From: Sasha Levin Date: Mon, 5 Sep 2022 15:07:52 +0000 (-0400) Subject: Drop usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch X-Git-Tag: v5.10.142~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93027149ccac6cc708f15d5de937c5f7929c2d98;p=thirdparty%2Fkernel%2Fstable-queue.git Drop usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/series b/queue-5.10/series index 0f2a7a8d41e..11a0e743389 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -5,7 +5,6 @@ drm-msm-dsi-fix-number-of-regulators-for-sdm660.patch platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch iio-adc-mcp3911-make-use-of-the-sign-bit.patch usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch ieee802154-adf7242-defer-destroy_workqueue-call.patch diff --git a/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index b2ee2380119..00000000000 --- a/queue-5.10/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From a9a03e025fe91afcfb38b9083ec3069d54a4f831 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index d8b47b91ed6f7..456ade31ef795 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) - { - struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index e195176580de1..b06ab85f8187e 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -130,4 +130,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 - diff --git a/queue-5.15/series b/queue-5.15/series index 3d2ec8d9ec0..78458597f96 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -7,7 +7,6 @@ iio-adc-mcp3911-make-use-of-the-sign-bit.patch skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch ieee802154-adf7242-defer-destroy_workqueue-call.patch diff --git a/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index 5bcf472b859..00000000000 --- a/queue-5.15/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 856410b417bf56d5ea5abf861125d4571480ba1b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 1a742642211f1..ccbdf7ae906ea 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) - { - struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index f29a264635aa1..2078e9d702923 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -130,4 +130,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 - diff --git a/queue-5.19/series b/queue-5.19/series index 4375b2b0d6f..a98e622dfc4 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -13,7 +13,6 @@ iio-adc-mcp3911-make-use-of-the-sign-bit.patch skmsg-fix-wrong-last-sg-check-in-sk_msg_recvmsg.patch bpf-restrict-bpf_sys_bpf-to-cap_perfmon.patch usb-dwc3-qcom-add-helper-functions-to-enable-disable.patch -usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch usb-dwc3-qcom-fix-peripheral-and-otg-suspend.patch ip_tunnel-respect-tunnel-key-s-flow_flags-in-ip-tunn.patch bpf-cgroup-fix-kernel-bug-in-purge_effective_progs.patch diff --git a/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch b/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch deleted file mode 100644 index cac382d464b..00000000000 --- a/queue-5.19/usb-dwc3-qcom-fix-use-after-free-on-runtime-pm-wakeu.patch +++ /dev/null @@ -1,82 +0,0 @@ -From f2bcee907ea77917cf12fd034566f10318ce72c0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 17:09:56 +0200 -Subject: usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup - -From: Johan Hovold - -[ Upstream commit a872ab303d5ddd4c965f9cd868677781a33ce35a ] - -The Qualcomm dwc3 runtime-PM implementation checks the xhci -platform-device pointer in the wakeup-interrupt handler to determine -whether the controller is in host mode and if so triggers a resume. - -After a role switch in OTG mode the xhci platform-device would have been -freed and the next wakeup from runtime suspend would access the freed -memory. - -Note that role switching is executed from a freezable workqueue, which -guarantees that the pointer is stable during suspend. - -Also note that runtime PM has been broken since commit 2664deb09306 -("usb: dwc3: qcom: Honor wakeup enabled/disabled state"), which -incidentally also prevents this issue from being triggered. - -Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver") -Cc: stable@vger.kernel.org # 4.18 -Reviewed-by: Matthias Kaehlcke -Reviewed-by: Manivannan Sadhasivam -Signed-off-by: Johan Hovold -Link: https://lore.kernel.org/r/20220804151001.23612-5-johan+linaro@kernel.org -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/dwc3/dwc3-qcom.c | 14 +++++++++++++- - drivers/usb/dwc3/host.c | 1 + - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c -index 19642d0df419c..25ae37b1a39df 100644 ---- a/drivers/usb/dwc3/dwc3-qcom.c -+++ b/drivers/usb/dwc3/dwc3-qcom.c -@@ -298,6 +298,14 @@ static void dwc3_qcom_interconnect_exit(struct dwc3_qcom *qcom) - icc_put(qcom->icc_path_apps); - } - -+/* Only usable in contexts where the role can not change. */ -+static bool dwc3_qcom_is_host(struct dwc3_qcom *qcom) -+{ -+ struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -+ -+ return dwc->xhci; -+} -+ - static enum usb_device_speed dwc3_qcom_read_usb2_speed(struct dwc3_qcom *qcom) - { - struct dwc3 *dwc = platform_get_drvdata(qcom->dwc3); -@@ -457,7 +465,11 @@ static irqreturn_t qcom_dwc3_resume_irq(int irq, void *data) - if (qcom->pm_suspended) - return IRQ_HANDLED; - -- if (dwc->xhci) -+ /* -+ * This is safe as role switching is done from a freezable workqueue -+ * and the wakeup interrupts are disabled as part of resume. -+ */ -+ if (dwc3_qcom_is_host(qcom)) - pm_runtime_resume(&dwc->xhci->dev); - - return IRQ_HANDLED; -diff --git a/drivers/usb/dwc3/host.c b/drivers/usb/dwc3/host.c -index f56c30cf151e4..f6f13e7f1ba14 100644 ---- a/drivers/usb/dwc3/host.c -+++ b/drivers/usb/dwc3/host.c -@@ -135,4 +135,5 @@ int dwc3_host_init(struct dwc3 *dwc) - void dwc3_host_exit(struct dwc3 *dwc) - { - platform_device_unregister(dwc->xhci); -+ dwc->xhci = NULL; - } --- -2.35.1 -