From: Greg Kroah-Hartman Date: Mon, 21 Aug 2023 11:45:17 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v6.4.12~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0663785d7d6f4d7ce0f584c1bf15d61dade6915f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: cifs-release-folio-lock-on-fscache-read-hit.patch mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch --- diff --git a/queue-4.14/cifs-release-folio-lock-on-fscache-read-hit.patch b/queue-4.14/cifs-release-folio-lock-on-fscache-read-hit.patch new file mode 100644 index 00000000000..564827884b1 --- /dev/null +++ b/queue-4.14/cifs-release-folio-lock-on-fscache-read-hit.patch 
@@ -0,0 +1,65 @@ +From 69513dd669e243928f7450893190915a88f84a2b Mon Sep 17 00:00:00 2001 +From: Russell Harmon via samba-technical +Date: Thu, 10 Aug 2023 00:19:22 -0700 +Subject: cifs: Release folio lock on fscache read hit. + +From: Russell Harmon via samba-technical + +commit 69513dd669e243928f7450893190915a88f84a2b upstream. + +Under the current code, when cifs_readpage_worker is called, the call +contract is that the callee should unlock the page. This is documented +in the read_folio section of Documentation/filesystems/vfs.rst as: + +> The filesystem should unlock the folio once the read has completed, +> whether it was successful or not. + +Without this change, when fscache is in use and cache hit occurs during +a read, the page lock is leaked, producing the following stack on +subsequent reads (via mmap) to the page: + +$ cat /proc/3890/task/12864/stack +[<0>] folio_wait_bit_common+0x124/0x350 +[<0>] filemap_read_folio+0xad/0xf0 +[<0>] filemap_fault+0x8b1/0xab0 +[<0>] __do_fault+0x39/0x150 +[<0>] do_fault+0x25c/0x3e0 +[<0>] __handle_mm_fault+0x6ca/0xc70 +[<0>] handle_mm_fault+0xe9/0x350 +[<0>] do_user_addr_fault+0x225/0x6c0 +[<0>] exc_page_fault+0x84/0x1b0 +[<0>] asm_exc_page_fault+0x27/0x30 + +This requires a reboot to resolve; it is a deadlock. + +Note however that the call to cifs_readpage_from_fscache does mark the +page clean, but does not free the folio lock. This happens in +__cifs_readpage_from_fscache on success. Releasing the lock at that +point however is not appropriate as cifs_readahead also calls +cifs_readpage_from_fscache and *does* unconditionally release the lock +after its return. This change therefore effectively makes +cifs_readpage_worker work like cifs_readahead. 
+ +Signed-off-by: Russell Harmon +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: David Howells +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -3939,9 +3939,9 @@ static int cifs_readpage_worker(struct f + + io_error: + kunmap(page); +- unlock_page(page); + + read_complete: ++ unlock_page(page); + return rc; + } + diff --git a/queue-4.14/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch b/queue-4.14/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch new file mode 100644 index 00000000000..6c7687a9ee7 --- /dev/null +++ b/queue-4.14/mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch @@ -0,0 +1,33 @@ +From d83035433701919ac6db15f7737cbf554c36c1a6 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 7 Aug 2023 20:44:42 +0800 +Subject: mmc: wbsd: fix double mmc_free_host() in wbsd_init() + +From: Yang Yingliang + +commit d83035433701919ac6db15f7737cbf554c36c1a6 upstream. + +mmc_free_host() has already be called in wbsd_free_mmc(), +remove the mmc_free_host() in error path in wbsd_init(). + +Fixes: dc5b9b50fc9d ("mmc: wbsd: fix return value check of mmc_add_host()") +Signed-off-by: Yang Yingliang +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20230807124443.3431366-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/wbsd.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/mmc/host/wbsd.c ++++ b/drivers/mmc/host/wbsd.c +@@ -1723,8 +1723,6 @@ static int wbsd_init(struct device *dev, + + wbsd_release_resources(host); + wbsd_free_mmc(dev); +- +- mmc_free_host(mmc); + return ret; + } + diff --git a/queue-4.14/series b/queue-4.14/series index e67850f7cd2..4814374cf29 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -27,3 +27,5 @@ i40e-fix-misleading-debug-logs.patch sock-fix-misuse-of-sk_under_memory_pressure.patch net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch alsa-usb-audio-add-support-for-mythware-xa001au-capture-and-playback-interfaces.patch +cifs-release-folio-lock-on-fscache-read-hit.patch +mmc-wbsd-fix-double-mmc_free_host-in-wbsd_init.patch
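Review bot: In the fs/cifs/file.c hunk, placing unlock_page(page) under the read_complete label means every path that reaches read_complete now unlocks the page, not only the io_error fall-through, and the hunk context does not show the other goto read_complete sites in cifs_readpage_worker. For this 4.14 backport, confirm that each of those sites still holds the page lock when it jumps, otherwise the page is unlocked twice. The commit message argues from folio locking and from cifs_readahead, while the hunk uses the page API; a short backport note under the "commit 69513dd669e243928f7450893190915a88f84a2b upstream." line stating that the same unlock contract holds in the 4.14 tree would make that check visible to later readers.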
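Review bot: In the drivers/mmc/host/wbsd.c hunk, the error path of wbsd_init() now depends on wbsd_free_mmc(dev) being the one place that calls mmc_free_host(), and nothing in the remaining lines says so. A one-line comment above wbsd_free_mmc(dev) noting that it also frees the host would keep a later cleanup from adding mmc_free_host(mmc) back and reintroducing the double free described in the commit message.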