From 52c272c0475f37d49b797e8dd2787dc01eda0b42 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 22 Apr 2025 16:12:40 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
perf-fix-perf_pending_task-uaf.patch
s390-dasd-fix-double-module-refcount-decrement.patch
---
...ock-in-rtw_surveydone_event_callback.patch | 67 ++++++++++++
.../perf-fix-perf_pending_task-uaf.patch | 100 ++++++++++++++++++
...fix-double-module-refcount-decrement.patch | 56 ++++++++++
queue-5.10/series | 3 +
4 files changed, 226 insertions(+)
create mode 100644 queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
create mode 100644 queue-5.10/perf-fix-perf_pending_task-uaf.patch
create mode 100644 queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch
diff --git a/queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch b/queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
new file mode 100644
index 0000000000..9d51d5a390
--- /dev/null
+++ b/queue-5.10/drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
@@ -0,0 +1,67 @@
+From cc7ad0d77b51c872d629bcd98aea463a3c4109e7 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Sat, 9 Apr 2022 14:18:35 +0800
+Subject: drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
+
+From: Duoming Zhou
+
+commit cc7ad0d77b51c872d629bcd98aea463a3c4109e7 upstream.
+
+There is a deadlock in rtw_surveydone_event_callback(),
+which is shown below:
+
+ (Thread 1) | (Thread 2)
+ | _set_timer()
+rtw_surveydone_event_callback()| mod_timer()
+ spin_lock_bh() //(1) | (wait a time)
+ ... | rtw_scan_timeout_handler()
+ del_timer_sync() | spin_lock_bh() //(2)
+ (wait timer to stop) | ...
+
+We hold pmlmepriv->lock in position (1) of thread 1 and use
+del_timer_sync() to wait timer to stop, but timer handler
+also need pmlmepriv->lock in position (2) of thread 2.
+As a result, rtw_surveydone_event_callback() will block forever.
+
+This patch extracts del_timer_sync() from the protection of
+spin_lock_bh(), which could let timer handler to obtain
+the needed lock. What`s more, we change spin_lock_bh() in
+rtw_scan_timeout_handler() to spin_lock_irq(). Otherwise,
+spin_lock_bh() will also cause deadlock() in timer handler.
+
+Signed-off-by: Duoming Zhou
+Link: https://lore.kernel.org/r/20220409061836.60529-1-duoming@zju.edu.cn
+[Minor context change fixed]
+Signed-off-by: Feng Liu
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -826,7 +826,9 @@ void rtw_surveydone_event_callback(struc
+ RT_TRACE(_module_rtl871x_mlme_c_, _drv_info_, ("rtw_surveydone_event_callback: fw_state:%x\n\n", get_fwstate(pmlmepriv)));
+
+ if (check_fwstate(pmlmepriv, _FW_UNDER_SURVEY)) {
++ spin_unlock_bh(&pmlmepriv->lock);
+ del_timer_sync(&pmlmepriv->scan_to_timer);
++ spin_lock_bh(&pmlmepriv->lock);
+ _clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
+ } else {
+
+@@ -1753,11 +1755,11 @@ void rtw_scan_timeout_handler(struct tim
+
+ DBG_871X(FUNC_ADPT_FMT" fw_state =%x\n", FUNC_ADPT_ARG(adapter), get_fwstate(pmlmepriv));
+
+- spin_lock_bh(&pmlmepriv->lock);
++ spin_lock_irq(&pmlmepriv->lock);
+
+ _clr_fwstate_(pmlmepriv, _FW_UNDER_SURVEY);
+
+- spin_unlock_bh(&pmlmepriv->lock);
++ spin_unlock_irq(&pmlmepriv->lock);
+
+ rtw_indicate_scan_done(adapter, true);
+ }
diff --git a/queue-5.10/perf-fix-perf_pending_task-uaf.patch b/queue-5.10/perf-fix-perf_pending_task-uaf.patch
new file mode 100644
index 0000000000..e9417b1ee5
--- /dev/null
+++ b/queue-5.10/perf-fix-perf_pending_task-uaf.patch
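Review bot: The window opened by `spin_unlock_bh(&pmlmepriv->lock)` around `del_timer_sync()` in rtw_surveydone_event_callback() is undocumented: `check_fwstate(pmlmepriv, _FW_UNDER_SURVEY)` was evaluated under the lock, yet after relocking the code proceeds straight to `_clr_fwstate_()` without re-checking, even though rtw_scan_timeout_handler() in the second hunk takes the same lock and clears the same bit and may have run in between. Add a comment above the unlock, `/* drop the lock for del_timer_sync(): the timer handler takes pmlmepriv->lock and may clear _FW_UNDER_SURVEY itself; fw_state is not re-validated after relocking */`, so the next reader does not move the call back under the lock. The switch to `spin_lock_irq()`/`spin_unlock_irq()` in rtw_scan_timeout_handler() relies on interrupts being enabled when the handler runs, since `spin_unlock_irq()` re-enables them unconditionally; `spin_lock_irqsave()`/`spin_unlock_irqrestore()` would not depend on that, and the description's claim that `spin_lock_bh()` itself deadlocks in a timer handler is not something the hunk demonstrates. Both functions start and end outside the hunk.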
@@ -0,0 +1,100 @@
+From 517e6a301f34613bff24a8e35b5455884f2d83d8 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 24 Nov 2022 12:49:12 +0100
+Subject: perf: Fix perf_pending_task() UaF
+
+From: Peter Zijlstra
+
+commit 517e6a301f34613bff24a8e35b5455884f2d83d8 upstream.
+
+Per syzbot it is possible for perf_pending_task() to run after the
+event is free()'d. There are two related but distinct cases:
+
+ - the task_work was already queued before destroying the event;
+ - destroying the event itself queues the task_work.
+
+The first cannot be solved using task_work_cancel() since
+perf_release() itself might be called from a task_work (____fput),
+which means the current->task_works list is already empty and
+task_work_cancel() won't be able to find the perf_pending_task()
+entry.
+
+The simplest alternative is extending the perf_event lifetime to cover
+the task_work.
+
+The second is just silly, queueing a task_work while you know the
+event is going away makes no sense and is easily avoided by
+re-arranging how the event is marked STATE_DEAD and ensuring it goes
+through STATE_OFF on the way down.
+
+Reported-by: syzbot+9228d6098455bb209ec8@syzkaller.appspotmail.com
+Signed-off-by: Peter Zijlstra (Intel)
+Tested-by: Marco Elver
+[ Discard the changes in event_sched_out() due to 5.10 don't have the
+ commit: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
+ and commit: ca6c21327c6a ("perf: Fix missing SIGTRAPs") ]
+Signed-off-by: Xiangyu Chen
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2419,6 +2419,7 @@ group_sched_out(struct perf_event *group
+ }
+
+ #define DETACH_GROUP 0x01UL
++#define DETACH_DEAD 0x04UL
+
+ /*
+ * Cross CPU call to remove a performance event
+@@ -2439,10 +2440,18 @@ __perf_remove_from_context(struct perf_e
+ update_cgrp_time_from_cpuctx(cpuctx, false);
+ }
+
++ /*
++ * Ensure event_sched_out() switches to OFF, at the very least
++ * this avoids raising perf_pending_task() at this time.
++ */
++ if (flags & DETACH_DEAD)
++ event->pending_disable = 1;
+ event_sched_out(event, cpuctx, ctx);
+ if (flags & DETACH_GROUP)
+ perf_group_detach(event);
+ list_del_event(event, ctx);
++ if (flags & DETACH_DEAD)
++ event->state = PERF_EVENT_STATE_DEAD;
+
+ if (!ctx->nr_events && ctx->is_active) {
+ if (ctx == &cpuctx->ctx)
+@@ -5111,9 +5120,7 @@ int perf_event_release_kernel(struct per
+
+ ctx = perf_event_ctx_lock(event);
+ WARN_ON_ONCE(ctx->parent_ctx);
+- perf_remove_from_context(event, DETACH_GROUP);
+
+- raw_spin_lock_irq(&ctx->lock);
+ /*
+ * Mark this event as STATE_DEAD, there is no external reference to it
+ * anymore.
+@@ -5125,8 +5132,7 @@ int perf_event_release_kernel(struct per
+ * Thus this guarantees that we will in fact observe and kill _ALL_
+ * child events.
+ */
+- event->state = PERF_EVENT_STATE_DEAD;
+- raw_spin_unlock_irq(&ctx->lock);
++ perf_remove_from_context(event, DETACH_GROUP|DETACH_DEAD);
+
+ perf_event_ctx_unlock(event, ctx);
+
+@@ -6533,6 +6539,8 @@ static void perf_pending_event(struct ir
+
+ if (rctx >= 0)
+ perf_swevent_put_recursion_context(rctx);
++
++ put_event(event);
+ }
+
+ /*
diff --git a/queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch b/queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch
new file mode 100644
index 0000000000..84e745ff50
--- /dev/null
+++ b/queue-5.10/s390-dasd-fix-double-module-refcount-decrement.patch
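Review bot: The `put_event(event)` added at the end of perf_pending_event() has no matching reference acquisition anywhere in this patch: the diffstat (12 insertions, 4 deletions) is fully accounted for by the visible hunks, and the backport note says the event_sched_out() change was discarded — which, as far as I recall the upstream commit, is exactly where the balancing `atomic_long_inc_not_zero(&event->refcount)` was taken when the pending work is queued. As backported, every run of perf_pending_event() (an irq_work callback, judging by its `struct ir…` parameter) drops a reference the queueing path never took, so the event can be freed while still live — a refcount underflow rather than the use-after-free fix the description promises. Either drop the `put_event(event)` hunk or pair it with a refcount increment at the point where the pending work is queued (outside this hunk); the patch should not be queued in its current form. perf_pending_event() starts before the hunk.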
@@ -0,0 +1,56 @@
+From c3116e62ddeff79cae342147753ce596f01fcf06 Mon Sep 17 00:00:00 2001
+From: Miroslav Franc
+Date: Fri, 9 Feb 2024 13:45:22 +0100
+Subject: s390/dasd: fix double module refcount decrement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miroslav Franc
+
+commit c3116e62ddeff79cae342147753ce596f01fcf06 upstream.
+
+Once the discipline is associated with the device, deleting the device
+takes care of decrementing the module's refcount. Doing it manually on
+this error path causes refcount to artificially decrease on each error
+while it should just stay the same.
+
+Fixes: c020d722b110 ("s390/dasd: fix panic during offline processing")
+Signed-off-by: Miroslav Franc
+Signed-off-by: Jan Höppner
+Signed-off-by: Stefan Haberland
+Link: https://lore.kernel.org/r/20240209124522.3697827-3-sth@linux.ibm.com
+Signed-off-by: Jens Axboe
+[Minor context change fixed]
+Signed-off-by: Feng Liu
+Signed-off-by: He Zhe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/block/dasd.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/s390/block/dasd.c
++++ b/drivers/s390/block/dasd.c
+@@ -3637,12 +3637,11 @@ int dasd_generic_set_online(struct ccw_d
+ dasd_delete_device(device);
+ return -EINVAL;
+ }
++ device->base_discipline = base_discipline;
+ if (!try_module_get(discipline->owner)) {
+- module_put(base_discipline->owner);
+ dasd_delete_device(device);
+ return -EINVAL;
+ }
+- device->base_discipline = base_discipline;
+ device->discipline = discipline;
+
+ /* check_device will allocate block device if necessary */
+@@ -3650,8 +3649,6 @@ int dasd_generic_set_online(struct ccw_d
+ if (rc) {
+ pr_warn("%s Setting the DASD online with discipline %s failed with rc=%i\n",
+ dev_name(&cdev->dev), discipline->name, rc);
+- module_put(discipline->owner);
+- module_put(base_discipline->owner);
+ dasd_delete_device(device);
+ return rc;
+ }
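Review bot: Correctness of the rewritten error paths now rests on dasd_delete_device() dropping the module references for `device->base_discipline` and `device->discipline`, and on it tolerating `device->discipline` still being NULL on the `try_module_get(discipline->owner)` failure path, where only `base_discipline` has been assigned; neither property is visible in this hunk, so it should be stated at the moved assignment, e.g. `/* from here on dasd_delete_device() drops the base_discipline/discipline module refs; do not module_put() by hand */`. The description explains the double put but the code does not, and whoever adds the next error path after `device->discipline = discipline;` needs that warning where they will see it. dasd_generic_set_online() starts and ends outside the hunk.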
diff --git a/queue-5.10/series b/queue-5.10/series
index f9284d0e4b..f10f5ba6e2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -188,3 +188,6 @@ kernel-resource-fix-kfree-of-bootmem-memory-again.patch
 drm-i915-gt-cleanup-partial-engine-discovery-failures.patch
 fs-proc-do_task_stat-use-sig-stats_lock-to-gather-the-threads-children-stats.patch
 mm-fix-apply_to_existing_page_range.patch
+perf-fix-perf_pending_task-uaf.patch
+drivers-staging-rtl8723bs-fix-deadlock-in-rtw_surveydone_event_callback.patch
+s390-dasd-fix-double-module-refcount-decrement.patch
--
2.47.3