From: Greg Kroah-Hartman
Date: Mon, 9 Aug 2021 08:54:11 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.280~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0624d8da6cef5982c51c839d6aa2d7f24b4d1a51;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
usb-otg-fsm-fix-hrtimer-list-corruption.patch
---
diff --git a/queue-4.9/series b/queue-4.9/series
index df2c6d41066..70074d89e08 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,4 @@ usb-usbtmc-fix-rcu-stall-warning.patch
 usb-serial-option-add-telit-fd980-composition-0x1056.patch
 usb-serial-ch341-fix-character-loss-at-high-transfer-rates.patch
 usb-serial-ftdi_sio-add-device-id-for-auto-m3-op-com-v2.patch
+usb-otg-fsm-fix-hrtimer-list-corruption.patch
diff --git a/queue-4.9/usb-otg-fsm-fix-hrtimer-list-corruption.patch b/queue-4.9/usb-otg-fsm-fix-hrtimer-list-corruption.patch
new file mode 100644
index 00000000000..808aabcea1a
--- /dev/null
+++ b/queue-4.9/usb-otg-fsm-fix-hrtimer-list-corruption.patch
@@ -0,0 +1,64 @@
+From bf88fef0b6f1488abeca594d377991171c00e52a Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko
+Date: Sat, 17 Jul 2021 21:21:27 +0300
+Subject: usb: otg-fsm: Fix hrtimer list corruption
+
+From: Dmitry Osipenko
+
+commit bf88fef0b6f1488abeca594d377991171c00e52a upstream.
+
+The HNP work can be re-scheduled while it's still in-fly. This results in
+re-initialization of the busy work, resetting the hrtimer's list node of
+the work and crashing kernel with null dereference within kernel/timer
+once work's timer is expired. It's very easy to trigger this problem by
+re-plugging USB cable quickly. Initialize HNP work only once to fix this
+trouble.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 00000126)
+ ...
+ PC is at __run_timers.part.0+0x150/0x228
+ LR is at __next_timer_interrupt+0x51/0x9c
+ ...
+ (__run_timers.part.0) from [] (run_timer_softirq+0x2f/0x50)
+ (run_timer_softirq) from [] (__do_softirq+0xd5/0x2f0)
+ (__do_softirq) from [] (irq_exit+0xab/0xb8)
+ (irq_exit) from [] (handle_domain_irq+0x45/0x60)
+ (handle_domain_irq) from [] (gic_handle_irq+0x6b/0x7c)
+ (gic_handle_irq) from [] (__irq_svc+0x65/0xac)
+
+Cc: stable@vger.kernel.org
+Acked-by: Peter Chen
+Signed-off-by: Dmitry Osipenko
+Link: https://lore.kernel.org/r/20210717182134.30262-6-digetx@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/common/usb-otg-fsm.c | 6 +++++-
+ include/linux/usb/otg-fsm.h | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/common/usb-otg-fsm.c
++++ b/drivers/usb/common/usb-otg-fsm.c
+@@ -199,7 +199,11 @@ static void otg_start_hnp_polling(struct
+ if (!fsm->host_req_flag)
+ return;
+
+- INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
++ if (!fsm->hnp_work_inited) {
++ INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
++ fsm->hnp_work_inited = true;
++ }
++
+ schedule_delayed_work(&fsm->hnp_polling_work,
+ msecs_to_jiffies(T_HOST_REQ_POLL));
+ }
+--- a/include/linux/usb/otg-fsm.h
++++ b/include/linux/usb/otg-fsm.h
+@@ -210,6 +210,7 @@ struct otg_fsm {
+ struct mutex lock;
+ u8 *host_req_flag;
+ struct delayed_work hnp_polling_work;
++ bool hnp_work_inited;
+ bool state_changed;
+ };
+
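Review bot: The new `hnp_work_inited` field added to `struct otg_fsm` in the second inner hunk is never explicitly initialised by this patch, so the one-time INIT_DELAYED_WORK guard in otg_start_hnp_polling() is only correct if every allocator of the embedding structure zeroes it; I cannot confirm that from the hunk, and it deserves to be stated at the declaration, e.g. `bool hnp_work_inited; /* hnp_polling_work initialised by otg_start_hnp_polling(); set once, never cleared; relies on zeroed allocation */`. The guard works because schedule_delayed_work() leaves an already-pending work item alone instead of re-arming it, which is what stops the timer-list corruption described in the message; a why-comment above the `if (!fsm->hnp_work_inited)` check, `/* never re-INIT a work item that may still be queued: that resets its timer list node */`, would tell the next reader why a flag is used rather than a cancel before re-init. The enclosing function otg_start_hnp_polling() starts before the inner hunk, so it is not visible whether this path runs under fsm->lock; if it can be entered concurrently on first use, the check-then-set on the flag is itself a small race worth confirming.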