From d6aa550751dc235c06966ed515443c4fd5ff9cad Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 20 Aug 2021 19:49:31 -0400
Subject: [PATCH] Fixes for 5.10

Signed-off-by: Sasha Levin
---
 ...se-correct-wait-queue-when-removing-.patch | 77 +++++++++++++++++++
 queue-5.10/series | 1 +
 2 files changed, 78 insertions(+)
 create mode 100644 queue-5.10/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch

diff --git a/queue-5.10/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch b/queue-5.10/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
new file mode 100644
index 00000000000..3232e2b28c9
--- /dev/null
+++ b/queue-5.10/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
@@ -0,0 +1,77 @@
+From 111cbc519f3b1b973b42dc06d07df15a889e9966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Oct 2020 13:15:44 +0200
+Subject: Bluetooth: hidp: use correct wait queue when removing ctrl_wait
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ole Bjørn Midtbø
+
+[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]
+
+A different wait queue was used when removing ctrl_wait than when adding
+it. This effectively made the remove operation without locking compared
+to other operations on the wait queue ctrl_wait was part of. This caused
+issues like below where dead000000000100 is LIST_POISON1 and
+dead000000000200 is LIST_POISON2.
+
+ list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \
+ but was dead000000000200. (next=ffffffc03ac77de0).
+ ------------[ cut here ]------------
+ CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G O 4.4.238+ #9
+ ...
+ ---[ end trace 0adc2158f0646eac ]---
+ Call trace:
+ [] __list_add+0x38/0xb0
+ [] add_wait_queue+0x4c/0x68
+ [] __pollwait+0xec/0x100
+ [] bt_sock_poll+0x74/0x200
+ [] sock_poll+0x110/0x128
+ [] do_sys_poll+0x220/0x480
+ [] SyS_poll+0x80/0x138
+ [] __sys_trace_return+0x0/0x4
+
+ Unable to handle kernel paging request at virtual address dead000000000100
+ ...
+ CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G W O 4.4.238+ #9
+ ...
+ Call trace:
+ [] __wake_up_common+0x7c/0xa8
+ [] __wake_up+0x50/0x70
+ [] sock_def_wakeup+0x58/0x60
+ [] l2cap_sock_teardown_cb+0x200/0x224
+ [] l2cap_chan_del+0xa4/0x298
+ [] l2cap_conn_del+0x118/0x198
+ [] l2cap_disconn_cfm+0x6c/0x78
+ [] hci_event_packet+0x564/0x2e30
+ [] hci_rx_work+0x10c/0x360
+ [] process_one_work+0x268/0x460
+ [] worker_thread+0x268/0x480
+ [] kthread+0x118/0x128
+ [] ret_from_fork+0x10/0x20
+ ---[ end trace 0adc2158f0646ead ]---
+
+Signed-off-by: Ole Bjørn Midtbø
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
+index 3b4fa27a44e6..0db48c812662 100644
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -1290,7 +1290,7 @@ static int hidp_session_thread(void *arg)
+ 
+ /* cleanup runtime environment */
+ remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait);
+- remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait);
++ remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);
+ wake_up_interruptible(&session->report_queue);
+ hidp_del_timer(session);
+ 
+-- 
+2.30.2
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 9108d59d179..f7e062f19d2 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -31,3 +31,4 @@ net-usb-pegasus-check-the-return-value-of-get_gerist.patch
 net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch
 drm-amd-display-fix-dynamic-bpp-issue-with-8k30-with.patch
 drm-amd-display-workaround-for-hard-hang-on-hpd-on-n.patch
+bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
-- 
2.47.3
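Review bot: The corrected `remove_wait_queue()` call in the nested net/bluetooth/hidp/core.c hunk restores the pairing with the queue `ctrl_wait` was added to, but nothing in the code records that invariant; the two calls on `session->intr_sock->sk` and `session->ctrl_sock->sk` still read as near-duplicates, which is how the copy-paste slip arose in the first place. I would extend the comment above them to `/* cleanup runtime environment: each wait entry must be removed from the same sk_sleep() queue it was added to */` so the next edit to this block keeps them paired. As the commit message explains and the two traces show, the old code unlinked the ctrl_wait entry under intr_sock's queue lock rather than ctrl_sock's, racing with add_wait_queue() from bt_sock_poll and with the __wake_up() reached from l2cap_sock_teardown_cb via HCI event processing, so the result is list corruption and a LIST_POISON dereference in the kernel rather than a silently missed wakeup. hidp_session_thread begins and ends outside the hunk, and the series-file hunk needs no comment.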