diff --git a/patches/misc/cgroup1-fix-leaked-context-root-causing-sporadic-NUL.patch b/patches/misc/cgroup1-fix-leaked-context-root-causing-sporadic-NUL.patch
deleted file mode 100644
index 94cb03f284f16fc6fb035708c310d42fe0c2ec8c..0000000000000000000000000000000000000000
--- a/patches/misc/cgroup1-fix-leaked-context-root-causing-sporadic-NUL.patch
+++ /dev/null
@@ -1,134 +0,0 @@ -From ab49d2db98bdee2c8c6e17fb59ded9e5292b0f41 Mon Sep 17 00:00:00 2001 -From: Paul Gortmaker <paul.gortmaker@windriver.com> -Date: Wed, 16 Jun 2021 08:51:57 -0400 -Subject: [PATCH] cgroup1: fix leaked context root causing sporadic NULL deref - in LTP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Richard reported sporadic (roughly one in 10 or so) null dereferences and -other strange behaviour for a set of automated LTP tests. Things like: - - BUG: kernel NULL pointer dereference, address: 0000000000000008 - #PF: supervisor read access in kernel mode - #PF: error_code(0x0000) - not-present page - PGD 0 P4D 0 - Oops: 0000 [#1] PREEMPT SMP PTI - CPU: 0 PID: 1516 Comm: umount Not tainted 5.10.0-yocto-standard #1 - Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 - RIP: 0010:kernfs_sop_show_path+0x1b/0x60 - -...or these others: - - RIP: 0010:do_mkdirat+0x6a/0xf0 - RIP: 0010:d_alloc_parallel+0x98/0x510 - RIP: 0010:do_readlinkat+0x86/0x120 - -There were other less common instances of some kind of a general scribble -but the common theme was mount and cgroup and a dubious dentry triggering -the NULL dereference. I was only able to reproduce it under qemu by -replicating Richard's setup as closely as possible - I never did get it -to happen on bare metal, even while keeping everything else the same. - -In commit 71d883c37e8d ("cgroup_do_mount(): massage calling conventions") -we see this as a part of the overall change: - - -------------- - struct cgroup_subsys *ss; - - struct dentry *dentry; - - [...] - - - dentry = cgroup_do_mount(&cgroup_fs_type, fc->sb_flags, root, - - CGROUP_SUPER_MAGIC, ns); - - [...] 
- - - if (percpu_ref_is_dying(&root->cgrp.self.refcnt)) { - - struct super_block *sb = dentry->d_sb; - - dput(dentry); - + ret = cgroup_do_mount(fc, CGROUP_SUPER_MAGIC, ns); - + if (!ret && percpu_ref_is_dying(&root->cgrp.self.refcnt)) { - + struct super_block *sb = fc->root->d_sb; - + dput(fc->root); - deactivate_locked_super(sb); - msleep(10); - return restart_syscall(); - } - -------------- - -In changing from the local "*dentry" variable to using fc->root, we now -export/leave that dentry pointer in the file context after doing the dput() -in the unlikely "is_dying" case. With LTP doing a crazy amount of back to -back mount/unmount [testcases/bin/cgroup_regression_5_1.sh] the unlikely -becomes slightly likely and then bad things happen. - -A fix would be to not leave the stale reference in fc->root as follows: - - -------------- - Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â dput(fc->root); - + fc->root = NULL; - Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â deactivate_locked_super(sb); - -------------- - -...but then we are just open-coding a duplicate of fc_drop_locked() so we -simply use that instead. 
-
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Cc: Tejun Heo <tj@kernel.org>
-Cc: Zefan Li <lizefan.x@bytedance.com>
-Cc: Johannes Weiner <hannes@cmpxchg.org>
-Cc: stable@vger.kernel.org # v5.1+
-Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Fixes: 71d883c37e8d ("cgroup_do_mount(): massage calling conventions")
-Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
----
- fs/internal.h | 1 -
- include/linux/fs_context.h | 1 +
- kernel/cgroup/cgroup-v1.c | 4 +---
- 3 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/fs/internal.h b/fs/internal.h
-index a7cd0f64faa4..5155f6ce95c7 100644
---- a/fs/internal.h
-+++ b/fs/internal.h
-@@ -64,7 +64,6 @@ extern void __init chrdev_init(void);
- */
- extern const struct fs_context_operations legacy_fs_context_ops;
- extern int parse_monolithic_mount_data(struct fs_context *, void *);
--extern void fc_drop_locked(struct fs_context *);
- extern void vfs_clean_context(struct fs_context *fc);
- extern int finish_clean_context(struct fs_context *fc);
- 
-diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
-index 37e1e8f7f08d..5b44b0195a28 100644
---- a/include/linux/fs_context.h
-+++ b/include/linux/fs_context.h
-@@ -139,6 +139,7 @@ extern int vfs_parse_fs_string(struct fs_context *fc, const char *key,
- extern int generic_parse_monolithic(struct fs_context *fc, void *data);
- extern int vfs_get_tree(struct fs_context *fc);
- extern void put_fs_context(struct fs_context *fc);
-+extern void fc_drop_locked(struct fs_context *fc);
- 
- /*
- * sget() wrappers to be called from the ->get_tree() op.
-diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
-index a5751784ad74..5f7f893187f6 100644
---- a/kernel/cgroup/cgroup-v1.c
-+++ b/kernel/cgroup/cgroup-v1.c
-@@ -1219,9 +1219,7 @@ int cgroup1_get_tree(struct fs_context *fc)
- ret = cgroup_do_get_tree(fc);
- 
- if (!ret && percpu_ref_is_dying(&ctx->root->cgrp.self.refcnt)) {
-- struct super_block *sb = fc->root->d_sb;
-- dput(fc->root);
-- deactivate_locked_super(sb);
-+ fc_drop_locked(fc);
- ret = 1;
- }
- 
---
-2.19.1
-
diff --git a/patches/misc/misc.scc b/patches/misc/misc.scc
index e3774c86563b6aeafb651ff572c8fb2807563947..ff54bbaf3e21b8b34beaad23d55465e5c3238242 100644
--- a/patches/misc/misc.scc
+++ b/patches/misc/misc.scc
@@ -10,6 +10,5 @@ patch arm64-perf-fix-backtrace-for-AAPCS-with-FP-enabled.patch
 patch defconfigs-drop-obselete-options.patch
 patch arm64-perf-Fix-wrong-cast-that-may-cause-wrong-trunc.patch
 patch net-dccp-make-it-depend-on-CONFIG_BROKEN-CVE-2020-16.patch
-patch cgroup1-fix-leaked-context-root-causing-sporadic-NUL.patch
 patch rcu-Fix-stall-warning-deadlock-due-to-non-release-of.patch
 patch iwlwifi-select-MAC80211_LEDS-conditionally.patch