Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
This is the start of the stable review cycle for the 5.10.180 release. There are 381 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 17 May 2023 16:16:37 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.180-rc...
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
Pseudo-Shortlog of commits:
[...]
Baokun Li <libaokun1@huawei.com>
    writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs
Sorry for not noticing this sooner, but I think there's a benign issue in this backport.
v5.10.180 commit 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs") contains:
+static void cgwb_free_rcu(struct rcu_head *rcu_head) +{ + struct bdi_writeback *wb = container_of(rcu_head, + struct bdi_writeback, rcu); + + percpu_ref_exit(&wb->refcnt); + kfree(wb); +}
[...]
@@ -397,7 +406,7 @@ static void cgwb_release_workfn(struct work_struct *work) fprop_local_destroy_percpu(&wb->memcg_completions); percpu_ref_exit(&wb->refcnt); wb_exit(wb); - kfree_rcu(wb, rcu); + call_rcu(&wb->rcu, cgwb_free_rcu); }
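Review bot: In the cgwb_release_workfn() hunk the unchanged context line percpu_ref_exit(&wb->refcnt) stays in place ahead of call_rcu(&wb->rcu, cgwb_free_rcu), so the ref is exited once before the grace period and again in cgwb_free_rcu(). If the point of moving the free into an RCU callback is that nothing tears down the ref until readers are done, the early call should be dropped so that only cgwb_free_rcu() exits it.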
Notice there are now 2 percpu_ref_exit() calls. The upstream and 5.15.y patches remove the cgwb_release_workfn() calls to percpu_ref_exit(). The 5.10.y fixup is below. It's not essential but might be worth applying to track upstream.
From 416e0e8ab5ff41676d04dc819bd667c6ad3f7555 Mon Sep 17 00:00:00 2001
From: Greg Thelen <gthelen@google.com>
Date: Sat, 20 May 2023 12:46:24 -0700
Subject: [PATCH] writeback, cgroup: remove extra percpu_ref_exit()
5.10 stable commit 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs") is a backport of upstream 6.3 commit 1ba1199ec574.
In the 5.10 stable commit backport percpu_ref_exit() is called twice: first in cgwb_release_workfn() and then in cgwb_free_rcu(). The 2nd call is benign as percpu_ref_exit() internally detects there's nothing to do.
This fixes a non-upstream issue that only applies to 5.10.y.
Fixes: 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs")
Signed-off-by: Greg Thelen <gthelen@google.com>
---
 mm/backing-dev.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/mm/backing-dev.c b/mm/backing-dev.c index b28f629c3527..dd08ab928e07 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -404,7 +404,6 @@ static void cgwb_release_workfn(struct work_struct *work) blkcg_unpin_online(blkcg);
fprop_local_destroy_percpu(&wb->memcg_completions); - percpu_ref_exit(&wb->refcnt); wb_exit(wb); call_rcu(&wb->rcu, cgwb_free_rcu); }
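Review bot: The changelog justifies the removal only by saying the second percpu_ref_exit() call has nothing to do, but the line deleted from cgwb_release_workfn() is the first call, the one that ran before call_rcu(&wb->rcu, cgwb_free_rcu). It would help to state in the changelog what changes once the exit happens only in cgwb_free_rcu() after the grace period, so stable maintainers can judge whether this is purely cosmetic or also affects the original fix.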