit 1e0d4e6225996f05271de1ebcb1a7c9381af0b27 upstream.
+
+get_device(shost->shost_gendev.parent) is called after host state has
+switched to SHOST_RUNNING. scsi_host_dev_release() shouldn't release the
+parent device if host state is still SHOST_CREATED.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-5-ming.lei@redhat.com
+Cc: Bart Van Assche
+Cc: John Garry
+Cc: Hannes Reinecke
+Tested-by: John Garry
+Reviewed-by: John Garry
+Signed-off-by: Ming Lei
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hosts.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -347,7 +347,7 @@ static void scsi_host_dev_release(struct
+
+ ida_simple_remove(&host_index_ida, shost->host_no);
+
+- if (parent)
++ if (shost->shost_state != SHOST_CREATED)
+ put_device(parent);
+ kfree(shost);
+ }
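Review bot: After this change `scsi_add_host_with_dma()` can return an error while `shost->work_q`, `shost->shost_data` and the tag set are still allocated, so correctness now depends on every caller invoking `scsi_host_put()` on failure. The new comment above `out_del_dev:` records where the memory is eventually freed but not that obligation on the caller. I would add it to the function's header comment, which is outside this hunk, e.g. `* On failure the caller must call scsi_host_put(); nothing allocated here is freed on the error path.` A driver that treats a failed add as needing no cleanup would leak these allocations, and one that frees the host directly would bypass the release handler.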
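Review bot: The new test in `scsi_host_dev_release()` ties the parent `put_device()` to the host state rather than to the reference itself, and the code carries no comment explaining that link. A line such as `/* The parent reference is only taken once the host has left SHOST_CREATED. */` above the `if` would record the invariant stated in the commit message. It is also worth confirming, outside this hunk, that no path moves `shost_state` away from `SHOST_CREATED` without having taken the parent reference, since that would now drop a reference that was never acquired. The removed `if (parent)` guard is safe only because `put_device()` ignores a NULL argument, which could be noted in the same comment.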
diff --git a/queue-5.12/scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch b/queue-5.12/scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch
new file mode 100644
index 00000000000..8c7d268b1fb
--- /dev/null
+++ b/queue-5.12/scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch
@@ -0,0 +1,60 @@
+From 11714026c02d613c30a149c3f4c4a15047744529 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Wed, 2 Jun 2021 21:30:28 +0800
+Subject: scsi: core: Put .shost_dev in failure path if host state changes to RUNNING
+
+From: Ming Lei
+
+commit 11714026c02d613c30a149c3f4c4a15047744529 upstream.
+
+scsi_host_dev_release() only frees dev_name when host state is
+SHOST_CREATED. After host state has changed to SHOST_RUNNING,
+scsi_host_dev_release() no longer cleans up.
+
+Fix this by doing a put_device(&shost->shost_dev) in the failure path when
+host state is SHOST_RUNNING. Move get_device(&shost->shost_gendev) before
+device_add(&shost->shost_dev) so that scsi_host_cls_release() can do a put
+on this reference.
+
+Link: https://lore.kernel.org/r/20210602133029.2864069-4-ming.lei@redhat.com
+Cc: Bart Van Assche
+Cc: Hannes Reinecke
+Reported-by: John Garry
+Tested-by: John Garry
+Reviewed-by: John Garry
+Reviewed-by: Hannes Reinecke
+Signed-off-by: Ming Lei
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/hosts.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -254,12 +254,11 @@ int scsi_add_host_with_dma(struct Scsi_H
+
+ device_enable_async_suspend(&shost->shost_dev);
+
++ get_device(&shost->shost_gendev);
+ error = device_add(&shost->shost_dev);
+ if (error)
+ goto out_del_gendev;
+
+- get_device(&shost->shost_gendev);
+-
+ if (shost->transportt->host_size) {
+ shost->shost_data = kzalloc(shost->transportt->host_size,
+ GFP_KERNEL);
+@@ -297,6 +296,11 @@ int scsi_add_host_with_dma(struct Scsi_H
+ out_del_dev:
+ device_del(&shost->shost_dev);
+ out_del_gendev:
++ /*
++ * Host state is SHOST_RUNNING so we have to explicitly release
++ * ->shost_dev.
++ */
++ put_device(&shost->shost_dev);
+ device_del(&shost->shost_gendev);
+ out_disable_runtime_pm:
+ device_disable_async_suspend(&shost->shost_gendev);
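Review bot: The new `put_device(&shost->shost_dev)` sits under `out_del_gendev:`, which is reached both by falling through from `out_del_dev:` and directly when `device_add(&shost->shost_dev)` fails, and its comment does not say that this put is also what drops the `shost_gendev` reference taken by the hoisted `get_device()`. Per the commit message that second put happens in `scsi_host_cls_release()`, which is outside the hunk, so the pairing is invisible at both sites. I would add `/* Paired with the put in scsi_host_cls_release(). */` above the moved `get_device(&shost->shost_gendev);` and mention the same in the comment at `out_del_gendev:`. Without it, a later reorder that puts `get_device()` back after `device_add()` would reintroduce an unbalanced put on the early failure path.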
diff --git a/queue-5.12/series b/queue-5.12/series
index 3a3adcf3ea4..66464e70d55 100644
--- a/queue-5.12/series
+++ b/queue-5.12/series
@@ -165,3 +165,9 @@ pinctrl-qcom-make-it-possible-to-select-sc8180x-tlmm.patch
 perf-session-correct-buffer-copying-when-peeking-eve.patch
 kvm-fix-previous-commit-for-32-bit-builds.patch
 nfs-fix-use-after-free-in-nfs4_init_client.patch
+nfsv4-fix-second-deadlock-in-nfs4_evict_inode.patch
+nfsv4-nfs4_proc_set_acl-needs-to-restore-nfs_cap_uidgid_nomap-on-error.patch
+scsi-core-fix-error-handling-of-scsi_host_alloc.patch
+scsi-core-fix-failure-handling-of-scsi_add_host_with_dma.patch
+scsi-core-put-.shost_dev-in-failure-path-if-host-state-changes-to-running.patch
+scsi-core-only-put-parent-device-if-host-state-differs-from-shost_created.patch