From: Greg Kroah-Hartman Date: Sat, 10 Sep 2022 06:36:57 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.19.9~57 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21da6f5647df5ce2471aa4da9c1a96ee3f41f93b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch scsi-mpt3sas-fix-use-after-free-warning.patch --- diff --git a/queue-4.9/driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch b/queue-4.9/driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch new file mode 100644 index 00000000000..d335e4fa77b --- /dev/null +++ b/queue-4.9/driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch @@ -0,0 +1,67 @@ +From 25e9fbf0fd38868a429feabc38abebfc6dbf6542 Mon Sep 17 00:00:00 2001 +From: "Isaac J. Manjarres" +Date: Wed, 17 Aug 2022 11:40:26 -0700 +Subject: driver core: Don't probe devices after bus_type.match() probe deferral + +From: Isaac J. Manjarres + +commit 25e9fbf0fd38868a429feabc38abebfc6dbf6542 upstream. + +Both __device_attach_driver() and __driver_attach() check the return +code of the bus_type.match() function to see if the device needs to be +added to the deferred probe list. After adding the device to the list, +the logic attempts to bind the device to the driver anyway, as if the +device had matched with the driver, which is not correct. + +If __device_attach_driver() detects that the device in question is not +ready to match with a driver on the bus, then it doesn't make sense for +the device to attempt to bind with the current driver or continue +attempting to match with any of the other drivers on the bus. So, update +the logic in __device_attach_driver() to reflect this. + +If __driver_attach() detects that a driver tried to match with a device +that is not ready to match yet, then the driver should not attempt to bind +with the device. However, the driver can still attempt to match and bind +with other devices on the bus, as drivers can be bound to multiple +devices. So, update the logic in __driver_attach() to reflect this. + +Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()") +Cc: stable@vger.kernel.org +Cc: Saravana Kannan +Reported-by: Guenter Roeck +Tested-by: Guenter Roeck +Tested-by: Linus Walleij +Reviewed-by: Saravana Kannan +Signed-off-by: Isaac J. Manjarres +Link: https://lore.kernel.org/r/20220817184026.3468620-1-isaacmanjarres@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/dd.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/base/dd.c ++++ b/drivers/base/dd.c +@@ -590,6 +590,11 @@ static int __device_attach_driver(struct + } else if (ret == -EPROBE_DEFER) { + dev_dbg(dev, "Device match requests probe deferral\n"); + driver_deferred_probe_add(dev); ++ /* ++ * Device can't match with a driver right now, so don't attempt ++ * to match or bind with other drivers on the bus. ++ */ ++ return ret; + } else if (ret < 0) { + dev_dbg(dev, "Bus failed to match device: %d", ret); + return ret; +@@ -732,6 +737,11 @@ static int __driver_attach(struct device + } else if (ret == -EPROBE_DEFER) { + dev_dbg(dev, "Device match requests probe deferral\n"); + driver_deferred_probe_add(dev); ++ /* ++ * Driver could not match with device, but may match with ++ * another device on the bus. ++ */ ++ return 0; + } else if (ret < 0) { + dev_dbg(dev, "Bus failed to match device: %d", ret); + return ret; diff --git a/queue-4.9/scsi-mpt3sas-fix-use-after-free-warning.patch b/queue-4.9/scsi-mpt3sas-fix-use-after-free-warning.patch new file mode 100644 index 00000000000..5a50509c27f --- /dev/null +++ b/queue-4.9/scsi-mpt3sas-fix-use-after-free-warning.patch @@ -0,0 +1,41 @@ +From 991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34 Mon Sep 17 00:00:00 2001 +From: Sreekanth Reddy +Date: Tue, 6 Sep 2022 19:19:08 +0530 +Subject: scsi: mpt3sas: Fix use-after-free warning + +From: Sreekanth Reddy + +commit 991df3dd5144f2e6b1c38b8d20ed3d4d21e20b34 upstream. + +Fix the following use-after-free warning which is observed during +controller reset: + +refcount_t: underflow; use-after-free. +WARNING: CPU: 23 PID: 5399 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0xf0 + +Link: https://lore.kernel.org/r/20220906134908.1039-2-sreekanth.reddy@broadcom.com +Signed-off-by: Sreekanth Reddy +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -2776,6 +2776,7 @@ static struct fw_event_work *dequeue_nex + fw_event = list_first_entry(&ioc->fw_event_list, + struct fw_event_work, list); + list_del_init(&fw_event->list); ++ fw_event_work_put(fw_event); + } + spin_unlock_irqrestore(&ioc->fw_event_lock, flags); + +@@ -2812,7 +2813,6 @@ _scsih_fw_event_cleanup_queue(struct MPT + if (cancel_work_sync(&fw_event->work)) + fw_event_work_put(fw_event); + +- fw_event_work_put(fw_event); + } + } + diff --git a/queue-4.9/series b/queue-4.9/series index 409eb038a7f..89ee481caea 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -29,3 +29,5 @@ fbdev-chipsfb-add-missing-pci_disable_device-in-chip.patch alsa-emu10k1-fix-out-of-bounds-access-in-snd_emu10k1_pcm_channel_alloc.patch alsa-aloop-fix-random-zeros-in-capture-data-when-using-jiffies-timer.patch alsa-usb-audio-fix-an-out-of-bounds-bug-in-__snd_usb_parse_audio_interface.patch +scsi-mpt3sas-fix-use-after-free-warning.patch +driver-core-don-t-probe-devices-after-bus_type.match-probe-deferral.patch