From: Greg Kroah-Hartman Date: Sun, 22 Sep 2019 08:27:49 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.3.2~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cf0500cf0e7af8db536280d6f625dad9ebf3b94;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: rdma-restrack-protect-from-reentry-to-resource-return-path.patch --- diff --git a/queue-4.19/rdma-restrack-protect-from-reentry-to-resource-return-path.patch b/queue-4.19/rdma-restrack-protect-from-reentry-to-resource-return-path.patch new file mode 100644 index 00000000000..ec4d5ca082e --- /dev/null +++ b/queue-4.19/rdma-restrack-protect-from-reentry-to-resource-return-path.patch 
@@ -0,0 +1,101 @@
+From fe9bc1644918aa1d02a889b4ca788bfb67f90816 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Thu, 11 Oct 2018 22:10:10 +0300
+Subject: RDMA/restrack: Protect from reentry to resource return path
+
+From: Leon Romanovsky
+
+commit fe9bc1644918aa1d02a889b4ca788bfb67f90816 upstream.
+
+Nullify the resource task struct pointer to ensure that subsequent calls
+won't try to release task_struct again.
+
+------------[ cut here ]------------
+ODEBUG: free active (active state 1) object type: rcu_head hint:
+(null)
+WARNING: CPU: 0 PID: 6048 at lib/debugobjects.c:329
+debug_print_object+0x16a/0x210 lib/debugobjects.c:326
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 0 PID: 6048 Comm: syz-executor022 Not tainted
+4.19.0-rc7-next-20181008+ #89
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x244/0x3ab lib/dump_stack.c:113
+ panic+0x238/0x4e7 kernel/panic.c:184
+ __warn.cold.8+0x163/0x1ba kernel/panic.c:536
+ report_bug+0x254/0x2d0 lib/bug.c:186
+ fixup_bug arch/x86/kernel/traps.c:178 [inline]
+ do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
+ do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
+ invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
+RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
+Code: 41 88 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14
+dd
+60 02 41 88 4c 89 fe 48 c7 c7 00 f8 40 88 e8 36 2f b4 fd <0f> 0b 83 05
+a9
+f4 5e 06 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
+RSP: 0018:ffff8801d8c3eda8 EFLAGS: 00010086
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff8164d235 RDI: 0000000000000005
+RBP: ffff8801d8c3ede8 R08: ffff8801d70aa280 R09: ffffed003b5c3eda
+R10: ffffed003b5c3eda R11: ffff8801dae1f6d7 R12: 0000000000000001
+R13: ffffffff8939a760 R14: 0000000000000000 R15: ffffffff8840fca0
+ __debug_check_no_obj_freed
lib/debugobjects.c:786 [inline]
+ debug_check_no_obj_freed+0x3ae/0x58d lib/debugobjects.c:818
+ kmem_cache_free+0x202/0x290 mm/slab.c:3759
+ free_task_struct kernel/fork.c:163 [inline]
+ free_task+0x16e/0x1f0 kernel/fork.c:457
+ __put_task_struct+0x2e6/0x620 kernel/fork.c:730
+ put_task_struct include/linux/sched/task.h:96 [inline]
+ finish_task_switch+0x66c/0x900 kernel/sched/core.c:2715
+ context_switch kernel/sched/core.c:2834 [inline]
+ __schedule+0x8d7/0x21d0 kernel/sched/core.c:3480
+ schedule+0xfe/0x460 kernel/sched/core.c:3524
+ freezable_schedule include/linux/freezer.h:172 [inline]
+ futex_wait_queue_me+0x3f9/0x840 kernel/futex.c:2530
+ futex_wait+0x45c/0xa50 kernel/futex.c:2645
+ do_futex+0x31a/0x26d0 kernel/futex.c:3528
+ __do_sys_futex kernel/futex.c:3589 [inline]
+ __se_sys_futex kernel/futex.c:3557 [inline]
+ __x64_sys_futex+0x472/0x6a0 kernel/futex.c:3557
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x446549
+Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f3a998f5da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
+RAX: ffffffffffffffda RBX: 00000000006dbc38 RCX: 0000000000446549
+RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
+RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
+R13: 2f646e6162696e69 R14: 666e692f7665642f R15: 00000000006dbd2c
+Kernel Offset: disabled
+
+Reported-by: syzbot+71aff6ea121ffefc280f@syzkaller.appspotmail.com
+Fixes: ed7a01fd3fd7 ("RDMA/restrack: Release task struct which was hold by CM_ID object")
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Cc: Pavel Machek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/restrack.c | 4 +++-
+ 1 file changed, 3
insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/restrack.c
++++ b/drivers/infiniband/core/restrack.c
+@@ -225,7 +225,9 @@ void rdma_restrack_del(struct rdma_restr
+ up_write(&dev->res.rwsem);
+ 
+ out:
+- if (res->task)
++ if (res->task) {
+ put_task_struct(res->task);
++ res->task = NULL;
++ }
+ }
+ EXPORT_SYMBOL(rdma_restrack_del);
diff --git a/queue-4.19/series b/queue-4.19/series
index bd4c1c39413..992c4b0930c 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,3 @@
 revert-bluetooth-validate-ble-connection-interval-up.patch
 net-ibmvnic-free-reset-work-of-removed-device-from-q.patch
+rdma-restrack-protect-from-reentry-to-resource-return-path.patch
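Review bot: The check-then-put-then-clear at `out:` runs after `up_write(&dev->res.rwsem)`, so nothing visible in this hunk serializes two callers reaching rdma_restrack_del() for the same res at once — both can observe a non-NULL `res->task` before either clears it, and the double put_task_struct() this patch is meant to stop (the trace shows a task_struct being freed out of finish_task_switch, i.e. a refcount underflow on a live task, which is a use-after-free primitive, not just a warning) remains reachable on that interleaving. If the caller is not guaranteed to serialize deletes, make the test-and-clear atomic by replacing the `if` block with `struct task_struct *task = xchg(&res->task, NULL); if (task) put_task_struct(task);`, or move the put under the write lock. The ownership rule also deserves a comment at the `if`, e.g. `/* drop the reference taken when the entry was added; must happen exactly once */` — hedged, since the acquiring side is not in this hunk (the Fixes: tag points at ed7a01fd3fd7 for it). rdma_restrack_del()'s body, including the early paths that `goto out`, starts outside the hunk.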