From: Sasha Levin Date: Sun, 2 Dec 2018 15:57:04 +0000 (-0500) Subject: patches for 4.9 X-Git-Tag: v4.19.7~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bb3ac5b17ee0e242acfee073ad3e35418f27deb;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/media-em28xx-fix-use-after-free-when-disconnecting.patch b/queue-4.9/media-em28xx-fix-use-after-free-when-disconnecting.patch new file mode 100644 index 00000000000..377af330061 --- /dev/null +++ b/queue-4.9/media-em28xx-fix-use-after-free-when-disconnecting.patch @@ -0,0 +1,91 @@ +From 3d19717ec9d1822676d36e4c3f037dfed0a9c37c Mon Sep 17 00:00:00 2001 +From: Matthias Schwarzott +Date: Mon, 30 Oct 2017 06:07:29 -0400 +Subject: media: em28xx: Fix use-after-free when disconnecting + +[ Upstream commit 910b0797fa9e8af09c44a3fa36cb310ba7a7218d ] + +Fix bug by moving the i2c_unregister_device calls after deregistration +of dvb frontend. + +The new style i2c drivers already destroys the frontend object at +i2c_unregister_device time. +When the dvb frontend is unregistered afterwards it leads to this oops: + + [ 6058.866459] BUG: unable to handle kernel NULL pointer dereference at 00000000000001f8 + [ 6058.866578] IP: dvb_frontend_stop+0x30/0xd0 [dvb_core] + [ 6058.866644] PGD 0 + [ 6058.866646] P4D 0 + + [ 6058.866726] Oops: 0000 [#1] SMP + [ 6058.866768] Modules linked in: rc_pinnacle_pctv_hd(O) em28xx_rc(O) si2157(O) si2168(O) em28xx_dvb(O) em28xx(O) si2165(O) a8293(O) tda10071(O) tea5767(O) tuner(O) cx23885(O) tda18271(O) videobuf2_dvb(O) videobuf2_dma_sg(O) m88ds3103(O) tveeprom(O) cx2341x(O) v4l2_common(O) dvb_core(O) rc_core(O) videobuf2_memops(O) videobuf2_v4l2(O) videobuf2_core(O) videodev(O) media(O) bluetooth ecdh_generic ums_realtek uas rtl8192cu rtl_usb rtl8192c_common rtlwifi usb_storage snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic i2c_mux snd_hda_intel snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core kvm_intel kvm irqbypass [last unloaded: videobuf2_memops] + [ 6058.867497] CPU: 2 PID: 7349 Comm: kworker/2:0 Tainted: G W O 4.13.9-gentoo #1 + [ 6058.867595] Hardware name: MEDION E2050 2391/H81H3-EM2, BIOS H81EM2W08.308 08/25/2014 + [ 6058.867692] Workqueue: usb_hub_wq hub_event + [ 6058.867746] task: ffff88011a15e040 task.stack: ffffc90003074000 + [ 6058.867825] RIP: 0010:dvb_frontend_stop+0x30/0xd0 [dvb_core] + [ 6058.867896] RSP: 0018:ffffc90003077b58 EFLAGS: 00010293 + [ 6058.867964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000010040001f + [ 6058.868056] RDX: ffff88011a15e040 RSI: ffffea000464e400 RDI: ffff88001cbe3028 + [ 6058.868150] RBP: ffffc90003077b68 R08: ffff880119390380 R09: 000000010040001f + [ 6058.868241] R10: ffffc90003077b18 R11: 000000000001e200 R12: ffff88001cbe3028 + [ 6058.868330] R13: ffff88001cbe68d0 R14: ffff8800cf734000 R15: ffff8800cf734098 + [ 6058.868419] FS: 0000000000000000(0000) GS:ffff88011fb00000(0000) knlGS:0000000000000000 + [ 6058.868511] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 6058.868578] CR2: 00000000000001f8 CR3: 00000001113c5000 CR4: 00000000001406e0 + [ 6058.868662] Call Trace: + [ 6058.868705] dvb_unregister_frontend+0x2a/0x80 [dvb_core] + [ 6058.868774] em28xx_dvb_fini+0x132/0x220 [em28xx_dvb] + [ 6058.868840] em28xx_close_extension+0x34/0x90 [em28xx] + [ 6058.868902] em28xx_usb_disconnect+0x4e/0x70 [em28xx] + [ 6058.868968] usb_unbind_interface+0x6d/0x260 + [ 6058.869025] device_release_driver_internal+0x150/0x210 + [ 6058.869094] device_release_driver+0xd/0x10 + [ 6058.869150] bus_remove_device+0xe4/0x160 + [ 6058.869204] device_del+0x1ce/0x2f0 + [ 6058.869253] usb_disable_device+0x99/0x270 + [ 6058.869306] usb_disconnect+0x8d/0x260 + [ 6058.869359] hub_event+0x93d/0x1520 + [ 6058.869408] ? dequeue_task_fair+0xae5/0xd20 + [ 6058.869467] process_one_work+0x1d9/0x3e0 + [ 6058.869522] worker_thread+0x43/0x3e0 + [ 6058.869576] kthread+0x104/0x140 + [ 6058.869602] ? trace_event_raw_event_workqueue_work+0x80/0x80 + [ 6058.869640] ? kthread_create_on_node+0x40/0x40 + [ 6058.869673] ret_from_fork+0x22/0x30 + [ 6058.869698] Code: 54 49 89 fc 53 48 8b 9f 18 03 00 00 0f 1f 44 00 00 41 83 bc 24 04 05 00 00 02 74 0c 41 c7 84 24 04 05 00 00 01 00 00 00 0f ae f0 <48> 8b bb f8 01 00 00 48 85 ff 74 5c e8 df 40 f0 e0 48 8b 93 f8 + [ 6058.869850] RIP: dvb_frontend_stop+0x30/0xd0 [dvb_core] RSP: ffffc90003077b58 + [ 6058.869894] CR2: 00000000000001f8 + [ 6058.875880] ---[ end trace 717eecf7193b3fc6 ]--- + +Signed-off-by: Matthias Schwarzott +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-dvb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c +index 8cedef0daae4..b0aea48907b7 100644 +--- a/drivers/media/usb/em28xx/em28xx-dvb.c ++++ b/drivers/media/usb/em28xx/em28xx-dvb.c +@@ -2016,6 +2016,8 @@ static int em28xx_dvb_fini(struct em28xx *dev) + } + } + ++ em28xx_unregister_dvb(dvb); ++ + /* remove I2C SEC */ + client = dvb->i2c_client_sec; + if (client) { +@@ -2037,7 +2039,6 @@ static int em28xx_dvb_fini(struct em28xx *dev) + i2c_unregister_device(client); + } + +- em28xx_unregister_dvb(dvb); + kfree(dvb); + dev->dvb = NULL; + kref_put(&dev->ref, em28xx_free_device); +-- +2.17.1 + diff --git a/queue-4.9/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch b/queue-4.9/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch new file mode 100644 index 00000000000..2e169c88bab --- /dev/null +++ b/queue-4.9/revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch @@ -0,0 +1,90 @@ +From df103a476dbf3e4b9c5411bcd1ac8346e014b114 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Dec 2018 10:03:24 -0500 +Subject: Revert "wlcore: Add missing PM call for + wlcore_cmd_wait_for_event_or_timeout()" + +This reverts commit afeeecc764436f31d4447575bb9007732333818c which was +upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1. + +From Dietmar May's report on the stable mailing list +(https://www.spinics.net/lists/stable/msg272201.html): + +> I've run into some problems which appear due to (a) recent patch(es) on +> the wlcore wifi driver. +> +> 4.4.160 - commit 3fdd34643ffc378b5924941fad40352c04610294 +> 4.9.131 - commit afeeecc764436f31d4447575bb9007732333818c +> +> Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not +> exhibit this problem. It is still present in 4.9.141. +> +> master as of 4.20.0-rc4 does not exhibit this problem. +> +> Basically, during client association when in AP mode (running hostapd), +> handshake may or may not complete following a noticeable delay. If +> successful, then the driver fails consistently in warn_slowpath_null +> during disassociation. If unsuccessful, the wifi client attempts multiple +> times, sometimes failing repeatedly. I've had clients unable to connect +> for 3-5 minutes during testing, with the syslog filled with dozens of +> backtraces. syslog details are below. +> +> I'm working on an embedded device with a TI 3352 ARM processor and a +> murata wl1271 module in sdio mode. We're running a fully patched ubuntu +> 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo . +> Relevant parts of the kernel config are included below. +> +> The commit message states: +> +> > /I've only seen this few times with the runtime PM patches enabled so +> > this one is probably not needed before that. This seems to work +> > currently based on the current PM implementation timer. Let's apply +> > this separately though in case others are hitting this issue./ +> We're not doing anything explicit with power management. The device is an +> IoT edge gateway with battery backup, normally running on wall power. The +> battery is currently used solely to shut down the system cleanly to avoid +> filesystem corruption. +> +> The device tree is configured to keep power in suspend; but the device +> should never suspend, so in our case, there is no need to call +> wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch. + +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/cmd.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/net/wireless/ti/wlcore/cmd.c b/drivers/net/wireless/ti/wlcore/cmd.c +index 96f83f09b8c5..7f4da727bb7b 100644 +--- a/drivers/net/wireless/ti/wlcore/cmd.c ++++ b/drivers/net/wireless/ti/wlcore/cmd.c +@@ -35,7 +35,6 @@ + #include "wl12xx_80211.h" + #include "cmd.h" + #include "event.h" +-#include "ps.h" + #include "tx.h" + #include "hw_ops.h" + +@@ -192,10 +191,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl, + + timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT); + +- ret = wl1271_ps_elp_wakeup(wl); +- if (ret < 0) +- return ret; +- + do { + if (time_after(jiffies, timeout_time)) { + wl1271_debug(DEBUG_CMD, "timeout waiting for event %d", +@@ -227,7 +222,6 @@ int wlcore_cmd_wait_for_event_or_timeout(struct wl1271 *wl, + } while (!event); + + out: +- wl1271_ps_elp_sleep(wl); + kfree(events_vector); + return ret; + } +-- +2.17.1 + diff --git a/queue-4.9/series b/queue-4.9/series index d25bcd1edc8..063d53ee540 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -10,3 +10,5 @@ mm-khugepaged-collapse_shmem-remember-to-clear-holes.patch mm-khugepaged-minor-reorderings-in-collapse_shmem.patch mm-khugepaged-collapse_shmem-without-freezing-new_pa.patch mm-khugepaged-collapse_shmem-do-not-crash-on-compoun.patch +media-em28xx-fix-use-after-free-when-disconnecting.patch +revert-wlcore-add-missing-pm-call-for-wlcore_cmd_wai.patch