Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > This is the start of the stable review cycle for the 5.10.180 release. > There are 381 patches in this series, all will be posted as a response > to this one. If anyone has any issues with these being applied, please > let me know. > > Responses should be made by Wed, 17 May 2023 16:16:37 +0000. > Anything received after that time might be too late. > > The whole patch series can be found in one patch at: > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.180-rc1.gz > or in the git tree and branch at: > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y > and the diffstat can be found below. > > thanks, > > greg k-h > > ------------- > Pseudo-Shortlog of commits: [...] > Baokun Li <libaokun1@xxxxxxxxxx> > writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs Sorry for not noticing this sooner, but I think there's a benign issue in this backport. v5.10.180 commit 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs") contains: +static void cgwb_free_rcu(struct rcu_head *rcu_head) +{ + struct bdi_writeback *wb = container_of(rcu_head, + struct bdi_writeback, rcu); + + percpu_ref_exit(&wb->refcnt); + kfree(wb); +} [...] @@ -397,7 +406,7 @@ static void cgwb_release_workfn(struct work_struct *work) fprop_local_destroy_percpu(&wb->memcg_completions); percpu_ref_exit(&wb->refcnt); wb_exit(wb); - kfree_rcu(wb, rcu); + call_rcu(&wb->rcu, cgwb_free_rcu); } Notice there are now 2 percpu_ref_exit() calls. The upstream, and 5.15.y patches remove the cgwb_release_workfn() calls to percpu_ref_exit(). The 5.10.y fixup is below. It's not essential but might be worth applying to track upstream. >From 416e0e8ab5ff41676d04dc819bd667c6ad3f7555 Mon Sep 17 00:00:00 2001 
From: Greg Thelen <gthelen@xxxxxxxxxx> Date: Sat, 20 May 2023 12:46:24 -0700 Subject: [PATCH] writeback, cgroup: remove extra percpu_ref_exit() 5.10 stable commit 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs") is a backport of upstream 6.3 commit 1ba1199ec574. In the 5.10 stable commit backport percpu_ref_exit() is called twice: first in cgwb_release_workfn() and then in cgwb_free_rcu(). The 2nd call is benign as percpu_ref_exit() internally detects there's nothing to do. This fixes a non-upstream issue that only applies to 5.10.y. Fixes: 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs") Signed-off-by: Greg Thelen <gthelen@xxxxxxxxxx> --- mm/backing-dev.c | 1 - 1 file changed, 1 deletion(-) diff --git a/mm/backing-dev.c b/mm/backing-dev.c index b28f629c3527..dd08ab928e07 100644 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -404,7 +404,6 @@ static void cgwb_release_workfn(struct work_struct *work) blkcg_unpin_online(blkcg); fprop_local_destroy_percpu(&wb->memcg_completions); - percpu_ref_exit(&wb->refcnt); wb_exit(wb); call_rcu(&wb->rcu, cgwb_free_rcu); } -- 2.40.1.698.g37aff9b760-goog
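Review bot: the commit message does not explain the effect of the call this hunk actually removes, which is the first percpu_ref_exit(&wb->refcnt) in cgwb_release_workfn(), the one that runs before call_rcu(&wb->rcu, cgwb_free_rcu). The message only argues that the second call, in cgwb_free_rcu(), finds nothing to do. In 5.10.180 as quoted, wb->refcnt is therefore still torn down before the RCU grace period that the backport introduced. Please state whether anything running under RCU (the backport's subject names bdi_split_work_to_wbs) can still touch wb->refcnt in that window. If it can, the fixup is needed for the backported fix to take effect rather than only to track upstream, and the changelog should say so. If it cannot, a sentence explaining why would justify the "benign" wording. Either way, consider adding a one-line comment above cgwb_free_rcu() noting that refcnt teardown belongs only there, so a later 5.10.y backport does not reintroduce the early call.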