4.4-stable patches

added patches:
	mt7601u-fix-kernel-crash-unplugging-the-device.patch
	mt7601u-fix-rx-buffer-refcounting.patch

diff --git a/queue-4.4/mt7601u-fix-kernel-crash-unplugging-the-device.patch b/queue-4.4/mt7601u-fix-kernel-crash-unplugging-the-device.patch
new file mode 100644 (file)
index 0000000..ea5a4ce
--- /dev/null
+++ b/queue-4.4/mt7601u-fix-kernel-crash-unplugging-the-device.patch
@@ -0,0 +1,78 @@
+From 0acb20a5438c36e0cf2b8bf255f314b59fcca6ef Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sun, 17 Jan 2021 22:46:01 +0100
+Subject: mt7601u: fix kernel crash unplugging the device
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit 0acb20a5438c36e0cf2b8bf255f314b59fcca6ef upstream.
+
+The following crash log can occur unplugging the usb dongle since,
+after the urb poison in mt7601u_free_tx_queue(), usb_submit_urb() will
+always fail resulting in a skb kfree while the skb has been already
+queued.
+
+Fix the issue enqueuing the skb only if usb_submit_urb() succeed.
+
+Hardware name: Hewlett-Packard 500-539ng/2B2C, BIOS 80.06 04/01/2015
+Workqueue: usb_hub_wq hub_event
+RIP: 0010:skb_trim+0x2c/0x30
+RSP: 0000:ffffb4c88005bba8 EFLAGS: 00010206
+RAX: 000000004ad483ee RBX: ffff9a236625dee0 RCX: 000000000000662f
+RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff9a2343179300
+RBP: ffff9a2343179300 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff9a23748f7840 R11: 0000000000000001 R12: ffff9a236625e4d4
+R13: ffff9a236625dee0 R14: 0000000000001080 R15: 0000000000000008
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fd410a34ef8 CR3: 00000001416ee001 CR4: 00000000001706f0
+Call Trace:
+ mt7601u_tx_status+0x3e/0xa0 [mt7601u]
+ mt7601u_dma_cleanup+0xca/0x110 [mt7601u]
+ mt7601u_cleanup+0x22/0x30 [mt7601u]
+ mt7601u_disconnect+0x22/0x60 [mt7601u]
+ usb_unbind_interface+0x8a/0x270
+ ? kernfs_find_ns+0x35/0xd0
+ __device_release_driver+0x17a/0x230
+ device_release_driver+0x24/0x30
+ bus_remove_device+0xdb/0x140
+ device_del+0x18b/0x430
+ ? kobject_put+0x98/0x1d0
+ usb_disable_device+0xc6/0x1f0
+ usb_disconnect.cold+0x7e/0x20a
+ hub_event+0xbf3/0x1870
+ process_one_work+0x1b6/0x350
+ worker_thread+0x53/0x3e0
+ ? process_one_work+0x350/0x350
+ kthread+0x11b/0x140
+ ? __kthread_bind_mask+0x60/0x60
+ ret_from_fork+0x22/0x30
+
+Fixes: 23377c200b2eb ("mt7601u: fix possible memory leak when the device is disconnected")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/3b85219f669a63a8ced1f43686de05915a580489.1610919247.git.lorenzo@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -318,7 +318,6 @@ static int mt7601u_dma_submit_tx(struct
+       }
+ 
+       e = &q->e[q->end];
+-      e->skb = skb;
+       usb_fill_bulk_urb(e->urb, usb_dev, snd_pipe, skb->data, skb->len,
+                         mt7601u_complete_tx, q);
+       ret = usb_submit_urb(e->urb, GFP_ATOMIC);
+@@ -336,6 +335,7 @@ static int mt7601u_dma_submit_tx(struct
+ 
+       q->end = (q->end + 1) % q->entries;
+       q->used++;
++      e->skb = skb;
+ 
+       if (q->used >= q->entries)
+               ieee80211_stop_queue(dev->hw, skb_get_queue_mapping(skb));

diff --git a/queue-4.4/mt7601u-fix-rx-buffer-refcounting.patch b/queue-4.4/mt7601u-fix-rx-buffer-refcounting.patch
new file mode 100644 (file)
index 0000000..a9a2cb5
--- /dev/null
+++ b/queue-4.4/mt7601u-fix-rx-buffer-refcounting.patch
@@ -0,0 +1,74 @@
+From d24c790577ef01bfa01da2b131313a38c843a634 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Thu, 14 Jan 2021 18:10:52 +0100
+Subject: mt7601u: fix rx buffer refcounting
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit d24c790577ef01bfa01da2b131313a38c843a634 upstream.
+
+Fix the following crash due to erroneous page refcounting:
+
+[   32.445919] BUG: Bad page state in process swapper/1  pfn:11f65a
+[   32.447409] page:00000000938f0632 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x11f65a
+[   32.449605] flags: 0x8000000000000000()
+[   32.450421] raw: 8000000000000000 ffffffff825b0148 ffffea00045ae988 0000000000000000
+[   32.451795] raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
+[   32.452999] page dumped because: nonzero mapcount
+[   32.453888] Modules linked in:
+[   32.454492] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-rc2+ #1976
+[   32.455695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014
+[   32.457157] Call Trace:
+[   32.457636]  <IRQ>
+[   32.457993]  dump_stack+0x77/0x97
+[   32.458576]  bad_page.cold+0x65/0x96
+[   32.459198]  get_page_from_freelist+0x46a/0x11f0
+[   32.460008]  __alloc_pages_nodemask+0x10a/0x2b0
+[   32.460794]  mt7601u_rx_tasklet+0x651/0x720
+[   32.461505]  tasklet_action_common.constprop.0+0x6b/0xd0
+[   32.462343]  __do_softirq+0x152/0x46c
+[   32.462928]  asm_call_irq_on_stack+0x12/0x20
+[   32.463610]  </IRQ>
+[   32.463953]  do_softirq_own_stack+0x5b/0x70
+[   32.464582]  irq_exit_rcu+0x9f/0xe0
+[   32.465028]  common_interrupt+0xae/0x1a0
+[   32.465536]  asm_common_interrupt+0x1e/0x40
+[   32.466071] RIP: 0010:default_idle+0x18/0x20
+[   32.468981] RSP: 0018:ffffc90000077f00 EFLAGS: 00000246
+[   32.469648] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
+[   32.470550] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81aac3dd
+[   32.471463] RBP: ffff88810022ab00 R08: 0000000000000001 R09: 0000000000000001
+[   32.472335] R10: 0000000000000046 R11: 0000000000005aa0 R12: 0000000000000000
+[   32.473235] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[   32.474139]  ? default_idle_call+0x4d/0x200
+[   32.474681]  default_idle_call+0x74/0x200
+[   32.475192]  do_idle+0x1d5/0x250
+[   32.475612]  cpu_startup_entry+0x19/0x20
+[   32.476114]  secondary_startup_64_no_verify+0xb0/0xbb
+[   32.476765] Disabling lock debugging due to kernel taint
+
+Fixes: c869f77d6abb ("add mt7601u driver")
+Co-developed-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/62b2380c8c2091834cfad05e1059b55f945bd114.1610643952.git.lorenzo@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt7601u/dma.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
+@@ -160,8 +160,7 @@ mt7601u_rx_process_entry(struct mt7601u_
+ 
+       if (new_p) {
+               /* we have one extra ref from the allocator */
+-              __free_pages(e->p, MT_RX_ORDER);
+-
++              put_page(e->p);
+               e->p = new_p;
+       }
+ }

diff --git a/queue-4.4/series b/queue-4.4/series
index 37682760dca148b81564dcfa6105ebcc29e85f6d..61f871655889731ba4a3a42d8a49de47aaa33c04 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -2,3 +2,5 @@ acpi-sysfs-prefer-compatible-modalias.patch
 wext-fix-null-ptr-dereference-with-cfg80211-s-lack-of-commit.patch
 net-usb-qmi_wwan-added-support-for-thales-cinterion-plsx3-modem-family.patch
 kvm-x86-pmu-fix-hw_ref_cpu_cycles-event-pseudo-encoding-in-intel_arch_events.patch
+mt7601u-fix-kernel-crash-unplugging-the-device.patch
+mt7601u-fix-rx-buffer-refcounting.patch