Fixes for 6.11

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.11/nfsd-initialize-struct-nfsd4_copy-earlier.patch b/queue-6.11/nfsd-initialize-struct-nfsd4_copy-earlier.patch
new file mode 100644 (file)
index 0000000..3ed580c
--- /dev/null
+++ b/queue-6.11/nfsd-initialize-struct-nfsd4_copy-earlier.patch
@@ -0,0 +1,48 @@
+From 99d6671cbed2cce39028a90463a177597deb5fc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 12:02:38 -0400
+Subject: NFSD: Initialize struct nfsd4_copy earlier
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 63fab04cbd0f96191b6e5beedc3b643b01c15889 ]
+
+Ensure the refcount and async_copies fields are initialized early.
+cleanup_async_copy() will reference these fields if an error occurs
+in nfsd4_copy(). If they are not correctly initialized, at the very
+least, a refcount underflow occurs.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 5768b2ff1d1d1..81a1e3bf06b97 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1838,14 +1838,14 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+               if (!async_copy)
+                       goto out_err;
+               async_copy->cp_nn = nn;
++              INIT_LIST_HEAD(&async_copy->copies);
++              refcount_set(&async_copy->refcount, 1);
+               /* Arbitrary cap on number of pending async copy operations */
+               if (atomic_inc_return(&nn->pending_async_copies) >
+                               (int)rqstp->rq_pool->sp_nrthreads) {
+                       atomic_dec(&nn->pending_async_copies);
+                       goto out_err;
+               }
+-              INIT_LIST_HEAD(&async_copy->copies);
+-              refcount_set(&async_copy->refcount, 1);
+               async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
+               if (!async_copy->cp_src)
+                       goto out_err;
+-- 
+2.43.0
+

diff --git a/queue-6.11/nfsd-never-decrement-pending_async_copies-on-error.patch b/queue-6.11/nfsd-never-decrement-pending_async_copies-on-error.patch
new file mode 100644 (file)
index 0000000..4906a7c
--- /dev/null
+++ b/queue-6.11/nfsd-never-decrement-pending_async_copies-on-error.patch
@@ -0,0 +1,39 @@
+From 0fd07d8a88acd45df2ca40b18e81638f2f527d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 15:27:19 -0400
+Subject: NFSD: Never decrement pending_async_copies on error
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 8286f8b622990194207df9ab852e0f87c60d35e9 ]
+
+The error flow in nfsd4_copy() calls cleanup_async_copy(), which
+already decrements nn->pending_async_copies.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 81a1e3bf06b97..8b78d493e301f 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1842,10 +1842,8 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
+               refcount_set(&async_copy->refcount, 1);
+               /* Arbitrary cap on number of pending async copy operations */
+               if (atomic_inc_return(&nn->pending_async_copies) >
+-                              (int)rqstp->rq_pool->sp_nrthreads) {
+-                      atomic_dec(&nn->pending_async_copies);
++                              (int)rqstp->rq_pool->sp_nrthreads)
+                       goto out_err;
+-              }
+               async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
+               if (!async_copy->cp_src)
+                       goto out_err;
+-- 
+2.43.0
+

diff --git a/queue-6.11/rpcrdma-always-release-the-rpcrdma_device-s-xa_array.patch b/queue-6.11/rpcrdma-always-release-the-rpcrdma_device-s-xa_array.patch
new file mode 100644 (file)
index 0000000..ea4b4e6
--- /dev/null
+++ b/queue-6.11/rpcrdma-always-release-the-rpcrdma_device-s-xa_array.patch
@@ -0,0 +1,37 @@
+From ed40d614ff243ccfca53ae6118ee3c4b1b841831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 16:11:30 -0400
+Subject: rpcrdma: Always release the rpcrdma_device's xa_array
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 63a81588cd2025e75fbaf30b65930b76825c456f ]
+
+Dai pointed out that the xa_init_flags() in rpcrdma_add_one() needs
+to have a matching xa_destroy() in rpcrdma_remove_one() to release
+underlying memory that the xarray might have accrued during
+operation.
+
+Reported-by: Dai Ngo <dai.ngo@oracle.com>
+Fixes: 7e86845a0346 ("rpcrdma: Implement generic device removal")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtrdma/ib_client.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/xprtrdma/ib_client.c b/net/sunrpc/xprtrdma/ib_client.c
+index 8507cd4d89217..28c68b5f68238 100644
+--- a/net/sunrpc/xprtrdma/ib_client.c
++++ b/net/sunrpc/xprtrdma/ib_client.c
+@@ -153,6 +153,7 @@ static void rpcrdma_remove_one(struct ib_device *device,
+       }
+ 
+       trace_rpcrdma_client_remove_one_done(device);
++      xa_destroy(&rd->rd_xa);
+       kfree(rd);
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.11/series b/queue-6.11/series
index 82a36c9390d99db9be75832153753eb0ec59cf57..ccfd7bc73d934a609adff26b2809d27fb71fa4e0 100644 (file)
--- a/queue-6.11/series
+++ b/queue-6.11/series
@@ -108,3 +108,6 @@ thermal-intel-int340x-processor-add-mmio-rapl-pl4-su.patch
 net-amd-mvme147-fix-probe-banner-message.patch
 nfs-remove-revoked-delegation-from-server-s-delegati.patch
 misc-sgi-gru-don-t-disable-preemption-in-gru-driver.patch
+nfsd-initialize-struct-nfsd4_copy-earlier.patch
+nfsd-never-decrement-pending_async_copies-on-error.patch
+rpcrdma-always-release-the-rpcrdma_device-s-xa_array.patch