From: Greg Kroah-Hartman Date: Mon, 14 Jul 2025 09:12:19 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.188~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=edcc963f4370150debffb8a0a6dd884df0369b5c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch smb-server-make-use-of-rdma_destroy_qp.patch
---
diff --git a/queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch b/queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
new file mode 100644
index 0000000000..fd865bf043
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
@@ -0,0 +1,34 @@
+From 277627b431a0a6401635c416a21b2a0f77a77347 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 6 Jul 2025 02:26:45 +0100
+Subject: ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()
+
+From: Al Viro
+
+commit 277627b431a0a6401635c416a21b2a0f77a77347 upstream.
+
+If the call of ksmbd_vfs_lock_parent() fails, we drop the parent_path
+references and return an error. We need to drop the write access we
+just got on parent_path->mnt before we drop the mount reference - callers
+assume that ksmbd_vfs_kern_path_locked() returns with mount write
+access grabbed if and only if it has returned 0.
+
+Fixes: 864fb5d37163 ("ksmbd: fix possible deadlock in smb2_open")
+Signed-off-by: Al Viro
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/vfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -1283,6 +1283,7 @@ out1:
+
+ err = ksmbd_vfs_lock_parent(parent_path->dentry, path->dentry);
+ if (err) {
++ mnt_drop_write(parent_path->mnt);
+ path_put(path);
+ path_put(parent_path);
+ }
diff --git a/queue-6.1/series b/queue-6.1/series
index 5bd88623f1..4d1c347f17 100644
--- a/queue-6.1/series
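Review bot: The added `mnt_drop_write(parent_path->mnt);` in the `if (err)` branch after `ksmbd_vfs_lock_parent()` relies on an ordering the code does not state: write access has to be released while the mount reference is still held, that is, before `path_put(parent_path)`. A one-line comment above the call, such as `/* drop write access before path_put() releases the mount reference */`, would keep a later cleanup from reordering the three calls. The embedded hunk starts at the `out1:` label and does not show where write access on `parent_path->mnt` is taken, so whether every path reaching `out1:` holds it has to be checked against the 6.1 version of `ksmbd_vfs_kern_path_locked()` rather than from this patch alone.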
+++ b/queue-6.1/series
@@ -38,3 +38,5 @@ revert-acpi-battery-negate-current-when-discharging.patch
 kallsyms-fix-build-without-execinfo.patch
 maple_tree-fix-mt_destroy_walk-on-root-leaf-node.patch
 pwm-mediatek-ensure-to-disable-clocks-in-error-path.patch
+smb-server-make-use-of-rdma_destroy_qp.patch
+ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
diff --git a/queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch b/queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch
new file mode 100644
index 0000000000..27d420c690
--- /dev/null
+++ b/queue-6.1/smb-server-make-use-of-rdma_destroy_qp.patch
@@ -0,0 +1,67 @@
+From 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 2 Jul 2025 09:18:05 +0200
+Subject: smb: server: make use of rdma_destroy_qp()
+
+From: Stefan Metzmacher
+
+commit 0c2b53997e8f5e2ec9e0fbd17ac0436466b65488 upstream.
+
+The qp is created by rdma_create_qp() as t->cm_id->qp
+and t->qp is just a shortcut.
+
+rdma_destroy_qp() also calls ib_destroy_qp(cm_id->qp) internally,
+but it is protected by a mutex, clears the cm_id and also calls
+trace_cm_qp_destroy().
+
+This should make the tracing more useful as both
+rdma_create_qp() and rdma_destroy_qp() are traces and it makes
+the code look more sane as functions from the same layer are used
+for the specific qp object.
+
+trace-cmd stream -e rdma_cma:cm_qp_create -e rdma_cma:cm_qp_destroy
+shows this now while doing a mount and unmount from a client:
+
+ <...>-80 [002] 378.514182: cm_qp_create: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 pd.id=0 qp_type=RC send_wr=867 recv_wr=255 qp_num=1 rc=0
+ <...>-6283 [001] 381.686172: cm_qp_destroy: cm.id=1 src=172.31.9.167:5445 dst=172.31.9.166:37113 tos=0 qp_num=1
+
+Before we only saw the first line.
+
+Cc: Namjae Jeon
+Cc: Steve French
+Cc: Sergey Senozhatsky
+Cc: Hyunchul Lee
+Cc: Tom Talpey
+Cc: linux-cifs@vger.kernel.org
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Tom Talpey
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/transport_rdma.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -426,7 +426,8 @@ static void free_transport(struct smb_di
+ if (t->qp) {
+ ib_drain_qp(t->qp);
+ ib_mr_pool_destroy(t->qp, &t->qp->rdma_mrs);
+- ib_destroy_qp(t->qp);
++ t->qp = NULL;
++ rdma_destroy_qp(t->cm_id);
+ }
+
+ ksmbd_debug(RDMA, "drain the reassembly queue\n");
+@@ -1934,8 +1935,8 @@ static int smb_direct_create_qpair(struc
+ return 0;
+ err:
+ if (t->qp) {
+- ib_destroy_qp(t->qp);
+ t->qp = NULL;
++ rdma_destroy_qp(t->cm_id);
+ }
+ if (t->recv_cq) {
+ ib_destroy_cq(t->recv_cq);
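Review bot: In both `free_transport()` and the `err:` path of `smb_direct_create_qpair()` the guard still tests `t->qp` while the destroy call now operates on `t->cm_id`, and nothing in the visible code says why the two always go together. The commit message explains that `t->qp` is only a shortcut for `t->cm_id->qp`; that invariant belongs next to the code, for example `/* t->qp aliases t->cm_id->qp; clear the alias, then let the CM layer destroy the QP */` above `t->qp = NULL;`. Clearing the alias before the destroy avoids leaving a stale pointer behind, but anything later in either function that still reads `t->qp` will now see NULL. Both functions continue outside the embedded hunks, so that, and `t->cm_id` still being valid when these blocks run, should be confirmed against the 6.1 tree.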