From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 17:40:46 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.12.24~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8d0acbf75256d7591bdbb81a52a90edb90ce391b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bluetooth-hci_uart-fix-another-race-during-initialization.patch pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
---
diff --git a/queue-5.10/bluetooth-hci_uart-fix-another-race-during-initialization.patch b/queue-5.10/bluetooth-hci_uart-fix-another-race-during-initialization.patch
new file mode 100644
index 0000000000..5c148d0087
--- /dev/null
+++ b/queue-5.10/bluetooth-hci_uart-fix-another-race-during-initialization.patch
@@ -0,0 +1,134 @@
+From 5df5dafc171b90d0b8d51547a82657cd5a1986c7 Mon Sep 17 00:00:00 2001
+From: Arseniy Krasnov
+Date: Wed, 12 Feb 2025 18:59:46 +0300
+Subject: Bluetooth: hci_uart: Fix another race during initialization
+
+From: Arseniy Krasnov
+
+commit 5df5dafc171b90d0b8d51547a82657cd5a1986c7 upstream.
+
+Do not set 'HCI_UART_PROTO_READY' before call 'hci_uart_register_dev()'.
+Possible race is when someone calls 'hci_tty_uart_close()' after this bit
+is set, but 'hci_uart_register_dev()' wasn't done. This leads to access
+to uninitialized fields. To fix it let's set this bit after device was
+registered (as before patch c411c62cc133) and to fix previous problem let's
+add one more bit in addition to 'HCI_UART_PROTO_READY' which allows to
+perform power up without original bit set (pls see commit c411c62cc133).
+
+Crash backtrace from syzbot report:
+
+RIP: 0010:skb_queue_empty_lockless include/linux/skbuff.h:1887 [inline]
+RIP: 0010:skb_queue_purge_reason+0x6d/0x140 net/core/skbuff.c:3936
+
+Call Trace:
+
+ skb_queue_purge include/linux/skbuff.h:3364 [inline]
+ mrvl_close+0x2f/0x90 drivers/bluetooth/hci_mrvl.c:100
+ hci_uart_tty_close+0xb6/0x120 drivers/bluetooth/hci_ldisc.c:557
+ tty_ldisc_close drivers/tty/tty_ldisc.c:455 [inline]
+ tty_ldisc_kill+0x66/0xc0 drivers/tty/tty_ldisc.c:613
+ tty_ldisc_release+0xc9/0x120 drivers/tty/tty_ldisc.c:781
+ tty_release_struct+0x10/0x80 drivers/tty/tty_io.c:1690
+ tty_release+0x4ef/0x640 drivers/tty/tty_io.c:1861
+ __fput+0x86/0x2a0 fs/file_table.c:450
+ task_work_run+0x82/0xb0 kernel/task_work.c:239
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0xa3/0x1b0 kernel/entry/common.c:218
+ do_syscall_64+0x9a/0x190 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Signed-off-by: Arseniy Krasnov
+Reported-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Tested-by: syzbot+683f8cb11b94b1824c77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-bluetooth/d159c57f-8490-4c26-79da-6ad3612c4a14@salutedevices.com/
+Fixes: 366ceff495f9 ("Bluetooth: hci_uart: fix race during initialization")
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/hci_ldisc.c | 20 ++++++++++++++------
+ drivers/bluetooth/hci_uart.h | 1 +
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -102,7 +102,8 @@ static inline struct sk_buff *hci_uart_d
+ if (!skb) {
+ percpu_down_read(&hu->proto_lock);
+
+- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ skb = hu->proto->dequeue(hu);
+
+ percpu_up_read(&hu->proto_lock);
+@@ -124,7 +125,8 @@ int hci_uart_tx_wakeup(struct hci_uart *
+ if (!percpu_down_read_trylock(&hu->proto_lock))
+ return 0;
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ goto no_schedule;
+
+ set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state);
+@@ -278,7 +280,8 @@ static int hci_uart_send_frame(struct hc
+
+ percpu_down_read(&hu->proto_lock);
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+ percpu_up_read(&hu->proto_lock);
+ return -EUNATCH;
+ }
+@@ -579,7 +582,8 @@ static void hci_uart_tty_wakeup(struct t
+ if (tty != hu->tty)
+ return;
+
+- if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags) ||
++ test_bit(HCI_UART_PROTO_INIT, &hu->flags))
+ hci_uart_tx_wakeup(hu);
+ }
+
+@@ -605,7 +609,8 @@ static void hci_uart_tty_receive(struct
+
+ percpu_down_read(&hu->proto_lock);
+
+- if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) {
++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags) &&
++ !test_bit(HCI_UART_PROTO_INIT, &hu->flags)) {
+ percpu_up_read(&hu->proto_lock);
+ return;
+ }
+@@ -706,13 +711,16 @@ static int hci_uart_set_proto(struct hci
+
+ hu->proto = p;
+
+- set_bit(HCI_UART_PROTO_READY, &hu->flags);
++ set_bit(HCI_UART_PROTO_INIT, &hu->flags);
+
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+ }
+
++ set_bit(HCI_UART_PROTO_READY, &hu->flags);
++ clear_bit(HCI_UART_PROTO_INIT, &hu->flags);
++
+ return 0;
+ }
+
+--- a/drivers/bluetooth/hci_uart.h
++++ b/drivers/bluetooth/hci_uart.h
+@@ -89,6 +89,7 @@ struct hci_uart {
+ #define HCI_UART_PROTO_SET 0
+ #define HCI_UART_REGISTERED 1
+ #define HCI_UART_PROTO_READY 2
++#define HCI_UART_PROTO_INIT 4
+
+ /* TX states */
+ #define HCI_UART_SENDING 1
diff --git a/queue-5.10/pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch b/queue-5.10/pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
new file mode 100644
index 0000000000..ff04a262bf
--- /dev/null
+++ b/queue-5.10/pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
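Review bot: In hci_uart_set_proto() (the `@@ -706,13 +711,16 @@` hunk of the hci_ldisc.c patch), the error branch after hci_uart_register_dev() returns with HCI_UART_PROTO_INIT still set, because the bit is cleared only on the success path. Every gate this patch widens to READY-or-INIT (the dequeue helper at `@@ -102,7`, hci_uart_tx_wakeup, hci_uart_send_frame, hci_uart_tty_wakeup, hci_uart_tty_receive) would then keep passing for a device whose registration failed. Whether hu->proto and the protocol's private data are still valid at that point depends on hci_uart_register_dev()'s failure handling, which is not shown here. I would clear the bit before bailing out: `if (err) { clear_bit(HCI_UART_PROTO_INIT, &hu->flags); return err; }`. The function starts above the hunk, so any cleanup the caller performs on error is not visible and should be checked against the 5.10 tree.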
@@ -0,0 +1,44 @@
+From aa3c668f2f98856af96e13f44da6ca4f26f0b98c Mon Sep 17 00:00:00 2001
+From: Daniel Golle
+Date: Fri, 2 Dec 2022 19:35:08 +0100
+Subject: pwm: mediatek: always use bus clock for PWM on MT7622
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Golle
+
+commit aa3c668f2f98856af96e13f44da6ca4f26f0b98c upstream.
+
+According to MT7622 Reference Manual for Development Board v1.0 the PWM
+unit found in the MT7622 SoC also comes with the PWM_CK_26M_SEL register
+at offset 0x210 just like other modern MediaTek ARM64 SoCs.
+And also MT7622 sets that register to 0x00000001 on reset which is
+described as 'Select 26M fix CLK as BCLK' in the datasheet.
+Hence set has_ck_26m_sel to true also for MT7622 which results in the
+driver writing 0 to the PWM_CK_26M_SEL register which is described as
+'Select bus CLK as BCLK'.
+
+Fixes: 0c0ead76235db0 ("pwm: mediatek: Always use bus clock")
+Signed-off-by: Daniel Golle
+Reviewed-by: AngeloGioacchino Del Regno
+Acked-by: Uwe Kleine-König
+Link: https://lore.kernel.org/r/Y1iF2slvSblf6bYK@makrotopia.org
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Thierry Reding
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pwm/pwm-mediatek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -297,7 +297,7 @@ static const struct pwm_mediatek_of_data
+ static const struct pwm_mediatek_of_data mt7622_pwm_data = {
+ .num_pwms = 6,
+ .pwm45_fixup = false,
+- .has_ck_26m_sel = false,
++ .has_ck_26m_sel = true,
+ };
+
+ static const struct pwm_mediatek_of_data mt7623_pwm_data = {
diff --git a/queue-5.10/series b/queue-5.10/series
index 5669bd3190..76ee9f4dff 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -96,3 +96,5 @@ pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch
 pci-fix-reference-leak-in-pci_alloc_child_bus.patch
 pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch
 x86-e820-fix-handling-of-subpage-regions-when-calculating-nosave-ranges-in-e820__register_nosave_regions.patch
+bluetooth-hci_uart-fix-another-race-during-initialization.patch
+pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch