From: Greg Kroah-Hartman Date: Thu, 2 May 2019 12:12:19 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.173~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9fbce27142403f565e2f1dd779fec83449d5b270;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch --- diff --git a/queue-4.4/series b/queue-4.4/series index 763c76d98b5..028e3c867a1 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -84,3 +84,5 @@ powerpc-fsl-sanitize-the-syscall-table-for-nxp-powerpc-32-bit-platforms.patch powerpc-fsl-fixed-warning-orphan-section-__btb_flush_fixup.patch powerpc-fsl-add-fsl_ppc_book3e-as-supported-arch-for-nospectre_v2-boot-arg.patch documentation-add-nospectre_v1-parameter.patch +usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch +usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch diff --git a/queue-4.4/usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch b/queue-4.4/usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch new file mode 100644 index 00000000000..01a28013ab5 --- /dev/null +++ b/queue-4.4/usbnet-ipheth-fix-potential-null-pointer-dereference-in-ipheth_carrier_set.patch @@ -0,0 +1,45 @@ +From 61c59355e0154a938b28710dfa6c1d8be2ddcefa Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 17 Nov 2017 14:02:09 -0600 +Subject: usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set + +From: Gustavo A. R. Silva + +commit 61c59355e0154a938b28710dfa6c1d8be2ddcefa upstream. + +_dev_ is being dereferenced before it is null checked, hence there +is a potential null pointer dereference. + +Fix this by moving the pointer dereference after _dev_ has been null +checked. + +Addresses-Coverity-ID: 1462020 +Fixes: bb1b40c7cb86 ("usbnet: ipheth: prevent TX queue timeouts when device not ready") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/ipheth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -290,12 +290,15 @@ static void ipheth_sndbulk_callback(stru + + static int ipheth_carrier_set(struct ipheth_device *dev) + { +- struct usb_device *udev = dev->udev; ++ struct usb_device *udev; + int retval; ++ + if (!dev) + return 0; + if (!dev->confirmed_pairing) + return 0; ++ ++ udev = dev->udev; + retval = usb_control_msg(udev, + usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP), + IPHETH_CMD_CARRIER_CHECK, /* request */ diff --git a/queue-4.4/usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch b/queue-4.4/usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch new file mode 100644 index 00000000000..e3a81841f9a --- /dev/null +++ b/queue-4.4/usbnet-ipheth-prevent-tx-queue-timeouts-when-device-not-ready.patch @@ -0,0 +1,187 @@ +From bb1b40c7cb863f0800a6410c7dcb86cf3f28d3b1 Mon Sep 17 00:00:00 2001 +From: Alexander Kappner +Date: Mon, 13 Nov 2017 17:44:20 -0800 +Subject: usbnet: ipheth: prevent TX queue timeouts when device not ready + +From: Alexander Kappner + +commit bb1b40c7cb863f0800a6410c7dcb86cf3f28d3b1 upstream. + +iOS devices require the host to be "trusted" before servicing network +packets. Establishing trust requires the user to confirm a dialog on the +iOS device.Until trust is established, the iOS device will silently discard +network packets from the host. Currently, the ipheth driver does not detect +whether an iOS device has established trust with the host, and immediately +sets up the transmit queues. + +This causes the following problems: + +- Kernel taint due to WARN() in netdev watchdog. +- Dmesg spam ("TX timeout"). +- Disruption of user space networking activity (dhcpd, etc...) when new +interface comes up but cannot be used. +- Unnecessary host and device wakeups and USB traffic + +Example dmesg output: + +[ 1101.319778] NETDEV WATCHDOG: eth1 (ipheth): transmit queue 0 timed out +[ 1101.319817] ------------[ cut here ]------------ +[ 1101.319828] WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:316 dev_watchdog+0x20f/0x220 +[ 1101.319831] Modules linked in: ipheth usbmon nvidia_drm(PO) nvidia_modeset(PO) nvidia(PO) iwlmvm mac80211 iwlwifi btusb btrtl btbcm btintel qmi_wwan bluetooth cfg80211 ecdh_generic thinkpad_acpi rfkill [last unloaded: ipheth] +[ 1101.319861] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P O 4.13.12.1 #1 +[ 1101.319864] Hardware name: LENOVO 20ENCTO1WW/20ENCTO1WW, BIOS N1EET62W (1.35 ) 11/10/2016 +[ 1101.319867] task: ffffffff81e11500 task.stack: ffffffff81e00000 +[ 1101.319873] RIP: 0010:dev_watchdog+0x20f/0x220 +[ 1101.319876] RSP: 0018:ffff8810a3c03e98 EFLAGS: 00010292 +[ 1101.319880] RAX: 000000000000003a RBX: 0000000000000000 RCX: 0000000000000000 +[ 1101.319883] RDX: ffff8810a3c15c48 RSI: ffffffff81ccbfc2 RDI: 00000000ffffffff +[ 1101.319886] RBP: ffff880c04ebc41c R08: 0000000000000000 R09: 0000000000000379 +[ 1101.319889] R10: 00000100696589d0 R11: 0000000000000378 R12: ffff880c04ebc000 +[ 1101.319892] R13: 0000000000000000 R14: 0000000000000001 R15: ffff880c2865fc80 +[ 1101.319896] FS: 0000000000000000(0000) GS:ffff8810a3c00000(0000) knlGS:0000000000000000 +[ 1101.319899] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1101.319902] CR2: 00007f3ff24ac000 CR3: 0000000001e0a000 CR4: 00000000003406f0 +[ 1101.319905] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1101.319908] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 1101.319910] Call Trace: +[ 1101.319914] +[ 1101.319921] ? dev_graft_qdisc+0x70/0x70 +[ 1101.319928] ? dev_graft_qdisc+0x70/0x70 +[ 1101.319934] ? call_timer_fn+0x2e/0x170 +[ 1101.319939] ? dev_graft_qdisc+0x70/0x70 +[ 1101.319944] ? run_timer_softirq+0x1ea/0x440 +[ 1101.319951] ? timerqueue_add+0x54/0x80 +[ 1101.319956] ? enqueue_hrtimer+0x38/0xa0 +[ 1101.319963] ? __do_softirq+0xed/0x2e7 +[ 1101.319970] ? irq_exit+0xb4/0xc0 +[ 1101.319976] ? smp_apic_timer_interrupt+0x39/0x50 +[ 1101.319981] ? apic_timer_interrupt+0x8c/0xa0 +[ 1101.319983] +[ 1101.319992] ? cpuidle_enter_state+0xfa/0x2a0 +[ 1101.319999] ? do_idle+0x1a3/0x1f0 +[ 1101.320004] ? cpu_startup_entry+0x5f/0x70 +[ 1101.320011] ? start_kernel+0x444/0x44c +[ 1101.320017] ? early_idt_handler_array+0x120/0x120 +[ 1101.320023] ? x86_64_start_kernel+0x145/0x154 +[ 1101.320028] ? secondary_startup_64+0x9f/0x9f +[ 1101.320033] Code: 20 04 00 00 eb 9f 4c 89 e7 c6 05 59 44 71 00 01 e8 a7 df fd ff 89 d9 4c 89 e6 48 c7 c7 70 b7 cd 81 48 89 c2 31 c0 e8 97 64 90 ff <0f> ff eb bf 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 +[ 1101.320103] ---[ end trace 0cc4d251e2b57080 ]--- +[ 1101.320110] ipheth 1-5:4.2: ipheth_tx_timeout: TX timeout + +The last message "TX timeout" is repeated every 5 seconds until trust is +established or the device is disconnected, filling up dmesg. + +The proposed patch eliminates the problem by, upon connection, keeping the +TX queue and carrier disabled until a packet is first received from the iOS +device. This is reflected by the confirmed_pairing variable in the device +structure. Only after at least one packet has been received from the iOS +device, the transmit queue and carrier are brought up during the periodic +device poll in ipheth_carrier_set. Because the iOS device will always send +a packet immediately upon trust being established, this should not delay +the interface becoming useable. To prevent failed UBRs in +ipheth_rcvbulk_callback from perpetually re-enabling the queue if it was +disabled, a new check is added so only successful transfers re-enable the +queue, whereas failed transfers only trigger an immediate poll. + +This has the added benefit of removing the periodic control requests to the +iOS device until trust has been established and thus should reduce wakeup +events on both the host and the iOS device. + +Signed-off-by: Alexander Kappner +Signed-off-by: David S. Miller +[groeck: Fixed context conflict seen because 45611c61dd50 was applied first] +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ipheth.c | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/drivers/net/usb/ipheth.c ++++ b/drivers/net/usb/ipheth.c +@@ -148,6 +148,7 @@ struct ipheth_device { + u8 bulk_in; + u8 bulk_out; + struct delayed_work carrier_work; ++ bool confirmed_pairing; + }; + + static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags); +@@ -259,7 +260,7 @@ static void ipheth_rcvbulk_callback(stru + + dev->net->stats.rx_packets++; + dev->net->stats.rx_bytes += len; +- ++ dev->confirmed_pairing = true; + netif_rx(skb); + ipheth_rx_submit(dev, GFP_ATOMIC); + } +@@ -280,14 +281,21 @@ static void ipheth_sndbulk_callback(stru + dev_err(&dev->intf->dev, "%s: urb status: %d\n", + __func__, status); + +- netif_wake_queue(dev->net); ++ if (status == 0) ++ netif_wake_queue(dev->net); ++ else ++ // on URB error, trigger immediate poll ++ schedule_delayed_work(&dev->carrier_work, 0); + } + + static int ipheth_carrier_set(struct ipheth_device *dev) + { + struct usb_device *udev = dev->udev; + int retval; +- ++ if (!dev) ++ return 0; ++ if (!dev->confirmed_pairing) ++ return 0; + retval = usb_control_msg(udev, + usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP), + IPHETH_CMD_CARRIER_CHECK, /* request */ +@@ -302,11 +310,14 @@ static int ipheth_carrier_set(struct iph + return retval; + } + +- if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) ++ if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) { + netif_carrier_on(dev->net); +- else ++ if (dev->tx_urb->status != -EINPROGRESS) ++ netif_wake_queue(dev->net); ++ } else { + netif_carrier_off(dev->net); +- ++ netif_stop_queue(dev->net); ++ } + return 0; + } + +@@ -386,7 +397,6 @@ static int ipheth_open(struct net_device + return retval; + + schedule_delayed_work(&dev->carrier_work, IPHETH_CARRIER_CHECK_TIMEOUT); +- netif_start_queue(net); + return retval; + } + +@@ -489,7 +499,7 @@ static int ipheth_probe(struct usb_inter + dev->udev = udev; + dev->net = netdev; + dev->intf = intf; +- ++ dev->confirmed_pairing = false; + /* Set up endpoints */ + hintf = usb_altnum_to_altsetting(intf, IPHETH_ALT_INTFNUM); + if (hintf == NULL) { +@@ -540,7 +550,9 @@ static int ipheth_probe(struct usb_inter + retval = -EIO; + goto err_register_netdev; + } +- ++ // carrier down and transmit queues stopped until packet from device ++ netif_carrier_off(netdev); ++ netif_tx_stop_all_queues(netdev); + dev_info(&intf->dev, "Apple iPhone USB Ethernet device attached\n"); + return 0; +