From 387a2af437f6865258d35803f93b0d6edd1bfd32 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 28 Jul 2021 20:05:49 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	io_uring-fix-link-timeout-refs.patch
---
 .../io_uring-fix-link-timeout-refs.patch      | 53 +++++++++++++++++++
 queue-5.10/series                             |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 queue-5.10/io_uring-fix-link-timeout-refs.patch

diff --git a/queue-5.10/io_uring-fix-link-timeout-refs.patch b/queue-5.10/io_uring-fix-link-timeout-refs.patch
new file mode 100644
index 00000000000..97eea145993
--- /dev/null
+++ b/queue-5.10/io_uring-fix-link-timeout-refs.patch
@@ -0,0 +1,53 @@
+From asml.silence@gmail.com  Wed Jul 28 20:02:10 2021
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 26 Jul 2021 16:17:20 +0100
+Subject: [PATCH] io_uring: fix link timeout refs
+To: stable@vger.kernel.org
+Cc: Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>, Sudip Mukherjee <sudipm.mukherjee@gmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com
+Message-ID: <caf9dc2dc29367bb38fee4064b7d562d9837e441.1627312513.git.asml.silence@gmail.com>
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
+
+WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
+RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
+Call Trace:
+ __refcount_sub_and_test include/linux/refcount.h:283 [inline]
+ __refcount_dec_and_test include/linux/refcount.h:315 [inline]
+ refcount_dec_and_test include/linux/refcount.h:333 [inline]
+ io_put_req fs/io_uring.c:2140 [inline]
+ io_queue_linked_timeout fs/io_uring.c:6300 [inline]
+ __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
+ io_submit_sqe fs/io_uring.c:6534 [inline]
+ io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
+ __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
+ __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
+
+io_link_timeout_fn() should put only one reference of the linked timeout
+request, however in case of racing with the master request's completion
+first io_req_complete() puts one and then io_put_req_deferred() is
+called.
+
+Cc: stable@vger.kernel.org # 5.12+
+Fixes: 9ae1f8dd372e0 ("io_uring: fix inconsistent lock state")
+Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.1620417627.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -6266,7 +6266,6 @@ static enum hrtimer_restart io_link_time
+ 	if (prev) {
+ 		io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
+ 		io_put_req_deferred(prev, 1);
+-		io_put_req_deferred(req, 1);
+ 	} else {
+ 		io_cqring_add_event(req, -ETIME, 0);
+ 		io_put_req_deferred(req, 1);
diff --git a/queue-5.10/series b/queue-5.10/series
index 8fd3d79a1e3..f1af7b804a3 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1 +1,2 @@
 tools-allow-proper-cc-cxx-...-override-with-llvm-1-in-makefile.include.patch
+io_uring-fix-link-timeout-refs.patch
-- 
2.47.3