5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 20 Mar 2021 12:34:35 +0000 (13:34 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 20 Mar 2021 12:34:35 +0000 (13:34 +0100)
added patches:
io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
net-qrtr-fix-__netdev_alloc_skb-call.patch
pstore-fix-warning-in-pstore_kill_sb.patch

queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch [new file with mode: 0644]
queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch [new file with mode: 0644]
queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch b/queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
new file mode 100644 (file)
index 0000000..b317d49
--- /dev/null
@@ -0,0 +1,101 @@
+From 3ebba796fa251d042be42b929a2d916ee5c34a49 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sun, 28 Feb 2021 15:32:18 -0700
+Subject: io_uring: ensure that SQPOLL thread is started for exit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 3ebba796fa251d042be42b929a2d916ee5c34a49 upstream.
+
+If we create it in a disabled state because IORING_SETUP_R_DISABLED is
+set on ring creation, we need to ensure that we've kicked the thread if
+we're exiting before it's been explicitly disabled. Otherwise we can run
+into a deadlock where exit is waiting go park the SQPOLL thread, but the
+SQPOLL thread itself is waiting to get a signal to start.
+
+That results in the below trace of both tasks hung, waiting on each other:
+
+INFO: task syz-executor458:8401 blocked for more than 143 seconds.
+      Not tainted 5.11.0-next-20210226-syzkaller #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor458 state:D stack:27536 pid: 8401 ppid:  8400 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:4324 [inline]
+ __schedule+0x90c/0x21a0 kernel/sched/core.c:5075
+ schedule+0xcf/0x270 kernel/sched/core.c:5154
+ schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
+ io_sq_thread_park fs/io_uring.c:7115 [inline]
+ io_sq_thread_park+0xd5/0x130 fs/io_uring.c:7103
+ io_uring_cancel_task_requests+0x24c/0xd90 fs/io_uring.c:8745
+ __io_uring_files_cancel+0x110/0x230 fs/io_uring.c:8840
+ io_uring_files_cancel include/linux/io_uring.h:47 [inline]
+ do_exit+0x299/0x2a60 kernel/exit.c:780
+ do_group_exit+0x125/0x310 kernel/exit.c:922
+ __do_sys_exit_group kernel/exit.c:933 [inline]
+ __se_sys_exit_group kernel/exit.c:931 [inline]
+ __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x43e899
+RSP: 002b:00007ffe89376d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043e899
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
+RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000010000000
+R10: 0000000000008011 R11: 0000000000000246 R12: 00000000004af2f0
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
+INFO: task iou-sqp-8401:8402 can't die for more than 143 seconds.
+task:iou-sqp-8401    state:D stack:30272 pid: 8402 ppid:  8400 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:4324 [inline]
+ __schedule+0x90c/0x21a0 kernel/sched/core.c:5075
+ schedule+0xcf/0x270 kernel/sched/core.c:5154
+ schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
+ io_sq_thread+0x27d/0x1ae0 fs/io_uring.c:6717
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+INFO: task iou-sqp-8401:8402 blocked for more than 143 seconds.
+
+Reported-by: syzbot+fb5458330b4442f2090d@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2085,6 +2085,7 @@ static void __io_req_task_submit(struct
+               __io_req_task_cancel(req, -EFAULT);
+       mutex_unlock(&ctx->uring_lock);
++      ctx->flags &= ~IORING_SETUP_R_DISABLED;
+       if (ctx->flags & IORING_SETUP_SQPOLL)
+               io_sq_thread_drop_mm();
+ }
+@@ -8684,6 +8685,8 @@ static void io_disable_sqo_submit(struct
+ {
+       mutex_lock(&ctx->uring_lock);
+       ctx->sqo_dead = 1;
++      if (ctx->flags & IORING_SETUP_R_DISABLED)
++              io_sq_offload_start(ctx);
+       mutex_unlock(&ctx->uring_lock);
+       /* make sure callers enter the ring to get error */
+@@ -9662,10 +9665,7 @@ static int io_register_enable_rings(stru
+       if (ctx->restrictions.registered)
+               ctx->restricted = 1;
+-      ctx->flags &= ~IORING_SETUP_R_DISABLED;
+-
+       io_sq_offload_start(ctx);
+-
+       return 0;
+ }
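Review bot: The first fs/io_uring.c hunk places `ctx->flags &= ~IORING_SETUP_R_DISABLED;` right after `mutex_unlock(&ctx->uring_lock)` in what the hunk header and the surrounding `__io_req_task_cancel(req, -EFAULT)` / `io_sq_thread_drop_mm()` context identify as `__io_req_task_submit`, rather than in `io_sq_offload_start`, which the second hunk now calls for exactly the still-disabled case. With the third hunk removing the clear from `io_register_enable_rings`, the only remaining clear appears to run on a request task-work path, outside `uring_lock`, while `io_disable_sqo_submit` tests the flag under the lock; if this placement is a backport slip, the flag would also stay set after `IORING_REGISTER_ENABLE_RINGS` until some task-work submit happens to run. I would move the line into `io_sq_offload_start` ahead of the thread wake-up so clearing the flag is paired with starting the thread, and confirm the 5.10 context, since the function name in the `@@` header is only git's heuristic. The enclosing functions of all three hunks start or end outside the hunk.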
diff --git a/queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch b/queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch
new file mode 100644 (file)
index 0000000..647b1e2
--- /dev/null
@@ -0,0 +1,54 @@
+From 093b036aa94e01a0bea31a38d7f0ee28a2749023 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Mon, 1 Mar 2021 02:22:40 +0300
+Subject: net/qrtr: fix __netdev_alloc_skb call
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.
+
+syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
+It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
+which tries to allocate skb. Since the value comes from the untrusted source
+there is no need to raise a warning in __alloc_pages_nodemask().
+
+[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
+Call Trace:
+ __alloc_pages include/linux/gfp.h:511 [inline]
+ __alloc_pages_node include/linux/gfp.h:524 [inline]
+ alloc_pages_node include/linux/gfp.h:538 [inline]
+ kmalloc_large_node+0x60/0x110 mm/slub.c:3999
+ __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
+ __kmalloc_reserve net/core/skbuff.c:150 [inline]
+ __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
+ __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
+ netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
+ qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
+ qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write+0x426/0x650 fs/read_write.c:518
+ vfs_write+0x791/0xa30 fs/read_write.c:605
+ ksys_write+0x12d/0x250 fs/read_write.c:658
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Acked-by: Alexander Lobakin <alobakin@pm.me>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -433,7 +433,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
+       if (len == 0 || len & 3)
+               return -EINVAL;
+-      skb = netdev_alloc_skb(NULL, len);
++      skb = __netdev_alloc_skb(NULL, len, GFP_ATOMIC | __GFP_NOWARN);
+       if (!skb)
+               return -ENOMEM;
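Review bot: The added `__GFP_NOWARN` only silences the allocator; `len` on the changed `__netdev_alloc_skb` line is still bounded only by the `len == 0 || len & 3` check above it, so a user-controlled length can still drive an order >= MAX_ORDER request into the page allocator and come back as -ENOMEM instead of being rejected up front. Since the description states the value comes from an untrusted source, I would reject oversized lengths explicitly before allocating, e.g. extend the guard to `if (len == 0 || len & 3 || len > QRTR_MAX_PKT_LEN /* placeholder: protocol or allocator bound */) return -EINVAL;`, which also gives callers a clearer error than an allocation failure. `qrtr_endpoint_post` begins before the hunk and continues after it.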
diff --git a/queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch b/queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch
new file mode 100644 (file)
index 0000000..ae2c14f
--- /dev/null
@@ -0,0 +1,39 @@
+From 9c7d83ae6ba67d6c6199cce24573983db3b56332 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sun, 14 Feb 2021 12:13:07 +0900
+Subject: pstore: Fix warning in pstore_kill_sb()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 9c7d83ae6ba67d6c6199cce24573983db3b56332 upstream.
+
+syzbot is hitting WARN_ON(pstore_sb != sb) at pstore_kill_sb() [1], for the
+assumption that pstore_sb != NULL is wrong because pstore_fill_super() will
+not assign pstore_sb = sb when new_inode() for d_make_root() returned NULL
+(due to memory allocation fault injection).
+
+Since mount_single() calls pstore_kill_sb() when pstore_fill_super()
+failed, pstore_kill_sb() needs to be aware of such failure path.
+
+[1] https://syzkaller.appspot.com/bug?id=6abacb8da5137cb47a416f2bef95719ed60508a0
+
+Reported-by: syzbot <syzbot+d0cf0ad6513e9a1da5df@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210214031307.57903-1-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pstore/inode.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/pstore/inode.c
++++ b/fs/pstore/inode.c
+@@ -467,7 +467,7 @@ static struct dentry *pstore_mount(struc
+ static void pstore_kill_sb(struct super_block *sb)
+ {
+       mutex_lock(&pstore_sb_lock);
+-      WARN_ON(pstore_sb != sb);
++      WARN_ON(pstore_sb && pstore_sb != sb);
+       kill_litter_super(sb);
+       pstore_sb = NULL;
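Review bot: The relaxed `WARN_ON(pstore_sb && pstore_sb != sb)` encodes the failure path from the description (pstore_fill_super() returning before `pstore_sb` is assigned) but leaves no trace of that reasoning in the code, so a later reader may tighten it back. I would add a comment above it: `/* pstore_sb is still NULL if pstore_fill_super() failed before assigning it; mount_single() still calls us to kill the sb. */`. Note also that `pstore_sb = NULL` on the last hunk line clears the global unconditionally even when the WARN_ON fired for a mismatched sb, which this change does not address; `pstore_kill_sb` continues past the end of the hunk.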
index db0497021ee495c340d10553872f68f21c9e400d..7ed18040d475fb308752f1caf296649055290767 100644 (file)
@@ -47,3 +47,6 @@ vfio-iommu_api-should-be-selected.patch
 vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
 i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch
+pstore-fix-warning-in-pstore_kill_sb.patch
+io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
+net-qrtr-fix-__netdev_alloc_skb-call.patch