authorJiri Slaby <jslaby@suse.cz>2019-08-16 22:01:45 +0200
committerJiri Slaby <jslaby@suse.cz>2019-08-16 22:25:10 +0200
commit82ea3ef058a617a5eb27cdd3a4fc1109e4ffde63 (patch)
tree01a247e81bc752d1f79b0d1f036b7c6129e89980
parent3ea08e63ffd77ef346d52ef29df6646e6fce2ae0 (diff)
HID: sony: Fix race condition between rumble and device remove
-rw-r--r--patches.kernel.org/5.2.9-118-HID-sony-Fix-race-condition-between-rumble-and-.patch85
-rw-r--r--series.conf1
2 files changed, 86 insertions, 0 deletions
diff --git a/patches.kernel.org/5.2.9-118-HID-sony-Fix-race-condition-between-rumble-and-.patch b/patches.kernel.org/5.2.9-118-HID-sony-Fix-race-condition-between-rumble-and-.patch
new file mode 100644
index 0000000000..cddc5a3d67
--- /dev/null
+++ b/patches.kernel.org/5.2.9-118-HID-sony-Fix-race-condition-between-rumble-and-.patch
@@ -0,0 +1,85 @@
+From: Roderick Colenbrander <roderick@gaikai.com>
+Date: Fri, 2 Aug 2019 15:50:19 -0700
+Subject: [PATCH] HID: sony: Fix race condition between rumble and device
+ remove.
+References: bnc#1012628
+Patch-mainline: 5.2.9
+Git-commit: e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04
+
+commit e0f6974a54d3f7f1b5fdf5a593bd43ce9206ec04 upstream.
+
+Valve reported a kernel crash on Ubuntu 18.04 when disconnecting a DS4
+gamepad while rumble is enabled. This issue is reproducible with a
+frequency of 1 in 3 times in the game Borderlands 2 when using an
+automatic weapon, which triggers many rumble operations.
+
+We found the issue to be a race condition between sony_remove and the
+final device destruction by the HID / input system. The problem was
+that sony_remove didn't clean some of its work_item state in
+"struct sony_sc". After sony_remove work, the corresponding evdev
+node was around for sufficient time for applications to still queue
+rumble work after "sony_remove".
+
+On pre-4.19 kernels the race condition caused a kernel crash due to a
+NULL-pointer dereference as "sc->output_report_dmabuf" got freed during
+sony_remove. On newer kernels this crash doesn't happen due the buffer
+now being allocated using devm_kzalloc. However we can still queue work,
+while the driver is an undefined state.
+
+This patch fixes the described problem, by guarding the work_item
+"state_worker" with an initialized variable, which we are setting back
+to 0 on cleanup.
+
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/hid/hid-sony.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index 93942063b51b..49dd2d905c7f 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -585,10 +585,14 @@ static void sony_set_leds(struct sony_sc *sc);
+ static inline void sony_schedule_work(struct sony_sc *sc,
+ enum sony_worker which)
+ {
++ unsigned long flags;
++
+ switch (which) {
+ case SONY_WORKER_STATE:
+- if (!sc->defer_initialization)
++ spin_lock_irqsave(&sc->lock, flags);
++ if (!sc->defer_initialization && sc->state_worker_initialized)
+ schedule_work(&sc->state_worker);
++ spin_unlock_irqrestore(&sc->lock, flags);
+ break;
+ case SONY_WORKER_HOTPLUG:
+ if (sc->hotplug_worker_initialized)
+@@ -2558,13 +2562,18 @@ static inline void sony_init_output_report(struct sony_sc *sc,
+
+ static inline void sony_cancel_work_sync(struct sony_sc *sc)
+ {
++ unsigned long flags;
++
+ if (sc->hotplug_worker_initialized)
+ cancel_work_sync(&sc->hotplug_worker);
+- if (sc->state_worker_initialized)
++ if (sc->state_worker_initialized) {
++ spin_lock_irqsave(&sc->lock, flags);
++ sc->state_worker_initialized = 0;
++ spin_unlock_irqrestore(&sc->lock, flags);
+ cancel_work_sync(&sc->state_worker);
++ }
+ }
+
+-
+ static int sony_input_configured(struct hid_device *hdev,
+ struct hid_input *hidinput)
+ {
+--
+2.22.0
+
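Review bot: The new guard covers only SONY_WORKER_STATE; the SONY_WORKER_HOTPLUG branch just below it (`if (sc->hotplug_worker_initialized)`) still reads its flag without sc->lock, and sony_cancel_work_sync does not clear hotplug_worker_initialized before `cancel_work_sync(&sc->hotplug_worker)`, so a schedule racing with remove appears possible for that worker too, if any caller can reach it after sony_remove — the commit message only covers the rumble path, so this may be deliberate and worth a sentence in the description. The site that sets state_worker_initialized to 1 is outside the hunk; for sc->lock to actually serialize the flag, that write should also happen under the lock or provably before any scheduling path is reachable. The flag's new lock-protected role deserves a comment at its declaration in struct sony_sc, e.g. `/* protected by sc->lock; cleared by sony_cancel_work_sync() before cancel_work_sync() */`. The sony_input_configured definition at the end of the hunk continues outside it.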
diff --git a/series.conf b/series.conf
index af8b39e033..1c883d6d26 100644
--- a/series.conf
+++ b/series.conf
@@ -1138,6 +1138,7 @@
patches.kernel.org/5.2.9-115-perf-core-Fix-creating-kernel-counters-for-PMUs.patch
patches.kernel.org/5.2.9-116-s390-dma-provide-proper-ARCH_ZONE_DMA_BITS-valu.patch
patches.kernel.org/5.2.9-117-gen_compile_commands-lower-the-entry-count-thre.patch
+ patches.kernel.org/5.2.9-118-HID-sony-Fix-race-condition-between-rumble-and-.patch
########################################################
# Build fixes that apply to the vanilla kernel too.