From: Greg Kroah-Hartman
Date: Sat, 20 Mar 2021 12:34:35 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v4.4.263~67
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2897163948c0522e2cb6ce373ab3eb7d32d0cd2;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
net-qrtr-fix-__netdev_alloc_skb-call.patch
pstore-fix-warning-in-pstore_kill_sb.patch
---
diff --git a/queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch b/queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
new file mode 100644
index 00000000000..b317d492e11
--- /dev/null
+++ b/queue-5.10/io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
@@ -0,0 +1,101 @@
+From 3ebba796fa251d042be42b929a2d916ee5c34a49 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Sun, 28 Feb 2021 15:32:18 -0700
+Subject: io_uring: ensure that SQPOLL thread is started for exit
+
+From: Jens Axboe
+
+commit 3ebba796fa251d042be42b929a2d916ee5c34a49 upstream.
+
+If we create it in a disabled state because IORING_SETUP_R_DISABLED is
+set on ring creation, we need to ensure that we've kicked the thread if
+we're exiting before it's been explicitly disabled. Otherwise we can run
+into a deadlock where exit is waiting go park the SQPOLL thread, but the
+SQPOLL thread itself is waiting to get a signal to start.
+
+That results in the below trace of both tasks hung, waiting on each other:
+
+INFO: task syz-executor458:8401 blocked for more than 143 seconds.
+ Not tainted 5.11.0-next-20210226-syzkaller #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor458 state:D stack:27536 pid: 8401 ppid: 8400 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:4324 [inline]
+ __schedule+0x90c/0x21a0 kernel/sched/core.c:5075
+ schedule+0xcf/0x270 kernel/sched/core.c:5154
+ schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
+ io_sq_thread_park fs/io_uring.c:7115 [inline]
+ io_sq_thread_park+0xd5/0x130 fs/io_uring.c:7103
+ io_uring_cancel_task_requests+0x24c/0xd90 fs/io_uring.c:8745
+ __io_uring_files_cancel+0x110/0x230 fs/io_uring.c:8840
+ io_uring_files_cancel include/linux/io_uring.h:47 [inline]
+ do_exit+0x299/0x2a60 kernel/exit.c:780
+ do_group_exit+0x125/0x310 kernel/exit.c:922
+ __do_sys_exit_group kernel/exit.c:933 [inline]
+ __se_sys_exit_group kernel/exit.c:931 [inline]
+ __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:931
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x43e899
+RSP: 002b:00007ffe89376d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043e899
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
+RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000010000000
+R10: 0000000000008011 R11: 0000000000000246 R12: 00000000004af2f0
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
+INFO: task iou-sqp-8401:8402 can't die for more than 143 seconds.
+task:iou-sqp-8401 state:D stack:30272 pid: 8402 ppid: 8400 flags:0x00004004
+Call Trace:
+ context_switch kernel/sched/core.c:4324 [inline]
+ __schedule+0x90c/0x21a0 kernel/sched/core.c:5075
+ schedule+0xcf/0x270 kernel/sched/core.c:5154
+ schedule_timeout+0x1db/0x250 kernel/time/timer.c:1868
+ do_wait_for_common kernel/sched/completion.c:85 [inline]
+ __wait_for_common kernel/sched/completion.c:106 [inline]
+ wait_for_common kernel/sched/completion.c:117 [inline]
+ wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
+ io_sq_thread+0x27d/0x1ae0 fs/io_uring.c:6717
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+INFO: task iou-sqp-8401:8402 blocked for more than 143 seconds.
+
+Reported-by: syzbot+fb5458330b4442f2090d@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2085,6 +2085,7 @@ static void __io_req_task_submit(struct
+ __io_req_task_cancel(req, -EFAULT);
+ mutex_unlock(&ctx->uring_lock);
+
++ ctx->flags &= ~IORING_SETUP_R_DISABLED;
+ if (ctx->flags & IORING_SETUP_SQPOLL)
+ io_sq_thread_drop_mm();
+ }
+@@ -8684,6 +8685,8 @@ static void io_disable_sqo_submit(struct
+ {
+ mutex_lock(&ctx->uring_lock);
+ ctx->sqo_dead = 1;
++ if (ctx->flags & IORING_SETUP_R_DISABLED)
++ io_sq_offload_start(ctx);
+ mutex_unlock(&ctx->uring_lock);
+
+ /* make sure callers enter the ring to get error */
+@@ -9662,10 +9665,7 @@ static int io_register_enable_rings(stru
+ if (ctx->restrictions.registered)
+ ctx->restricted = 1;
+
+- ctx->flags &= ~IORING_SETUP_R_DISABLED;
+-
+ io_sq_offload_start(ctx);
+-
+ return 0;
+ }
+
diff --git a/queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch b/queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch
new file mode 100644
index 00000000000..647b1e24730
--- /dev/null
+++ b/queue-5.10/net-qrtr-fix-__netdev_alloc_skb-call.patch
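Review bot: The first inner hunk of the io_uring backport inserts `ctx->flags &= ~IORING_SETUP_R_DISABLED;` under a hunk header naming `__io_req_task_submit`, and its context lines (`__io_req_task_cancel(req, -EFAULT);`, `mutex_unlock(&ctx->uring_lock);`, `io_sq_thread_drop_mm();`) read like the per-request task-work path rather than the ring-enable path. At the same time the third hunk removes the only other clear of that flag from `io_register_enable_rings`, so if the new line really landed in `__io_req_task_submit`, IORING_REGISTER_ENABLE_RINGS would leave R_DISABLED set until some request happens to go through task work, and the new `if (ctx->flags & IORING_SETUP_R_DISABLED) io_sq_offload_start(ctx);` in `io_disable_sqo_submit` would wake the thread without clearing the flag. The natural home for the clear is the top of `io_sq_offload_start`, which both the enable path and the new exit path call; I would verify the 5.10 context against the upstream commit before this goes out, and move the line to `static void io_sq_offload_start(struct io_ring_ctx *ctx)` / `ctx->flags &= ~IORING_SETUP_R_DISABLED;` as its first statement if the placement is confirmed wrong. The enclosing functions of all three inner hunks start and end outside the hunk.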
@@ -0,0 +1,54 @@
+From 093b036aa94e01a0bea31a38d7f0ee28a2749023 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Mon, 1 Mar 2021 02:22:40 +0300
+Subject: net/qrtr: fix __netdev_alloc_skb call
+
+From: Pavel Skripkin
+
+commit 093b036aa94e01a0bea31a38d7f0ee28a2749023 upstream.
+
+syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= MAX_ORDER.
+It was caused by a huge length value passed from userspace to qrtr_tun_write_iter(),
+which tries to allocate skb. Since the value comes from the untrusted source
+there is no need to raise a warning in __alloc_pages_nodemask().
+
+[1] WARNING in __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5014
+Call Trace:
+ __alloc_pages include/linux/gfp.h:511 [inline]
+ __alloc_pages_node include/linux/gfp.h:524 [inline]
+ alloc_pages_node include/linux/gfp.h:538 [inline]
+ kmalloc_large_node+0x60/0x110 mm/slub.c:3999
+ __kmalloc_node_track_caller+0x319/0x3f0 mm/slub.c:4496
+ __kmalloc_reserve net/core/skbuff.c:150 [inline]
+ __alloc_skb+0x4e4/0x5a0 net/core/skbuff.c:210
+ __netdev_alloc_skb+0x70/0x400 net/core/skbuff.c:446
+ netdev_alloc_skb include/linux/skbuff.h:2832 [inline]
+ qrtr_endpoint_post+0x84/0x11b0 net/qrtr/qrtr.c:442
+ qrtr_tun_write_iter+0x11f/0x1a0 net/qrtr/tun.c:98
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write+0x426/0x650 fs/read_write.c:518
+ vfs_write+0x791/0xa30 fs/read_write.c:605
+ ksys_write+0x12d/0x250 fs/read_write.c:658
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+80dccaee7c6630fa9dcf@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Acked-by: Alexander Lobakin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -433,7 +433,7 @@ int qrtr_endpoint_post(struct qrtr_endpo
+ if (len == 0 || len & 3)
+ return -EINVAL;
+
+- skb = netdev_alloc_skb(NULL, len);
++ skb = __netdev_alloc_skb(NULL, len, GFP_ATOMIC | __GFP_NOWARN);
+ if (!skb)
+ return -ENOMEM;
+
diff --git a/queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch b/queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch
new file mode 100644
index 00000000000..ae2c14f65f1
--- /dev/null
+++ b/queue-5.10/pstore-fix-warning-in-pstore_kill_sb.patch
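Review bot: `__GFP_NOWARN` on the new `__netdev_alloc_skb` line only silences the page-allocator warning; `len` still arrives from the untrusted writer with no upper bound beyond the `len == 0 || len & 3` check two lines above, so an oversized write still drives a large allocation attempt that fails with -ENOMEM. A bound next to the existing check, `if (len == 0 || len & 3 || len > <MAX_QRTR_MESSAGE_SIZE placeholder>) return -EINVAL;`, would reject such input before touching the allocator and make the intended maximum explicit. A short comment on the new line, `/* len is caller-supplied; fail quietly instead of warning on huge sizes */`, would also explain the flag to the next reader. `qrtr_endpoint_post` begins and ends outside the hunk.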
@@ -0,0 +1,39 @@
+From 9c7d83ae6ba67d6c6199cce24573983db3b56332 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Sun, 14 Feb 2021 12:13:07 +0900
+Subject: pstore: Fix warning in pstore_kill_sb()
+
+From: Tetsuo Handa
+
+commit 9c7d83ae6ba67d6c6199cce24573983db3b56332 upstream.
+
+syzbot is hitting WARN_ON(pstore_sb != sb) at pstore_kill_sb() [1], for the
+assumption that pstore_sb != NULL is wrong because pstore_fill_super() will
+not assign pstore_sb = sb when new_inode() for d_make_root() returned NULL
+(due to memory allocation fault injection).
+
+Since mount_single() calls pstore_kill_sb() when pstore_fill_super()
+failed, pstore_kill_sb() needs to be aware of such failure path.
+
+[1] https://syzkaller.appspot.com/bug?id=6abacb8da5137cb47a416f2bef95719ed60508a0
+
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Signed-off-by: Kees Cook
+Link: https://lore.kernel.org/r/20210214031307.57903-1-penguin-kernel@I-love.SAKURA.ne.jp
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/pstore/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/pstore/inode.c
++++ b/fs/pstore/inode.c
+@@ -467,7 +467,7 @@ static struct dentry *pstore_mount(struc
+ static void pstore_kill_sb(struct super_block *sb)
+ {
+ mutex_lock(&pstore_sb_lock);
+- WARN_ON(pstore_sb != sb);
++ WARN_ON(pstore_sb && pstore_sb != sb);
+
+ kill_litter_super(sb);
+ pstore_sb = NULL;
diff --git a/queue-5.10/series b/queue-5.10/series
index db0497021ee..7ed18040d47 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -47,3 +47,6 @@ vfio-iommu_api-should-be-selected.patch
 vhost_vdpa-fix-the-missing-irq_bypass_unregister_producer-invocation.patch
 sunrpc-fix-refcount-leak-for-rpc-auth-modules.patch
 i915-perf-start-hrtimer-only-if-sampling-the-oa-buffer.patch
+pstore-fix-warning-in-pstore_kill_sb.patch
+io_uring-ensure-that-sqpoll-thread-is-started-for-exit.patch
+net-qrtr-fix-__netdev_alloc_skb-call.patch
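Review bot: The new `WARN_ON(pstore_sb && pstore_sb != sb);` in `pstore_kill_sb` encodes an invariant that the code itself does not state — that `pstore_sb` is still NULL when `pstore_fill_super()` failed before assigning it and `mount_single()` tears the superblock down anyway. The commit message explains this, but a reader of the function will only see a weakened check; a one-line comment above it, `/* pstore_sb is still NULL if pstore_fill_super() failed before assigning it */`, keeps the reasoning next to the condition. `pstore_kill_sb` ends outside the hunk.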