From cd92a0ddd69f9b2f9fcde0017127ad64cb410a70 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Fri, 18 Aug 2023 09:48:23 -0400
Subject: [PATCH] Fixes for 5.15

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...-potential-oops-in-cifs_oplock_break.patch | 108 ++++++++++++++++++
 queue-5.15/series                             |   3 +
 ...se-proper-spinlock-for-irq-injection.patch |  64 +++++++++++
 ...mmio-don-t-break-lifecycle-of-vm_dev.patch |  60 ++++++++++
 4 files changed, 235 insertions(+)
 create mode 100644 queue-5.15/cifs-fix-potential-oops-in-cifs_oplock_break.patch
 create mode 100644 queue-5.15/vduse-use-proper-spinlock-for-irq-injection.patch
 create mode 100644 queue-5.15/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch

diff --git a/queue-5.15/cifs-fix-potential-oops-in-cifs_oplock_break.patch b/queue-5.15/cifs-fix-potential-oops-in-cifs_oplock_break.patch
new file mode 100644
index 00000000000..24c7f07b874
--- /dev/null
+++ b/queue-5.15/cifs-fix-potential-oops-in-cifs_oplock_break.patch
@@ -0,0 +1,108 @@
+From ce9d53fa96466a97bc621916650152ebaed0bbd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Aug 2023 15:34:21 -0500
+Subject: cifs: fix potential oops in cifs_oplock_break
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit e8f5f849ffce24490eb9449e98312b66c0dba76f ]
+
+With deferred close we can have closes that race with lease breaks,
+and so with the current checks for whether to send the lease response,
+oplock_response(), this can mean that an unmount (kill_sb) can occur
+just before we were checking if the tcon->ses is valid.  See below:
+
+[Fri Aug  4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs]
+[Fri Aug  4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39
+[Fri Aug  4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206
+[Fri Aug  4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009
+[Fri Aug  4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188
+[Fri Aug  4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900
+[Fri Aug  4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138
+[Fri Aug  4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000
+[Fri Aug  4 04:12:50 2023] FS:  0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000
+[Fri Aug  4 04:12:50 2023] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[Fri Aug  4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0
+[Fri Aug  4 04:12:50 2023] Call Trace:
+[Fri Aug  4 04:12:50 2023]  <TASK>
+[Fri Aug  4 04:12:50 2023]  process_one_work+0x225/0x3d0
+[Fri Aug  4 04:12:50 2023]  worker_thread+0x4d/0x3e0
+[Fri Aug  4 04:12:50 2023]  ? process_one_work+0x3d0/0x3d0
+[Fri Aug  4 04:12:50 2023]  kthread+0x12a/0x150
+[Fri Aug  4 04:12:50 2023]  ? set_kthread_struct+0x50/0x50
+[Fri Aug  4 04:12:50 2023]  ret_from_fork+0x22/0x30
+[Fri Aug  4 04:12:50 2023]  </TASK>
+
+To fix this change the ordering of the checks before sending the oplock_response
+to first check if the openFileList is empty.
+
+Fixes: da787d5b7498 ("SMB3: Do not send lease break acknowledgment if all file handles have been closed")
+Suggested-by: Bharath SM <bharathsm@microsoft.com>
+Reviewed-by: Bharath SM <bharathsm@microsoft.com>
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/file.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index e65fbae9e804b..369620e82b84d 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -4865,9 +4865,11 @@ void cifs_oplock_break(struct work_struct *work)
+ 	struct cifsFileInfo *cfile = container_of(work, struct cifsFileInfo,
+ 						  oplock_break);
+ 	struct inode *inode = d_inode(cfile->dentry);
++	struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
+ 	struct cifsInodeInfo *cinode = CIFS_I(inode);
+-	struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
+-	struct TCP_Server_Info *server = tcon->ses->server;
++	struct cifs_tcon *tcon;
++	struct TCP_Server_Info *server;
++	struct tcon_link *tlink;
+ 	int rc = 0;
+ 	bool purge_cache = false, oplock_break_cancelled;
+ 	__u64 persistent_fid, volatile_fid;
+@@ -4876,6 +4878,12 @@ void cifs_oplock_break(struct work_struct *work)
+ 	wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
+ 			TASK_UNINTERRUPTIBLE);
+ 
++	tlink = cifs_sb_tlink(cifs_sb);
++	if (IS_ERR(tlink))
++		goto out;
++	tcon = tlink_tcon(tlink);
++	server = tcon->ses->server;
++
+ 	server->ops->downgrade_oplock(server, cinode, cfile->oplock_level,
+ 				      cfile->oplock_epoch, &purge_cache);
+ 
+@@ -4925,18 +4933,19 @@ void cifs_oplock_break(struct work_struct *work)
+ 	/*
+ 	 * MS-SMB2 3.2.5.19.1 and 3.2.5.19.2 (and MS-CIFS 3.2.5.42) do not require
+ 	 * an acknowledgment to be sent when the file has already been closed.
+-	 * check for server null, since can race with kill_sb calling tree disconnect.
+ 	 */
+ 	spin_lock(&cinode->open_file_lock);
+-	if (tcon->ses && tcon->ses->server && !oplock_break_cancelled &&
+-					!list_empty(&cinode->openFileList)) {
++	/* check list empty since can race with kill_sb calling tree disconnect */
++	if (!oplock_break_cancelled && !list_empty(&cinode->openFileList)) {
+ 		spin_unlock(&cinode->open_file_lock);
+-		rc = tcon->ses->server->ops->oplock_response(tcon, persistent_fid,
+-						volatile_fid, net_fid, cinode);
++		rc = server->ops->oplock_response(tcon, persistent_fid,
++						  volatile_fid, net_fid, cinode);
+ 		cifs_dbg(FYI, "Oplock release rc = %d\n", rc);
+ 	} else
+ 		spin_unlock(&cinode->open_file_lock);
+ 
++	cifs_put_tlink(tlink);
++out:
+ 	cifs_done_oplock_break(cinode);
+ }
+ 
+-- 
+2.40.1
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 78cd7813e43..0bc574b146d 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -68,3 +68,6 @@ net-ncsi-change-from-ndo_set_mac_address-to-dev_set_.patch
 arm-dts-imx6sll-fixup-of-operating-points.patch
 arm-dts-nxp-imx6sll-fix-wrong-property-name-in-usbph.patch
 btrfs-move-out-now-unused-bg-from-the-reclaim-list.patch
+virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
+vduse-use-proper-spinlock-for-irq-injection.patch
+cifs-fix-potential-oops-in-cifs_oplock_break.patch
diff --git a/queue-5.15/vduse-use-proper-spinlock-for-irq-injection.patch b/queue-5.15/vduse-use-proper-spinlock-for-irq-injection.patch
new file mode 100644
index 00000000000..5f79c1c4e99
--- /dev/null
+++ b/queue-5.15/vduse-use-proper-spinlock-for-irq-injection.patch
@@ -0,0 +1,64 @@
+From 8344cbd21088312bfdc8749fda2bef6e12e3b085 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 13:45:05 +0200
+Subject: vduse: Use proper spinlock for IRQ injection
+
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+[ Upstream commit 7ca26efb09a1543fddb29308ea3b63b66cb5d3ee ]
+
+The IRQ injection work used spin_lock_irq() to protect the
+scheduling of the softirq, but spin_lock_bh() should be
+used.
+
+With spin_lock_irq(), we noticed delay of more than 6
+seconds between the time a NAPI polling work is scheduled
+and the time it is executed.
+
+Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
+Cc: xieyongji@bytedance.com
+
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Message-Id: <20230705114505.63274-1-maxime.coquelin@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
+index 30ae4237f3dd4..564864f039d20 100644
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -879,10 +879,10 @@ static void vduse_dev_irq_inject(struct work_struct *work)
+ {
+ 	struct vduse_dev *dev = container_of(work, struct vduse_dev, inject);
+ 
+-	spin_lock_irq(&dev->irq_lock);
++	spin_lock_bh(&dev->irq_lock);
+ 	if (dev->config_cb.callback)
+ 		dev->config_cb.callback(dev->config_cb.private);
+-	spin_unlock_irq(&dev->irq_lock);
++	spin_unlock_bh(&dev->irq_lock);
+ }
+ 
+ static void vduse_vq_irq_inject(struct work_struct *work)
+@@ -890,10 +890,10 @@ static void vduse_vq_irq_inject(struct work_struct *work)
+ 	struct vduse_virtqueue *vq = container_of(work,
+ 					struct vduse_virtqueue, inject);
+ 
+-	spin_lock_irq(&vq->irq_lock);
++	spin_lock_bh(&vq->irq_lock);
+ 	if (vq->ready && vq->cb.callback)
+ 		vq->cb.callback(vq->cb.private);
+-	spin_unlock_irq(&vq->irq_lock);
++	spin_unlock_bh(&vq->irq_lock);
+ }
+ 
+ static int vduse_dev_queue_irq_work(struct vduse_dev *dev,
+-- 
+2.40.1
+
diff --git a/queue-5.15/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch b/queue-5.15/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
new file mode 100644
index 00000000000..2b12577703e
--- /dev/null
+++ b/queue-5.15/virtio-mmio-don-t-break-lifecycle-of-vm_dev.patch
@@ -0,0 +1,60 @@
+From dbed15d293a094268d90e15b18007a7881a26593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jun 2023 14:05:26 +0200
+Subject: virtio-mmio: don't break lifecycle of vm_dev
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 55c91fedd03d7b9cf0c5199b2eb12b9b8e95281a ]
+
+vm_dev has a separate lifecycle because it has a 'struct device'
+embedded. Thus, having a release callback for it is correct.
+
+Allocating the vm_dev struct with devres totally breaks this protection,
+though. Instead of waiting for the vm_dev release callback, the memory
+is freed when the platform_device is removed. Resulting in a
+use-after-free when finally the callback is to be called.
+
+To easily see the problem, compile the kernel with
+CONFIG_DEBUG_KOBJECT_RELEASE and unbind with sysfs.
+
+The fix is easy, don't use devres in this case.
+
+Found during my research about object lifetime problems.
+
+Fixes: 7eb781b1bbb7 ("virtio_mmio: add cleanup for virtio_mmio_probe")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Message-Id: <20230629120526.7184-1-wsa+renesas@sang-engineering.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_mmio.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index fe696aafaed86..f4d43d60d710f 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -572,9 +572,8 @@ static void virtio_mmio_release_dev(struct device *_d)
+ 	struct virtio_device *vdev =
+ 			container_of(_d, struct virtio_device, dev);
+ 	struct virtio_mmio_device *vm_dev = to_virtio_mmio_device(vdev);
+-	struct platform_device *pdev = vm_dev->pdev;
+ 
+-	devm_kfree(&pdev->dev, vm_dev);
++	kfree(vm_dev);
+ }
+ 
+ /* Platform device */
+@@ -585,7 +584,7 @@ static int virtio_mmio_probe(struct platform_device *pdev)
+ 	unsigned long magic;
+ 	int rc;
+ 
+-	vm_dev = devm_kzalloc(&pdev->dev, sizeof(*vm_dev), GFP_KERNEL);
++	vm_dev = kzalloc(sizeof(*vm_dev), GFP_KERNEL);
+ 	if (!vm_dev)
+ 		return -ENOMEM;
+ 
+-- 
+2.40.1
+
-- 
2.47.3