From 869414a8c31fc2e688ae948d4a7279183e146673 Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Apr 20 2023 11:00:54 +0000
Subject: HID: intel-ish-hid: Fix kernel panic during warm reset (bsc#1012628).
---
diff --git a/patches.kernel.org/6.2.12-105-HID-intel-ish-hid-Fix-kernel-panic-during-warm.patch b/patches.kernel.org/6.2.12-105-HID-intel-ish-hid-Fix-kernel-panic-during-warm.patch
new file mode 100644
index 0000000..40888ff
--- /dev/null
+++ b/patches.kernel.org/6.2.12-105-HID-intel-ish-hid-Fix-kernel-panic-during-warm.patch
@@ -0,0 +1,65 @@
+From: Tanu Malhotra
+Date: Mon, 27 Mar 2023 11:58:38 -0700
+Subject: [PATCH] HID: intel-ish-hid: Fix kernel panic during warm reset
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: 38518593ec55e897abda4b4be77b2ec8ec4447d1
+
+commit 38518593ec55e897abda4b4be77b2ec8ec4447d1 upstream.
+
+During warm reset device->fw_client is set to NULL. If a bus driver is
+registered after this NULL setting and before new firmware clients are
+enumerated by ISHTP, kernel panic will result in the function
+ishtp_cl_bus_match(). This is because of reference to
+device->fw_client->props.protocol_name.
+
+ISH firmware after getting successfully loaded, sends a warm reset
+notification to remove all clients from the bus and sets
+device->fw_client to NULL. Until kernel v5.15, all enabled ISHTP kernel
+module drivers were loaded right after any of the first ISHTP device was
+registered, regardless of whether it was a matched or an unmatched
+device. This resulted in all drivers getting registered much before the
+warm reset notification from ISH.
+
+Starting kernel v5.16, this issue got exposed after the change was
+introduced to load only bus drivers for the respective matching devices.
+In this scenario, cros_ec_ishtp device and cros_ec_ishtp driver are
+registered after the warm reset device fw_client NULL setting.
+cros_ec_ishtp driver_register() triggers the callback to
+ishtp_cl_bus_match() to match ISHTP driver to the device and causes kernel
+panic in guid_equal() when dereferencing fw_client NULL pointer to get
+protocol_name.
+
+Fixes: f155dfeaa4ee ("platform/x86: isthp_eclite: only load for matching devices")
+Fixes: facfe0a4fdce ("platform/chrome: chros_ec_ishtp: only load for matching devices")
+Fixes: 0d0cccc0fd83 ("HID: intel-ish-hid: hid-client: only load for matching devices")
+Fixes: 44e2a58cb880 ("HID: intel-ish-hid: fw-loader: only load for matching devices")
+Cc: # 5.16+
+Signed-off-by: Tanu Malhotra
+Tested-by: Shaunak Saha
+Acked-by: Srinivas Pandruvada
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ drivers/hid/intel-ish-hid/ishtp/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c
+index f68aba87..d4296681 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
+@@ -241,8 +241,8 @@ static int ishtp_cl_bus_match(struct device *dev, struct device_driver *drv)
+ struct ishtp_cl_device *device = to_ishtp_cl_device(dev);
+ struct ishtp_cl_driver *driver = to_ishtp_cl_driver(drv);
+
+- return guid_equal(&driver->id[0].guid,
+- &device->fw_client->props.protocol_name);
++ return(device->fw_client ? guid_equal(&driver->id[0].guid,
++ &device->fw_client->props.protocol_name) : 0);
+ }
+
+ /**
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index da99376..c953f7a 100644
--- a/series.conf
+++ b/series.conf
@@ -2332,6 +2332,7 @@ patches.kernel.org/6.2.12-102-maple_tree-fix-write-memory-barrier-of-nodes-o.patch patches.kernel.org/6.2.12-103-ksmbd-avoid-out-of-bounds-access-in-decode_pre.patch patches.kernel.org/6.2.12-104-riscv-add-icache-flush-for-nommu-sigreturn-tra.patch + patches.kernel.org/6.2.12-105-HID-intel-ish-hid-Fix-kernel-panic-during-warm.patch ######################################################## # Build fixes that apply to the vanilla kernel too.
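Review bot: The new `return(...)` in ishtp_cl_bus_match() loads `device->fw_client` twice, once for the NULL test and again for the `props.protocol_name` dereference, and nothing in the hunk shows what keeps the warm-reset path from clearing the pointer between the two loads. If the match callback is not serialized against that reset (not visible here; the function's signature and opening brace sit outside the hunk), the same NULL dereference could presumably still occur in a narrower window. Taking one snapshot and guarding on it, `fw_client = READ_ONCE(device->fw_client);` followed by `if (!fw_client) return 0;`, would close the reload case, and a short comment naming the lock or ordering that protects `fw_client` would document the rest. An early-return guard also reads more cleanly than the parenthesised `return(cond ? ... : 0)` form, which kernel coding style discourages.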