Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.4/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch b/queue-5.4/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
new file mode 100644 (file)
index 0000000..198daab
--- /dev/null
+++ b/queue-5.4/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
@@ -0,0 +1,77 @@
+From 8f40804247d669cd88edb66b2367ac4d4cc62e05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Oct 2020 13:15:44 +0200
+Subject: Bluetooth: hidp: use correct wait queue when removing ctrl_wait
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ole Bjørn Midtbø <omidtbo@cisco.com>
+
+[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]
+
+A different wait queue was used when removing ctrl_wait than when adding
+it. This effectively made the remove operation without locking compared
+to other operations on the wait queue ctrl_wait was part of. This caused
+issues like below where dead000000000100 is LIST_POISON1 and
+dead000000000200 is LIST_POISON2.
+
+ list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
+       but was dead000000000200. (next=ffffffc03ac77de0).
+ ------------[ cut here ]------------
+ CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G           O    4.4.238+ #9
+ ...
+ ---[ end trace 0adc2158f0646eac ]---
+ Call trace:
+ [<ffffffc000443f78>] __list_add+0x38/0xb0
+ [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68
+ [<ffffffc00020eecc>] __pollwait+0xec/0x100
+ [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200
+ [<ffffffc000bdb8a8>] sock_poll+0x110/0x128
+ [<ffffffc000210378>] do_sys_poll+0x220/0x480
+ [<ffffffc0002106f0>] SyS_poll+0x80/0x138
+ [<ffffffc00008510c>] __sys_trace_return+0x0/0x4
+
+ Unable to handle kernel paging request at virtual address dead000000000100
+ ...
+ CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G        W  O    4.4.238+ #9
+ ...
+ Call trace:
+  [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8
+  [<ffffffc0000f0818>] __wake_up+0x50/0x70
+  [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60
+  [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224
+  [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298
+  [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198
+  [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78
+  [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30
+  [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360
+  [<ffffffc0000c2218>] process_one_work+0x268/0x460
+  [<ffffffc0000c2678>] worker_thread+0x268/0x480
+  [<ffffffc0000c94e0>] kthread+0x118/0x128
+  [<ffffffc000085070>] ret_from_fork+0x10/0x20
+  ---[ end trace 0adc2158f0646ead ]---
+
+Signed-off-by: Ole Bjørn Midtbø <omidtbo@cisco.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index bef84b95e2c4..ac98e3b37ab4 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -1290,7 +1290,7 @@ static int hidp_session_thread(void *arg)
+ 
+       /* cleanup runtime environment */
+       remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
+-      remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
++      remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
+       wake_up_interruptible(&session->report_queue);
+       hidp_del_timer(session);
+ 
+-- 
+2.30.2
+

diff --git a/queue-5.4/series b/queue-5.4/series
index 7959381b0bd16a5661d0c00f45ac9f2faa2f0b83..7f9d8073fe6bec0fd98c9170a83baeb920e9ce93 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,4 @@ scsi-core-fix-capacity-set-to-zero-after-offlinining.patch
 arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch
 net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch
 drm-amd-display-fix-dynamic-bpp-issue-with-8k30-with.patch
+bluetooth-hidp-use-correct-wait-queue-when-removing-.patch