From 401adbfe34f04f27c213259c14c4d629472bee7f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 3 Feb 2024 07:58:48 -0800 Subject: [PATCH] drop xhci patch, it broke things :( --- queue-5.15/series | 1 - ...e-null-pointer-deref-during-xhci-urb.patch | 98 ------------------- queue-6.1/series | 1 - ...e-null-pointer-deref-during-xhci-urb.patch | 98 ------------------- queue-6.6/series | 1 - ...e-null-pointer-deref-during-xhci-urb.patch | 98 ------------------- queue-6.7/series | 1 - ...e-null-pointer-deref-during-xhci-urb.patch | 98 ------------------- 8 files changed, 396 deletions(-) delete mode 100644 queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch delete mode 100644 queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch delete mode 100644 queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch delete mode 100644 queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch diff --git a/queue-5.15/series b/queue-5.15/series index 0221cf091ad..aa59ec8bf0a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -253,7 +253,6 @@ mailbox-arm_mhuv2-fix-a-bug-for-mhuv2_sender_interru.patch pci-only-override-amd-usb-controller-if-required.patch pci-switchtec-fix-stdev_release-crash-after-surprise.patch perf-cs-etm-bump-minimum-opencsd-version-to-ensure-a.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch selftests-sgx-fix-linker-script-asserts.patch tty-allow-tiocslcktrmios-with-cap_checkpoint_restore.patch diff --git a/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index cda6650463c..00000000000 --- a/queue-5.15/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 0245712b9b11a1e2fdbaa04fb6a99fceff62e2ea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 5c9d3be136d2..6c8c9cbcd05d 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1644,24 +1644,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1700,12 +1683,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.1/series b/queue-6.1/series index ce918e4ae00..ac1c86db549 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -156,7 +156,6 @@ mailbox-arm_mhuv2-fix-a-bug-for-mhuv2_sender_interru.patch pci-only-override-amd-usb-controller-if-required.patch pci-switchtec-fix-stdev_release-crash-after-surprise.patch perf-cs-etm-bump-minimum-opencsd-version-to-ensure-a.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch usb-hub-add-quirk-to-decrease-in-ep-poll-interval-fo.patch selftests-sgx-fix-linker-script-asserts.patch diff --git a/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 0ac00fc00dd..00000000000 --- a/queue-6.1/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 20c7e1ef816adf0f0b1236e56927c11b856154d7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index c02ad4f76bb3..127fbad32a75 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1654,24 +1654,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1710,12 +1693,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.6/series b/queue-6.6/series index 1a2fa501b2e..e069e2975b5 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -229,7 +229,6 @@ mailbox-arm_mhuv2-fix-a-bug-for-mhuv2_sender_interru.patch pci-only-override-amd-usb-controller-if-required.patch pci-switchtec-fix-stdev_release-crash-after-surprise.patch perf-cs-etm-bump-minimum-opencsd-version-to-ensure-a.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch extcon-fix-possible-name-leak-in-extcon_dev_register.patch usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch usb-hub-add-quirk-to-decrease-in-ep-poll-interval-fo.patch diff --git a/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 25b9622ff96..00000000000 --- a/queue-6.6/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 160ef5b4740f0bc272b0996ec76446db9ddbf20a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 132b76fa7ca6..e39c5ba9b7c7 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1498,24 +1498,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1554,12 +1537,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - diff --git a/queue-6.7/series b/queue-6.7/series index fcfb22307b2..6503cb541a7 100644 --- a/queue-6.7/series +++ b/queue-6.7/series @@ -250,7 +250,6 @@ mailbox-arm_mhuv2-fix-a-bug-for-mhuv2_sender_interru.patch pci-only-override-amd-usb-controller-if-required.patch pci-switchtec-fix-stdev_release-crash-after-surprise.patch perf-cs-etm-bump-minimum-opencsd-version-to-ensure-a.patch -xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch extcon-fix-possible-name-leak-in-extcon_dev_register.patch usb-hub-replace-hardcoded-quirk-value-with-bit-macro.patch usb-hub-add-quirk-to-decrease-in-ep-poll-interval-fo.patch diff --git a/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch b/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch deleted file mode 100644 index 1bd91eb4507..00000000000 --- a/queue-6.7/xhci-fix-possible-null-pointer-deref-during-xhci-urb.patch +++ /dev/null @@ -1,98 +0,0 @@ -From e4de6fe8519e6ef1a17bd225b132081fbbfe5608 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Dec 2023 17:06:47 +0200 -Subject: xhci: fix possible null pointer deref during xhci urb enqueue - -From: Mathias Nyman - -[ Upstream commit e2e2aacf042f52854c92775b7800ba668e0bdfe4 ] - -There is a short gap between urb being submitted and actually added to the -endpoint queue (linked). If the device is disconnected during this time -then usb core is not yet aware of the pending urb, and device may be freed -just before xhci_urq_enqueue() continues, dereferencing the freed device. - -Freeing the device is protected by the xhci spinlock, so make sure we take -and keep the lock while checking that device exists, dereference it, and -add the urb to the queue. - -Remove the unnecessary URB check, usb core checks it before calling -xhci_urb_enqueue() - -Suggested-by: Kuen-Han Tsai -Signed-off-by: Mathias Nyman -Link: https://lore.kernel.org/r/20231201150647.1307406-20-mathias.nyman@linux.intel.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++----------------- - 1 file changed, 23 insertions(+), 17 deletions(-) - -diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c -index 884b0898d9c9..ddb686301af5 100644 ---- a/drivers/usb/host/xhci.c -+++ b/drivers/usb/host/xhci.c -@@ -1522,24 +1522,7 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - struct urb_priv *urb_priv; - int num_tds; - -- if (!urb) -- return -EINVAL; -- ret = xhci_check_args(hcd, urb->dev, urb->ep, -- true, true, __func__); -- if (ret <= 0) -- return ret ? ret : -EINVAL; -- -- slot_id = urb->dev->slot_id; - ep_index = xhci_get_endpoint_index(&urb->ep->desc); -- ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -- -- if (!HCD_HW_ACCESSIBLE(hcd)) -- return -ESHUTDOWN; -- -- if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -- xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -- return -ENODEV; -- } - - if (usb_endpoint_xfer_isoc(&urb->ep->desc)) - num_tds = urb->number_of_packets; -@@ -1578,12 +1561,35 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag - - spin_lock_irqsave(&xhci->lock, flags); - -+ ret = xhci_check_args(hcd, urb->dev, urb->ep, -+ true, true, __func__); -+ if (ret <= 0) { -+ ret = ret ? ret : -EINVAL; -+ goto free_priv; -+ } -+ -+ slot_id = urb->dev->slot_id; -+ -+ if (!HCD_HW_ACCESSIBLE(hcd)) { -+ ret = -ESHUTDOWN; -+ goto free_priv; -+ } -+ -+ if (xhci->devs[slot_id]->flags & VDEV_PORT_ERROR) { -+ xhci_dbg(xhci, "Can't queue urb, port error, link inactive\n"); -+ ret = -ENODEV; -+ goto free_priv; -+ } -+ - if (xhci->xhc_state & XHCI_STATE_DYING) { - xhci_dbg(xhci, "Ep 0x%x: URB %p submitted for non-responsive xHCI host.\n", - urb->ep->desc.bEndpointAddress, urb); - ret = -ESHUTDOWN; - goto free_priv; - } -+ -+ ep_state = &xhci->devs[slot_id]->eps[ep_index].ep_state; -+ - if (*ep_state & (EP_GETTING_STREAMS | EP_GETTING_NO_STREAMS)) { - xhci_warn(xhci, "WARN: Can't enqueue URB, ep in streams transition state %x\n", - *ep_state); --- -2.43.0 - -- 2.47.3