From: Greg Kroah-Hartman Date: Mon, 26 Feb 2024 07:13:45 +0000 (+0100) Subject: drop xhci patch, again. X-Git-Tag: v4.19.308~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35f64d8e59982e5c91cb45d88c71bbcfc1a37086;p=thirdparty%2Fkernel%2Fstable-queue.git drop xhci patch, again. --- diff --git a/queue-5.15/series b/queue-5.15/series index 890b4cb2a17..1494b1d25ba 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -15,7 +15,6 @@ zonefs-improve-error-handling.patch x86-fpu-stop-relying-on-userspace-for-info-to-fault-in-xsave-buffer.patch sched-rt-fix-sysctl_sched_rr_timeslice-intial-value.patch sched-rt-disallow-writing-invalid-values-to-sched_rt_period_us.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch scsi-target-core-add-tmf-to-tmr_list-handling.patch dmaengine-shdma-increase-size-of-dev_id.patch dmaengine-fsl-qdma-increase-size-of-irq_name.patch diff --git a/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 0c88a106a24..00000000000 --- a/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From ed623a29a39d156867e55ce7070b77edc411766f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 5c9d3be136d2c..6c8c9cbcd05da 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1644,24 +1644,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1700,12 +1683,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 0bc331fc6b3..bd1abc7012e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -5,7 +5,6 @@ sched-rt-disallow-writing-invalid-values-to-sched_rt_period_us.patch sched-rt-sysctl_sched_rr_timeslice-show-default-timeslice-after-reset.patch pci-dwc-fix-a-64bit-bug-in-dw_pcie_ep_raise_msix_irq.patch riscv-efistub-ensure-gp-relative-addressing-is-not-used.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch scsi-target-core-add-tmf-to-tmr_list-handling.patch cifs-open_cached_dir-should-not-rely-on-primary-chan.patch diff --git a/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 2ddeebab45f..00000000000 --- a/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From e887066276129cc5b0b8350d2283dfac07c0a76f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index c02ad4f76bb3c..127fbad32a75f 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1654,24 +1654,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1710,12 +1693,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.6/series b/queue-6.6/series index bee9b4371cd..e398022c667 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -1,7 +1,6 @@ sched-rt-disallow-writing-invalid-values-to-sched_rt_period_us.patch pci-dwc-fix-a-64bit-bug-in-dw_pcie_ep_raise_msix_irq.patch riscv-efistub-ensure-gp-relative-addressing-is-not-used.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch scsi-smartpqi-add-new-controller-pci-ids.patch scsi-smartpqi-fix-logical-volume-rescan-race-conditi.patch diff --git a/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index cb855bb5b3b..00000000000 --- a/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 7cf220348e0433cc6254ec3b8f891f3fc2a941b5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 132b76fa7ca60..e39c5ba9b7c76 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1498,24 +1498,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1554,12 +1537,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.7/series b/queue-6.7/series index 424ce296c74..a2206837f71 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -1,5 +1,4 @@ drm-amd-stop-evicting-resources-on-apus-in-suspend.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch dmaengine-apple-admac-keep-upper-bits-of-reg_bus_wid.patch scsi-smartpqi-add-new-controller-pci-ids.patch scsi-smartpqi-fix-logical-volume-rescan-race-conditi.patch diff --git a/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 6afd04768be..00000000000 --- a/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From fb9100c2c6b7b172650ba25283cc4cf9af1d082c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 884b0898d9c95..ddb686301af5d 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1522,24 +1522,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1578,12 +1561,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 -