patches for 4.4
authorSasha Levin <sashal@kernel.org>
Sun, 2 Dec 2018 15:57:04 +0000 (10:57 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 2 Dec 2018 15:57:04 +0000 (10:57 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/media-em28xx-fix-use-after-free-when-disconnecting.patch [new file with mode: 0644]
queue-4.4/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch [new file with mode: 0644]
queue-4.4/series [new file with mode: 0644]

diff --git a/queue-4.4/media-em28xx-fix-use-after-free-when-disconnecting.patch b/queue-4.4/media-em28xx-fix-use-after-free-when-disconnecting.patch
new file mode 100644 (file)
index 0000000..32d28f8
--- /dev/null
@@ -0,0 +1,91 @@
+From 0b45231d28747aa042aada5ed6ba6349d14cfff2 Mon Sep 17 00:00:00 2001
+From: Matthias Schwarzott <zzam@gentoo.org>
+Date: Mon, 30 Oct 2017 06:07:29 -0400
+Subject: media: em28xx: Fix use-after-free when disconnecting
+
+[ Upstream commit 910b0797fa9e8af09c44a3fa36cb310ba7a7218d ]
+
+Fix bug by moving the i2c_unregister_device calls after deregistration
+of dvb frontend.
+
+The new style i2c drivers already destroys the frontend object at
+i2c_unregister_device time.
+When the dvb frontend is unregistered afterwards it leads to this oops:
+
+  [ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8
+  [ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core]
+  [ 6058.866644] PGD 0
+  [ 6058.866646] P4D 0
+
+  [ 6058.866726] Oops: 0000 [#1] SMP
+  [ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops]
+  [ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G        W  O    4.13.9-gentoo #1
+  [ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014
+  [ 6058.867692] Workqueue: usb_hub_wq hub_event
+  [ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000
+  [ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core]
+  [ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293
+  [ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f
+  [ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028
+  [ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f
+  [ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028
+  [ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098
+  [ 6058.868419] FS:  0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000
+  [ 6058.868511] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0
+  [ 6058.868662] Call Trace:
+  [ 6058.868705]  dvb_unregister_frontend+0x2a/0x80 [dvb_core]
+  [ 6058.868774]  em28xx_dvb_fini+0x132/0x220 [em28xx_dvb]
+  [ 6058.868840]  em28xx_close_extension+0x34/0x90 [em28xx]
+  [ 6058.868902]  em28xx_usb_disconnect+0x4e/0x70 [em28xx]
+  [ 6058.868968]  usb_unbind_interface+0x6d/0x260
+  [ 6058.869025]  device_release_driver_internal+0x150/0x210
+  [ 6058.869094]  device_release_driver+0xd/0x10
+  [ 6058.869150]  bus_remove_device+0xe4/0x160
+  [ 6058.869204]  device_del+0x1ce/0x2f0
+  [ 6058.869253]  usb_disable_device+0x99/0x270
+  [ 6058.869306]  usb_disconnect+0x8d/0x260
+  [ 6058.869359]  hub_event+0x93d/0x1520
+  [ 6058.869408]  ? dequeue_task_fair+0xae5/0xd20
+  [ 6058.869467]  process_one_work+0x1d9/0x3e0
+  [ 6058.869522]  worker_thread+0x43/0x3e0
+  [ 6058.869576]  kthread+0x104/0x140
+  [ 6058.869602]  ? trace_event_raw_event_workqueue_work+0x80/0x80
+  [ 6058.869640]  ? kthread_create_on_node+0x40/0x40
+  [ 6058.869673]  ret_from_fork+0x22/0x30
+  [ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8
+  [ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58
+  [ 6058.869894] CR2: 00000000000001f8
+  [ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]---
+
+Signed-off-by: Matthias Schwarzott <zzam@gentoo.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index 357be76c7a55..5502a0fb94fd 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -1806,6 +1806,8 @@ static int em28xx_dvb_fini(struct em28xx *dev)
+               }
+       }
++      em28xx_unregister_dvb(dvb);
++
+       /* remove I2C SEC */
+       client = dvb->i2c_client_sec;
+       if (client) {
+@@ -1827,7 +1829,6 @@ static int em28xx_dvb_fini(struct em28xx *dev)
+               i2c_unregister_device(client);
+       }
+-      em28xx_unregister_dvb(dvb);
+       kfree(dvb);
+       dev->dvb = NULL;
+       kref_put(&dev->ref, em28xx_free_device);
+-- 
+2.17.1
+
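Review bot: The moved `em28xx_unregister_dvb(dvb)` call at the top of the inner hunk now carries an ordering invariant that nothing in the code states, so a later cleanup could push it back below the `i2c_unregister_device()` calls and reintroduce the disconnect-time oops quoted in the message. I would add a comment above the call: `/* Unregister the DVB frontend before the I2C clients: a new-style I2C driver's remove() tears down the frontend, so dvb_unregister_frontend() after i2c_unregister_device() touches freed memory. */`. The backtrace shown is a NULL dereference in dvb_frontend_stop() reached from dvb_unregister_frontend(), which is consistent with the frontend having been torn down by the I2C remove path first, and that is exactly what the new ordering avoids. em28xx_dvb_fini() starts before and continues after this hunk, so the remaining I2C client teardown (demod/tuner, at the second hunk) is only partly visible; it presumably must also stay below the moved call.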
diff --git a/queue-4.4/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch b/queue-4.4/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch
new file mode 100644 (file)
index 0000000..dacf0cb
--- /dev/null
@@ -0,0 +1,90 @@
+From c0245f296d84970f990b9cc771480252629e6c4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Dec 2018 10:03:24 -0500
+Subject: Revert "wlcore: Add missing PM call for
+ wlcore_cmd_wait_for_event_or_timeout()"
+
+This reverts commit 3fdd34643ffc378b5924941fad40352c04610294 which was
+upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1.
+
+From Dietmar May's report on the stable mailing list
+(https://www.spinics.net/lists/stable/msg272201.html):
+
+> I've run into some problems which appear due to (a) recent patch(es) on
+> the wlcore wifi driver.
+>
+> 4.4.160 - commit 3fdd34643ffc378b5924941fad40352c04610294
+> 4.9.131 - commit afeeecc764436f31d4447575bb9007732333818c
+>
+> Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not
+> exhibit this problem. It is still present in 4.9.141.
+>
+> master as of 4.20.0-rc4 does not exhibit this problem.
+>
+> Basically, during client association when in AP mode (running hostapd),
+> handshake may or may not complete following a noticeable delay. If
+> successful, then the driver fails consistently in warn_slowpath_null
+> during disassociation. If unsuccessful, the wifi client attempts multiple
+> times, sometimes failing repeatedly. I've had clients unable to connect
+> for 3-5 minutes during testing, with the syslog filled with dozens of
+> backtraces. syslog details are below.
+>
+> I'm working on an embedded device with a TI 3352 ARM processor and a
+> murata wl1271 module in sdio mode. We're running a fully patched ubuntu
+> 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=afeeecc764436f31d4447575bb9007732333818c>.
+> Relevant parts of the kernel config are included below.
+>
+> The commit message states:
+>
+> > /I've only seen this few times with the runtime PM patches enabled so
+> > this one is probably not needed before that. This seems to work
+> > currently based on the current PM implementation timer. Let's apply
+> > this separately though in case others are hitting this issue./
+> We're not doing anything explicit with power management. The device is an
+> IoT edge gateway with battery backup, normally running on wall power. The
+> battery is currently used solely to shut down the system cleanly to avoid
+> filesystem corruption.
+>
+> The device tree is configured to keep power in suspend; but the device
+> should never suspend, so in our case, there is no need to call
+> wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch.
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/cmd.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/cmd.c b/drivers/net/wireless/ti/wlcore/cmd.c
+index 15dc7a398b90..f01d24baff7c 100644
+--- a/drivers/net/wireless/ti/wlcore/cmd.c
++++ b/drivers/net/wireless/ti/wlcore/cmd.c
+@@ -35,7 +35,6 @@
+ #include "wl12xx_80211.h"
+ #include "cmd.h"
+ #include "event.h"
+-#include "ps.h"
+ #include "tx.h"
+ #include "hw_ops.h"
+@@ -192,10 +191,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl,
+       timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT);
+-      ret = wl1271_ps_elp_wakeup(wl);
+-      if (ret < 0)
+-              return ret;
+-
+       do {
+               if (time_after(jiffies, timeout_time)) {
+                       wl1271_debug(DEBUG_CMD, "timeout waiting for event %d",
+@@ -227,7 +222,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl,
+       } while (!event);
+ out:
+-      wl1271_ps_elp_sleep(wl);
+       kfree(events_vector);
+       return ret;
+ }
+-- 
+2.17.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644 (file)
index 0000000..480edbd
--- /dev/null
@@ -0,0 +1,2 @@
+media-em28xx-fix-use-after-free-when-disconnecting.patch
+revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch