From: Sasha Levin Date: Fri, 20 Aug 2021 23:49:32 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.13.13~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3bff764f60c0da1f10f7fa52e720bc6ff119255d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch b/queue-4.19/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch new file mode 100644 index 00000000000..1751b32c7d3 --- /dev/null +++ b/queue-4.19/bluetooth-hidp-use-correct-wait-queue-when-removing-.patch 
@@ -0,0 +1,77 @@ +From dfa4d7ed561cdb5fbffe523c1e7de032f8a33285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Oct 2020 13:15:44 +0200 +Subject: Bluetooth: hidp: use correct wait queue when removing ctrl_wait +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ole Bjørn Midtbø + +[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ] + +A different wait queue was used when removing ctrl_wait than when adding +it. This effectively made the remove operation without locking compared +to other operations on the wait queue ctrl_wait was part of. This caused +issues like below where dead000000000100 is LIST_POISON1 and +dead000000000200 is LIST_POISON2. + + list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \ + but was dead000000000200. (next=ffffffc03ac77de0). + ------------[ cut here ]------------ + CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G O 4.4.238+ #9 + ... + ---[ end trace 0adc2158f0646eac ]--- + Call trace: + [] __list_add+0x38/0xb0 + [] add_wait_queue+0x4c/0x68 + [] __pollwait+0xec/0x100 + [] bt_sock_poll+0x74/0x200 + [] sock_poll+0x110/0x128 + [] do_sys_poll+0x220/0x480 + [] SyS_poll+0x80/0x138 + [] __sys_trace_return+0x0/0x4 + + Unable to handle kernel paging request at virtual address dead000000000100 + ... + CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G W O 4.4.238+ #9 + ... 
+ Call trace: + [] __wake_up_common+0x7c/0xa8 + [] __wake_up+0x50/0x70 + [] sock_def_wakeup+0x58/0x60 + [] l2cap_sock_teardown_cb+0x200/0x224 + [] l2cap_chan_del+0xa4/0x298 + [] l2cap_conn_del+0x118/0x198 + [] l2cap_disconn_cfm+0x6c/0x78 + [] hci_event_packet+0x564/0x2e30 + [] hci_rx_work+0x10c/0x360 + [] process_one_work+0x268/0x460 + [] worker_thread+0x268/0x480 + [] kthread+0x118/0x128 + [] ret_from_fork+0x10/0x20 + ---[ end trace 0adc2158f0646ead ]--- + +Signed-off-by: Ole Bjørn Midtbø +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hidp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c +index 253975cce943..0cbd0bca971f 100644 +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -1282,7 +1282,7 @@ static int hidp_session_thread(void *arg) + + /* cleanup runtime environment */ + remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); +- remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait); ++ remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait); + wake_up_interruptible(&session->report_queue); + hidp_del_timer(session); + +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series index 69f25e03ede..542bf668b99 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -56,3 +56,4 @@ scsi-scsi_dh_rdac-avoid-crash-during-rdac_bus_attach.patch scsi-core-avoid-printing-an-error-if-target_alloc-re.patch arm-dts-nomadik-fix-up-interrupt-controller-node-nam.patch net-usb-lan78xx-don-t-modify-phy_device-state-concur.patch +bluetooth-hidp-use-correct-wait-queue-when-removing-.patch
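Review bot: the one-line change in the net/bluetooth/hidp/core.c hunk is the right fix and nothing more is needed there: `remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait);` now mirrors the `intr_sock`/`intr_wait` line directly above it, so `ctrl_wait` is unlinked from the same wait-queue head it was attached to, under that head's lock, instead of being spliced out of `intr_sock`'s list while `ctrl_sock`'s list is left to be corrupted (which is exactly what the LIST_POISON values in the quoted traces show). Two documentation points for the backport: the message carries an "Upstream commit" line but no `Fixes:` tag naming the commit that introduced the mismatched queue, which stable tooling relies on to decide which trees need it; and the traces quoted are from a 4.4.238 kernel while this series targets 4.19, so a sentence stating that the same mismatched call is present in 4.19 (the context lines here show it is) would make the relevance explicit. The queue-4.19/series hunk correctly appends the new patch name at the end of the file and needs no change.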