From 3f4f0770512b286523a398e3f9f3eb6441f44b17 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 10 Jul 2020 00:15:42 -0400 Subject: gnu: linux-libre: Fix regression with Atheros 9271. * gnu/packages/patches/linux-libre-fix-atheros-9271.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/linux.scm (%linux-libre-fix-atheros-9271-patch): New variable. (linux-libre-4.4-source, linux-libre-4.9-source) (linux-libre-4.14-source, linux-libre-4.19-source) (linux-libre-5.4-source, linux-libre-5.7-source): Add the patch. --- gnu/local.mk | 1 + gnu/packages/linux.scm | 19 +- .../patches/linux-libre-fix-atheros-9271.patch | 225 +++++++++++++++++++++ 3 files changed, 240 insertions(+), 5 deletions(-) create mode 100644 gnu/packages/patches/linux-libre-fix-atheros-9271.patch diff --git a/gnu/local.mk b/gnu/local.mk index cecc8bc4b1..5c3b391960 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1238,6 +1238,7 @@ dist_patch_DATA = \ %D%/packages/patches/lierolibre-try-building-other-arch.patch \ %D%/packages/patches/linkchecker-tests-require-network.patch \ %D%/packages/patches/linphoneqt-tabbutton.patch \ + %D%/packages/patches/linux-libre-fix-atheros-9271.patch \ %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \ %D%/packages/patches/linux-pam-no-setfsuid.patch \ %D%/packages/patches/lirc-localstatedir.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index d0fe5ee57a..bd7cbf183f 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -443,6 +443,9 @@ (define %linux-libre-arm-export-__sync_icache_dcache-patch (sha256 (base32 "1ifnfhpakzffn4b8n7x7w5cps9mzjxlkcfz9zqak2vaw8nzvl39f")))) +(define %linux-libre-fix-atheros-9271-patch + (search-patch "linux-libre-fix-atheros-9271.patch")) + (define (source-with-patches source patches) (origin (inherit source) 
@@ -452,12 +455,14 @@ (define (source-with-patches source patches) (define-public linux-libre-5.7-source (source-with-patches linux-libre-5.7-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + %linux-libre-fix-atheros-9271-patch))) (define-public linux-libre-5.4-source (source-with-patches linux-libre-5.4-pristine-source (list %boot-logo-patch %linux-libre-arm-export-__sync_icache_dcache-patch + %linux-libre-fix-atheros-9271-patch ;; Pinebook Pro patch from linux-next, ;; can be dropped for linux-libre 5.7 (search-patch @@ -466,19 +471,23 @@ (define-public linux-libre-5.4-source (define-public linux-libre-4.19-source (source-with-patches linux-libre-4.19-pristine-source (list %boot-logo-patch - %linux-libre-arm-export-__sync_icache_dcache-patch))) + %linux-libre-arm-export-__sync_icache_dcache-patch + %linux-libre-fix-atheros-9271-patch))) (define-public linux-libre-4.14-source (source-with-patches linux-libre-4.14-pristine-source - (list %boot-logo-patch))) + (list %boot-logo-patch + %linux-libre-fix-atheros-9271-patch))) (define-public linux-libre-4.9-source (source-with-patches linux-libre-4.9-pristine-source - (list %boot-logo-patch))) + (list %boot-logo-patch + %linux-libre-fix-atheros-9271-patch))) (define-public linux-libre-4.4-source (source-with-patches linux-libre-4.4-pristine-source - (list %boot-logo-patch))) + (list %boot-logo-patch + %linux-libre-fix-atheros-9271-patch))) ;;; diff --git a/gnu/packages/patches/linux-libre-fix-atheros-9271.patch b/gnu/packages/patches/linux-libre-fix-atheros-9271.patch new file mode 100644 index 0000000000..7527f9fdf0 --- /dev/null +++ b/gnu/packages/patches/linux-libre-fix-atheros-9271.patch 
@@ -0,0 +1,225 @@
+Revert the following upstream commit, which broke Atheros 9271 support.
+See:
+ https://bugzilla.kernel.org/show_bug.cgi?id=208251
+ https://bugzilla.redhat.com/show_bug.cgi?id=1848631
+
+
+From b5c8896bc14f54e5c4dd5a6e42879f125b8abd2d Mon Sep 17 00:00:00 2001
+From: Qiujun Huang
+Date: Sat, 4 Apr 2020 12:18:38 +0800
+Subject: ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
+
+commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
+
+In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
+usb_ifnum_to_if(urb->dev, 0)
+But it isn't always true.
+
+The case reported by syzbot:
+https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
+usb 2-1: new high-speed USB device number 2 using dummy_hcd
+usb 2-1: config 1 has an invalid interface number: 2 but max is 0
+usb 2-1: config 1 has no interface number 0
+usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
+1.08
+usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+general protection fault, probably for non-canonical address
+0xdffffc0000000015: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
+
+Call Trace
+__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
+usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
+dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
+call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
+expire_timers kernel/time/timer.c:1449 [inline]
+__run_timers kernel/time/timer.c:1773 [inline]
+__run_timers kernel/time/timer.c:1740 [inline]
+run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
+__do_softirq+0x21e/0x950 kernel/softirq.c:292
+invoke_softirq kernel/softirq.c:373 [inline]
+irq_exit+0x178/0x1a0 kernel/softirq.c:413
+exiting_irq arch/x86/include/asm/apic.h:546 [inline]
+smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
+apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
+
+Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
+Signed-off-by: Qiujun Huang
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 48 ++++++++++++++++++++++++--------
+ drivers/net/wireless/ath/ath9k/hif_usb.h | 5 ++++
+ 2 files changed, 42 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
+index 6049d3766c64..4ed21dad6a8e 100644
+--- b/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ a/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -643,9 +643,9 @@
+
+ static void ath9k_hif_usb_rx_cb(struct urb *urb)
+ {
+- struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
+- struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+- struct sk_buff *skb = rx_buf->skb;
++ struct sk_buff *skb = (struct sk_buff *) urb->context;
++ struct hif_device_usb *hif_dev =
++ usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
+ int ret;
+
+ if (!skb)
+@@ -685,15 +685,14 @@
+ return;
+ free:
+ kfree_skb(skb);
+- kfree(rx_buf);
+ }
+
+ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
+ {
+- struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
+- struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+- struct sk_buff *skb = rx_buf->skb;
++ struct sk_buff *skb = (struct sk_buff *) urb->context;
+ struct sk_buff *nskb;
++ struct hif_device_usb *hif_dev =
++ usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
+ int ret;
+
+ if (!skb)
+@@ -751,7 +750,6 @@
+ return;
+ free:
+ kfree_skb(skb);
+- kfree(rx_buf);
+ urb->context = NULL;
+ }
+
+@@ -797,7 +795,7 @@
+ init_usb_anchor(&hif_dev->mgmt_submitted);
+
+ for (i = 0; i < MAX_TX_URB_NUM; i++) {
+- tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL);
++ tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL);
+ if (!tx_buf)
+ goto err;
+
+@@ -834,9 +832,8 @@
+
+ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev)
+ {
+- struct rx_buf *rx_buf = NULL;
++ struct urb *urb = NULL;
+ struct sk_buff *skb = NULL;
+- struct urb *urb = NULL;
+ int i, ret;
+
+ init_usb_anchor(&hif_dev->rx_submitted);
+@@ -844,12 +841,6 @@
+
+ for (i = 0; i < MAX_RX_URB_NUM; i++) {
+
+- rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
+- if (!rx_buf) {
+- ret = -ENOMEM;
+- goto err_rxb;
+- }
+-
+ /* Allocate URB */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (urb == NULL) {
+@@ -864,14 +855,11 @@
+ goto err_skb;
+ }
+
+- rx_buf->hif_dev = hif_dev;
+- rx_buf->skb = skb;
+-
+ usb_fill_bulk_urb(urb, hif_dev->udev,
+ usb_rcvbulkpipe(hif_dev->udev,
+ USB_WLAN_RX_PIPE),
+ skb->data, MAX_RX_BUF_SIZE,
+- ath9k_hif_usb_rx_cb, rx_buf);
++ ath9k_hif_usb_rx_cb, skb);
+
+ /* Anchor URB */
+ usb_anchor_urb(urb, &hif_dev->rx_submitted);
+@@ -897,8 +885,6 @@
+ err_skb:
+ usb_free_urb(urb);
+ err_urb:
+- kfree(rx_buf);
+-err_rxb:
+ ath9k_hif_usb_dealloc_rx_urbs(hif_dev);
+ return ret;
+ }
+@@ -910,21 +896,14 @@
+
+ static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev)
+ {
+- struct rx_buf *rx_buf = NULL;
++ struct urb *urb = NULL;
+ struct sk_buff *skb = NULL;
+- struct urb *urb = NULL;
+ int i, ret;
+
+ init_usb_anchor(&hif_dev->reg_in_submitted);
+
+ for (i = 0; i < MAX_REG_IN_URB_NUM; i++) {
+
+- rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL);
+- if (!rx_buf) {
+- ret = -ENOMEM;
+- goto err_rxb;
+- }
+-
+ /* Allocate URB */
+ urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (urb == NULL) {
+@@ -939,14 +918,11 @@
+ goto err_skb;
+ }
+
+- rx_buf->hif_dev = hif_dev;
+- rx_buf->skb = skb;
+-
+ usb_fill_int_urb(urb, hif_dev->udev,
+ usb_rcvintpipe(hif_dev->udev,
+ USB_REG_IN_PIPE),
+ skb->data, MAX_REG_IN_BUF_SIZE,
+- ath9k_hif_usb_reg_in_cb, rx_buf, 1);
++ ath9k_hif_usb_reg_in_cb, skb, 1);
+
+ /* Anchor URB */
+ usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
+@@ -972,8 +948,6 @@
+ err_skb:
+ usb_free_urb(urb);
+ err_urb:
+- kfree(rx_buf);
+-err_rxb:
+ ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev);
+ return ret;
+ }
+diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
+index a94e7e1c86e9..5985aa15ca93 100644
+--- b/drivers/net/wireless/ath/ath9k/hif_usb.h
++++ a/drivers/net/wireless/ath/ath9k/hif_usb.h
+@@ -86,11 +86,6 @@
+ struct list_head list;
+ };
+
+-struct rx_buf {
+- struct sk_buff *skb;
+- struct hif_device_usb *hif_dev;
+-};
+-
+ #define HIF_USB_TX_STOP BIT(0)
+ #define HIF_USB_TX_FLUSH BIT(1)
+
++-
+cgit 1.2.3-1.el7
+
-- cgit v1.2.3
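Review bot: The reverted callbacks `ath9k_hif_usb_rx_cb` and `ath9k_hif_usb_reg_in_cb` again compute `hif_dev` as `usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0))` with no check on the lookup. That is the null-pointer dereference described in the quoted upstream commit message (a device whose configuration has no interface 0), so every kernel series that receives this patch regains a crash reachable from an attached USB device. The patch header only says the upstream commit broke Atheros 9271 support; it should also record the trade-off and an exit condition, for example `This reintroduces the NULL dereference fixed by upstream commit 2bbcaaee1fcb; drop once upstream has a fix that keeps AR9271 working.` If the revert has to stay for a while, splitting the lookup would keep the crash closed: `struct usb_interface *intf = usb_ifnum_to_if(urb->dev, 0);` followed by `struct hif_device_usb *hif_dev = intf ? usb_get_intfdata(intf) : NULL;`. Both function bodies continue outside the inner hunks, so whether a later `hif_dev` NULL test exists to catch that value needs confirming against the full file.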