From edba87c9a44d83d5101c5d48a3841db21a184c66 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 24 Jan 2022 16:43:46 +0100
Subject: [PATCH] 4.14-stable patches added patches: drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch
---
 ...tt-destroy-callback-on-alloc-failure.patch | 71 +++++++++++++++++++
 queue-4.14/fuse-fix-bad-inode.patch | 67 ++++++++++++++---
 .../fuse-fix-live-lock-in-fuse_iget.patch | 13 ++--
 queue-4.14/series | 5 +-
 4 files changed, 138 insertions(+), 18 deletions(-)
 create mode 100644 queue-4.14/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch
diff --git a/queue-4.14/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch b/queue-4.14/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch
new file mode 100644
index 00000000000..76b932b2b28
--- /dev/null
+++ b/queue-4.14/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch
@@ -0,0 +1,71 @@
+From 5de5b6ecf97a021f29403aa272cb4e03318ef586 Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Tue, 28 Jul 2020 14:17:36 +1000
+Subject: drm/ttm/nouveau: don't call tt destroy callback on alloc failure.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dave Airlie
+
+commit 5de5b6ecf97a021f29403aa272cb4e03318ef586 upstream.
+
+This is confusing, and from my reading of all the drivers only
+nouveau got this right.
+
+Just make the API act under driver control of it's own allocation
+failing, and don't call destroy, if the page table fails to
+create there is nothing to cleanup here.
+
+(I'm willing to believe I've missed something here, so please
+review deeply).
+
+Reviewed-by: Christian König
+Signed-off-by: Dave Airlie
+Link: https://patchwork.freedesktop.org/patch/msgid/20200728041736.20689-1-airlied@gmail.com
+[bwh: Backported to 4.14:
+ - Drop change in ttm_sg_tt_init()
+ - Adjust context]
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nouveau_sgdma.c | 9 +++------
+ drivers/gpu/drm/ttm/ttm_tt.c | 2 --
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_sgdma.c
++++ b/drivers/gpu/drm/nouveau/nouveau_sgdma.c
+@@ -106,12 +106,9 @@ nouveau_sgdma_create_ttm(struct ttm_bo_d
+ else
+ nvbe->ttm.ttm.func = &nv50_sgdma_backend;
+
+- if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page))
+- /*
+- * A failing ttm_dma_tt_init() will call ttm_tt_destroy()
+- * and thus our nouveau_sgdma_destroy() hook, so we don't need
+- * to free nvbe here.
+- */
++ if (ttm_dma_tt_init(&nvbe->ttm, bdev, size, page_flags, dummy_read_page)) {
++ kfree(nvbe);
+ return NULL;
++ }
+ return &nvbe->ttm.ttm;
+ }
+--- a/drivers/gpu/drm/ttm/ttm_tt.c
++++ b/drivers/gpu/drm/ttm/ttm_tt.c
+@@ -199,7 +199,6 @@ int ttm_tt_init(struct ttm_tt *ttm, stru
+
+ ttm_tt_alloc_page_directory(ttm);
+ if (!ttm->pages) {
+- ttm_tt_destroy(ttm);
+ pr_err("Failed allocating page table\n");
+ return -ENOMEM;
+ }
+@@ -232,7 +231,6 @@ int ttm_dma_tt_init(struct ttm_dma_tt *t
+ INIT_LIST_HEAD(&ttm_dma->pages_list);
+ ttm_dma_tt_alloc_page_directory(ttm_dma);
+ if (!ttm->pages) {
+- ttm_tt_destroy(ttm);
+ pr_err("Failed allocating page table\n");
+ return -ENOMEM;
+ }
diff --git a/queue-4.14/fuse-fix-bad-inode.patch b/queue-4.14/fuse-fix-bad-inode.patch
index 454f065cb0a..c5789f46bee 100644
--- a/queue-4.14/fuse-fix-bad-inode.patch
+++ b/queue-4.14/fuse-fix-bad-inode.patch
@@ -1,7 +1,11 @@
-From 5d069dbe8aaf2a197142558b6fb2978189ba3454 Mon Sep 17 00:00:00 2001
-From: Miklos Szeredi
-Date: Thu, 10 Dec 2020 15:33:14 +0100
+From foo@baz Mon Jan 24 04:40:51 PM CET 2022
+From: Ben Hutchings
+Date: Mon, 24 Jan 2022 16:17:18 +0100
 Subject: fuse: fix bad inode
+To: stable@vger.kernel.org
+Cc: Miklos Szeredi , Jan Kara
+Message-ID:
+Content-Disposition: inline
 
 From: Miklos Szeredi
 
@@ -29,17 +33,21 @@ Reported-by: syzbot+f427adf9324b92652ccc@syzkaller.appspotmail.com Signed-off-by: Miklos Szeredi Tested-by: Jan Kara Cc: -[adjusted for missing fs/fuse/readdir.c and changes in fuse_evict_inode() in 4.14] -Signed-off-by: Samuel Mendoza-Jonas +[bwh: Backported to 4.19: + - Drop changes in fuse_dir_fsync(), fuse_readahead(), fuse_evict_inode() + - In fuse_get_link(), return ERR_PTR(-EIO) for bad inodes + - Convert some additional calls to is_bad_inode() + - Adjust filename, context] +Signed-off-by: Ben Hutchings
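Review bot: The two ttm_tt.c hunks change the failure contract of ttm_tt_init() and ttm_dma_tt_init() without recording it anywhere: both now return -ENOMEM without calling ttm_tt_destroy(), so the containing object stays owned by the caller. Only nouveau_sgdma_create_ttm() is adjusted in this patch (it now does `kfree(nvbe);` before `return NULL;`). The other 4.14 callers of these two functions are not visible here, and each should be confirmed to free its backend object exactly once on this path. A caller that relied on the old destroy callback would now leak, and, going by the commit message, callers that already freed were presumably freeing twice before. I would add a comment above both functions such as `/* On failure nothing is destroyed; the caller frees its own allocation. */`. All three function bodies continue outside the hunks.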
Signed-off-by: Greg Kroah-Hartman --- fs/fuse/acl.c | 6 ++++++ - fs/fuse/dir.c | 37 ++++++++++++++++++++++++++++++++----- - fs/fuse/file.c | 21 +++++++++++++++------ + fs/fuse/dir.c | 40 +++++++++++++++++++++++++++++++++++----- + fs/fuse/file.c | 27 ++++++++++++++++++--------- fs/fuse/fuse_i.h | 12 ++++++++++++ fs/fuse/inode.c | 2 +- fs/fuse/xattr.c | 9 +++++++++ - 6 files changed, 75 insertions(+), 12 deletions(-) + 6 files changed, 81 insertions(+), 15 deletions(-) --- a/fs/fuse/acl.c +++ b/fs/fuse/acl.c @@ -171,7 +179,17 @@ Signed-off-by: Greg Kroah-Hartman return -EIO; req = fuse_get_req(fc, 1); -@@ -1703,7 +1724,7 @@ int fuse_do_setattr(struct dentry *dentr +@@ -1405,6 +1426,9 @@ static const char *fuse_get_link(struct + if (!dentry) + return ERR_PTR(-ECHILD); + ++ if (fuse_is_bad(inode)) ++ return ERR_PTR(-EIO); ++ + link = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!link) + return ERR_PTR(-ENOMEM); +@@ -1703,7 +1727,7 @@ int fuse_do_setattr(struct dentry *dentr if (fuse_invalid_attr(&outarg.attr) || (inode->i_mode ^ outarg.attr.mode) & S_IFMT) { @@ -180,7 +198,7 @@ Signed-off-by: Greg Kroah-Hartman err = -EIO; goto error; } -@@ -1759,6 +1780,9 @@ static int fuse_setattr(struct dentry *e +@@ -1759,6 +1783,9 @@ static int fuse_setattr(struct dentry *e struct file *file = (attr->ia_valid & ATTR_FILE) ? attr->ia_file : NULL; int ret; @@ -190,7 +208,7 @@ Signed-off-by: Greg Kroah-Hartman if (!fuse_allow_current_process(get_fuse_conn(inode))) return -EACCES; -@@ -1817,6 +1841,9 @@ static int fuse_getattr(const struct pat +@@ -1817,6 +1844,9 @@ static int fuse_getattr(const struct pat struct inode *inode = d_inode(path->dentry); struct fuse_conn *fc = get_fuse_conn(inode); @@ -258,6 +276,15 @@ 
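Review bot: The backport note added in this hunk opens with `[bwh: Backported to 4.19:` although the file lives under queue-4.14/ and the line it replaces referred to 4.14. If the patch was taken over from the 4.19 backport, the note should say so, for example `[bwh: Backported to 4.19; reused for 4.14]`. That lets the listed drops (fuse_dir_fsync(), fuse_readahead(), fuse_evict_inode()) be checked against the tree this queue actually targets.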
Signed-off-by: Greg Kroah-Hartman /* * In auto invalidate mode, always update attributes on read. * Otherwise, only update if we attempt to read past EOF (to ensure +@@ -1127,7 +1133,7 @@ static ssize_t fuse_perform_write(struct + int err = 0; + ssize_t res = 0; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + if (inode->i_size < pos + iov_iter_count(ii)) @@ -1184,6 +1190,9 @@ static ssize_t fuse_file_write_iter(stru ssize_t err; loff_t endbyte = 0; @@ -268,6 +295,24 @@ Signed-off-by: Greg Kroah-Hartman if (get_fuse_conn(inode)->writeback_cache) { /* Update size (EOF optimization) and mode (SUID clearing) */ err = fuse_update_attributes(mapping->host, file); +@@ -1420,7 +1429,7 @@ static ssize_t __fuse_direct_read(struct + ssize_t res; + struct inode *inode = file_inode(io->iocb->ki_filp); + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + res = fuse_direct_io(io, iter, ppos, 0); +@@ -1442,7 +1451,7 @@ static ssize_t fuse_direct_write_iter(st + struct fuse_io_priv io = FUSE_IO_PRIV_SYNC(iocb); + ssize_t res; + +- if (is_bad_inode(inode)) ++ if (fuse_is_bad(inode)) + return -EIO; + + /* Don't allow parallel writes to the same file */ @@ -1916,7 +1925,7 @@ static int fuse_writepages(struct addres int err; diff --git a/queue-4.14/fuse-fix-live-lock-in-fuse_iget.patch b/queue-4.14/fuse-fix-live-lock-in-fuse_iget.patch index ab64dc5ea63..bb3e83a9e8b 100644 --- a/queue-4.14/fuse-fix-live-lock-in-fuse_iget.patch +++ b/queue-4.14/fuse-fix-live-lock-in-fuse_iget.patch @@ -1,7 +1,11 @@ -From 775c5033a0d164622d9d10dd0f0a5531639ed3ed Mon Sep 17 00:00:00 2001 -From: Amir Goldstein -Date: Thu, 4 Mar 2021 11:09:12 +0200 +From foo@baz Mon Jan 24 04:40:51 PM CET 2022 +From: Ben Hutchings +Date: Mon, 24 Jan 2022 16:18:28 +0100 Subject: fuse: fix live lock in fuse_iget() +To: stable@vger.kernel.org +Cc: Amir Goldstein , Miklos Szeredi , Jan Kara +Message-ID: +Content-Disposition: inline From: Amir Goldstein 
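Review bot: The `is_bad_inode(inode)` to `fuse_is_bad(inode)` conversions in fuse_perform_write(), __fuse_direct_read() and fuse_direct_write_iter() are covered in the backport note only as "some additional calls", so it cannot be told from here whether every remaining is_bad_inode() test under fs/fuse in the 4.14 tree was converted. The definition of fuse_is_bad() in fuse_i.h is not shown; if it tests a fuse-private flag rather than the VFS bad-inode state, any call site left on is_bad_inode() would stop returning -EIO for inodes marked bad by the new helper. Running `git grep -n is_bad_inode fs/fuse` on the patched tree and recording the result in the backport note would settle it. The three function bodies continue outside the hunks.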
@@ -32,10 +36,9 @@ kmsg snip: [ ] fuse_iget+0x96/0x1b0 Fixes: 5d069dbe8aaf ("fuse: fix bad inode") -Cc: stable@vger.kernel.org # 5.10+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi -Signed-off-by: Samuel Mendoza-Jonas +Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- fs/fuse/fuse_i.h | 1 + diff --git a/queue-4.14/series b/queue-4.14/series index c8135259c9a..780328192af 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -155,8 +155,6 @@ ext4-set-csum-seed-in-tmp-inode-while-migrating-to-extents.patch ext4-fix-bug_on-in-ext4_bread-when-write-quota-data.patch ext4-don-t-use-the-orphan-list-when-migrating-an-inode.patch crypto-stm32-crc32-fix-kernel-bug-triggered-in-probe.patch -fuse-fix-bad-inode.patch -fuse-fix-live-lock-in-fuse_iget.patch drm-radeon-fix-error-handling-in-radeon_driver_open_kms.patch firmware-update-kconfig-help-text-for-google-firmware.patch lib-kconfig.debug-make-test_kmod-depend-on-page_size_less_than_256kb.patch @@ -181,3 +179,6 @@ bcmgenet-add-wol-irq-check.patch scripts-dtc-dtx_diff-remove-broken-example-from-help-text.patch lib82596-fix-irq-check-in-sni_82596_probe.patch mips-s390-sh-sparc-gup-work-around-the-cow-can-break-either-way-issue.patch +drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-alloc-failure.patch +fuse-fix-bad-inode.patch +fuse-fix-live-lock-in-fuse_iget.patch -- 2.47.2