From: Greg Kroah-Hartman
Date: Sun, 11 Sep 2022 05:44:37 +0000 (+0200)
Subject: drop queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
X-Git-Tag: v5.19.9~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4186b64cb83c82286733b5d9f3433efd0f516a5b;p=thirdparty%2Fkernel%2Fstable-queue.git

drop queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
---

diff --git a/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
deleted file mode 100644
index a37ca2dc85f..00000000000
--- a/queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From bbacb2bb921f81d43278c35bbd9060d7d41eaf67 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 5bb5384f36125..9d5320562e81f 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -173,6 +173,14 @@ static int dwc3_qcom_register_extcon(struct dwc3_qcom *qcom) - return 0; - } - -+/* Only usable in contexts where the role can not change. 
*/ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static void dwc3_qcom_disable_interrupts(struct dwc3_qcom *qcom) - { - if (qcom->hs_phy_irq) { -@@ -280,7 +288,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index 1a3878a3be78f..124e9f80dccd8 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -142,4 +142,5 @@ void dwc3_host_exit(struct dwc3 *dwc) - phy_remove_lookup(dwc->usb3_generic_phy, "usb3-phy", - dev_name(dwc->dev)); - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 -
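Review bot: The commit message, which consists only of the subject line "drop queue-4.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch", gives no reason for removing the patch from the 4.19 queue. The deleted file carries "Fixes: a4333c3a6ba9" and "Cc: stable@vger.kernel.org # 4.18", so by its own tags the fix is aimed at this series. A line stating why it was dropped (for example a build failure or a missing prerequisite, whichever applies) would let anyone auditing the 4.19 tree tell whether the use-after-free is still open there or was handled another way.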
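Review bot: In the qcom_dwc3_resume_irq() hunk of the dropped patch, the check and the use read the pointer separately: dwc3_qcom_is_host(qcom) fetches dwc again through platform_get_drvdata(qcom->dwc3) and tests dwc->xhci, then the next line dereferences dwc->xhci->dev through the handler's own dwc. No lock or barrier in the visible lines orders these two reads against dwc3_host_exit(), so correctness rests entirely on the invariant in the comment (role switching on a freezable workqueue, wakeup interrupts disabled as part of resume). Consider reading dwc->xhci once into a local and using it for both the test and pm_runtime_resume(). The helper also dereferences the platform_get_drvdata() result without a NULL check, which is worth either a check or a sentence in its comment saying why it cannot be NULL.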
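Review bot: In the dwc3_host_exit() hunk, dwc->xhci is cleared only after platform_device_unregister(dwc->xhci) returns, so the pointer stays non-NULL while the device is being torn down, and the store is a plain assignment. That is sound only under the "role can not change" condition stated above dwc3_qcom_is_host(). A short comment next to "dwc->xhci = NULL;" pointing at that requirement would keep a later caller from treating the NULL test as sufficient on its own.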