5.10-stable patches
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 22 Apr 2025 14:12:40 +0000 (16:12 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 22 Apr 2025 14:12:40 +0000 (16:12 +0200)
added patches:
drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
perf-fix-perf_pending_task-uaf.patch
s390-dasd-fix-double-module-refcount-decrement.patch

queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch [new file with mode: 0644]
queue-5.10/perf-fix-perf_pending_task-uaf.patch [new file with mode: 0644]
queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch b/queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
new file mode 100644 (file)
index 0000000..9d51d5a
--- /dev/null
@@ -0,0 +1,67 @@
+From cc7ad0d77b51c872d629bcd98aea463a3c4109e7 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou <duoming@zju.edu.cn>
+Date: Sat, 9 Apr 2022 14:18:35 +0800
+Subject: drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+commit cc7ad0d77b51c872d629bcd98aea463a3c4109e7 upstream.
+
+There is a deadlock in rtw_surveydone_event_callback(),
+which is shown below:
+
+   (Thread 1)                  |      (Thread 2)
+                               | _set_timer()
+rtw_surveydone_event_callback()|  mod_timer()
+ spin_lock_bh() //(1)          |  (wait a time)
+ ...                           | rtw_scan_timeout_handler()
+ del_timer_sync()              |  spin_lock_bh() //(2)
+ (wait timer to stop)          |  ...
+
+We hold pmlmepriv->lock in position (1) of thread 1 and use
+del_timer_sync() to wait timer to stop, but timer handler
+also need pmlmepriv->lock in position (2) of thread 2.
+As a result, rtw_surveydone_event_callback() will block forever.
+
+This patch extracts del_timer_sync() from the protection of
+spin_lock_bh(), which could let timer handler to obtain
+the needed lock. What`s more, we change spin_lock_bh() in
+rtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,
+spin_lock_bh() will also cause deadlock() in timer handler.
+
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Link: https://lore.kernel.org/r/20220409061836.60529-1-duoming@zju.edu.cn
+[Minor context change fixed]
+Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
+Signed-off-by: He Zhe <Zhe.He@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -826,7 +826,9 @@ void rtw_surveydone_event_callback(struc
+       RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_surveydone_event_callback: fw_state:%x\n\n", get_fwstate(pmlmepriv)));
+       if (check_fwstate(pmlmepriv, _FW_UNDER_SURVEY)) {
++              spin_unlock_bh(&pmlmepriv->lock);
+               del_timer_sync(&pmlmepriv->scan_to_timer);
++              spin_lock_bh(&pmlmepriv->lock);
+               _clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
+       } else {
+@@ -1753,11 +1755,11 @@ void rtw_scan_timeout_handler(struct tim
+       DBG_871X(FUNC_ADPT_FMT" fw_state =%x\n", FUNC_ADPT_ARG(adapter), get_fwstate(pmlmepriv));
+-      spin_lock_bh(&pmlmepriv->lock);
++      spin_lock_irq(&pmlmepriv->lock);
+       _clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
+-      spin_unlock_bh(&pmlmepriv->lock);
++      spin_unlock_irq(&pmlmepriv->lock);
+       rtw_indicate_scan_done(adapter, true);
+ }
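Review bot: The unlock/relock pair added around del_timer_sync() opens a window in which pmlmepriv->lock is not held, and the state that was read under the lock just before it (check_fwstate(_FW_UNDER_SURVEY)) is not re-validated once spin_lock_bh() is retaken before _clr_fwstate_() runs; whether another path can change that state in the window cannot be judged from the hunk. The drop is load-bearing, so it deserves a comment that stops a later cleanup from folding it back into the deadlock: `/* Drop pmlmepriv->lock while waiting: rtw_scan_timeout_handler() takes the same lock, so del_timer_sync() under it deadlocks. */`. The _bh→_irq switch in rtw_scan_timeout_handler() also assumes the handler is only ever entered with interrupts enabled, which holds for a timer callback but would not for any other caller of that function. rtw_surveydone_event_callback() begins and ends outside the hunk.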
diff --git a/queue-5.10/perf-fix-perf_pending_task-uaf.patch b/queue-5.10/perf-fix-perf_pending_task-uaf.patch
new file mode 100644 (file)
index 0000000..e9417b1
--- /dev/null
@@ -0,0 +1,100 @@
+From 517e6a301f34613bff24a8e35b5455884f2d83d8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 24 Nov 2022 12:49:12 +0100
+Subject: perf: Fix perf_pending_task() UaF
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 517e6a301f34613bff24a8e35b5455884f2d83d8 upstream.
+
+Per syzbot it is possible for perf_pending_task() to run after the
+event is free()'d. There are two related but distinct cases:
+
+ - the task_work was already queued before destroying the event;
+ - destroying the event itself queues the task_work.
+
+The first cannot be solved using task_work_cancel() since
+perf_release() itself might be called from a task_work (____fput),
+which means the current->task_works list is already empty and
+task_work_cancel() won't be able to find the perf_pending_task()
+entry.
+
+The simplest alternative is extending the perf_event lifetime to cover
+the task_work.
+
+The second is just silly, queueing a task_work while you know the
+event is going away makes no sense and is easily avoided by
+re-arranging how the event is marked STATE_DEAD and ensuring it goes
+through STATE_OFF on the way down.
+
+Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Marco Elver <elver@google.com>
+[ Discard the changes in event_sched_out() due to 5.10 don't have the
+  commit: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
+  and commit: ca6c21327c6a ("perf: Fix missing SIGTRAPs") ]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2419,6 +2419,7 @@ group_sched_out(struct perf_event *group
+ }
+ #define DETACH_GROUP  0x01UL
++#define DETACH_DEAD   0x04UL
+ /*
+  * Cross CPU call to remove a performance event
+@@ -2439,10 +2440,18 @@ __perf_remove_from_context(struct perf_e
+               update_cgrp_time_from_cpuctx(cpuctx, false);
+       }
++      /*
++       * Ensure event_sched_out() switches to OFF, at the very least
++       * this avoids raising perf_pending_task() at this time.
++       */
++      if (flags & DETACH_DEAD)
++              event->pending_disable = 1;
+       event_sched_out(event, cpuctx, ctx);
+       if (flags & DETACH_GROUP)
+               perf_group_detach(event);
+       list_del_event(event, ctx);
++      if (flags & DETACH_DEAD)
++              event->state = PERF_EVENT_STATE_DEAD;
+       if (!ctx->nr_events && ctx->is_active) {
+               if (ctx == &cpuctx->ctx)
+@@ -5111,9 +5120,7 @@ int perf_event_release_kernel(struct per
+       ctx = perf_event_ctx_lock(event);
+       WARN_ON_ONCE(ctx->parent_ctx);
+-      perf_remove_from_context(event, DETACH_GROUP);
+-      raw_spin_lock_irq(&ctx->lock);
+       /*
+        * Mark this event as STATE_DEAD, there is no external reference to it
+        * anymore.
+@@ -5125,8 +5132,7 @@ int perf_event_release_kernel(struct per
+        * Thus this guarantees that we will in fact observe and kill _ALL_
+        * child events.
+        */
+-      event->state = PERF_EVENT_STATE_DEAD;
+-      raw_spin_unlock_irq(&ctx->lock);
++      perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
+       perf_event_ctx_unlock(event, ctx);
+@@ -6533,6 +6539,8 @@ static void perf_pending_event(struct ir
+       if (rctx >= 0)
+               perf_swevent_put_recursion_context(rctx);
++
++      put_event(event);
+ }
+ /*
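Review bot: The put_event(event) added at the end of perf_pending_event() has no matching reference acquisition anywhere in this backport: the bracketed note in the patch description says the event_sched_out() change was discarded because 5.10 lacks the SIGTRAP commits, and in the upstream commit that is where the reference is taken before the pending work is queued. As backported, every run of the pending handler would drop a reference it never took, which is a refcount underflow and a path to an earlier free rather than the later one the fix intends. Unless a 5.10-specific get exists outside the hunk (none is visible here, and the truncated hunk header `perf_pending_event(struct ir` suggests the 5.10 handler is the irq_work callback rather than a task_work), the `put_event(event);` line should be dropped together with the discarded get, or the get carried over as well. The DETACH_DEAD/pending_disable rework in __perf_remove_from_context() and perf_event_release_kernel() stands on its own and addresses the second case from the description.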
diff --git a/queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch b/queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch
new file mode 100644 (file)
index 0000000..84e745f
--- /dev/null
@@ -0,0 +1,56 @@
+From c3116e62ddeff79cae342147753ce596f01fcf06 Mon Sep 17 00:00:00 2001
+From: Miroslav Franc <mfranc@suse.cz>
+Date: Fri, 9 Feb 2024 13:45:22 +0100
+Subject: s390/dasd: fix double module refcount decrement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miroslav Franc <mfranc@suse.cz>
+
+commit c3116e62ddeff79cae342147753ce596f01fcf06 upstream.
+
+Once the discipline is associated with the device, deleting the device
+takes care of decrementing the module's refcount.  Doing it manually on
+this error path causes refcount to artificially decrease on each error
+while it should just stay the same.
+
+Fixes: c020d722b110 ("s390/dasd: fix panic during offline processing")
+Signed-off-by: Miroslav Franc <mfranc@suse.cz>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240209124522.3697827-3-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[Minor context change fixed]
+Signed-off-by: Feng Liu <Feng.Liu3@windriver.com>
+Signed-off-by: He Zhe <Zhe.He@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/block/dasd.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3637,12 +3637,11 @@ int dasd_generic_set_online(struct ccw_d
+               dasd_delete_device(device);
+               return -EINVAL;
+       }
++      device->base_discipline = base_discipline;
+       if (!try_module_get(discipline->owner)) {
+-              module_put(base_discipline->owner);
+               dasd_delete_device(device);
+               return -EINVAL;
+       }
+-      device->base_discipline = base_discipline;
+       device->discipline = discipline;
+       /* check_device will allocate block device if necessary */
+@@ -3650,8 +3649,6 @@ int dasd_generic_set_online(struct ccw_d
+       if (rc) {
+               pr_warn("%s Setting the DASD online with discipline %s failed with rc=%i\n",
+                       dev_name(&cdev->dev), discipline->name, rc);
+-              module_put(discipline->owner);
+-              module_put(base_discipline->owner);
+               dasd_delete_device(device);
+               return rc;
+       }
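Review bot: The new ordering, assigning device->base_discipline before try_module_get(discipline->owner), is what lets dasd_delete_device() drop the base_discipline reference on that failure path, and nothing in the hunk says so; a future cleanup that moves the assignment back next to device->discipline would silently turn the double put into a leaked reference. Suggest a one-line comment on the moved line: `/* Set before try_module_get(): dasd_delete_device() puts base_discipline->owner once it is assigned. */`. This relies on dasd_delete_device() releasing both module owners, which the commit message asserts but the hunk does not show, so it is worth confirming against the 5.10 dasd_delete_device() when applying. Both hunks sit inside dasd_generic_set_online(), which begins and ends outside the patch context.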
index f9284d0e4b7b91a79e39238ab498683c123a282e..f10f5ba6e21db268334be4e2e9f387f5630f514e 100644 (file)
@@ -188,3 +188,6 @@ kernel-resource-fix-kfree-of-bootmem-memory-again.patch
 drm-i915-gt-cleanup-partial-engine-discovery-failures.patch
 fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch
 mm-fix-apply_to_existing_page_range.patch
+perf-fix-perf_pending_task-uaf.patch
+drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
+s390-dasd-fix-double-module-refcount-decrement.patch