releases/5.15.41/iwlwifi-iwl-dbg-use-del_timer_sync-before-freeing.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 460e8e97ff802c34502296a529a0431ea1fb87f7 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Mon, 11 Apr 2022 08:42:10 -0700
 Subject: iwlwifi: iwl-dbg: Use del_timer_sync() before freeing

 From: Guenter Roeck <linux@roeck-us.net>

 [ Upstream commit 7635a1ad8d92dcc8247b53f949e37795154b5b6f ]

 In Chrome OS, a large number of crashes is observed due to corrupted timer
 lists. Steven Rostedt pointed out that this usually happens when a timer
 is freed while still active, and that the problem is often triggered
 by code calling del_timer() instead of del_timer_sync() just before
 freeing.

 Steven also identified the iwlwifi driver as one of the possible culprits
 since it does exactly that.

 Reported-by: Steven Rostedt <rostedt@goodmis.org>
 Cc: Steven Rostedt <rostedt@goodmis.org>
 Cc: Johannes Berg <johannes.berg@intel.com>
 Cc: Gregory Greenman <gregory.greenman@intel.com>
 Fixes: 60e8abd9d3e91 ("iwlwifi: dbg_ini: add periodic trigger new API support")
 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Acked-by: Gregory Greenman <gregory.greenman@intel.com>
 Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.17.3-rc1 and Debian LLVM-14
 Signed-off-by: Kalle Valo <kvalo@kernel.org>
 Link: https://lore.kernel.org/r/20220411154210.1870008-1-linux@roeck-us.net
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
 index 125479b5c0d6..fc4197bf2478 100644
 --- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
 +++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
 @@ -322,7 +322,7 @@ void iwl_dbg_tlv_del_timers(struct iwl_trans *trans)
  	struct iwl_dbg_tlv_timer_node *node, *tmp;

  	list_for_each_entry_safe(node, tmp, timer_list, list) {
 -		del_timer(&node->timer);
 +		del_timer_sync(&node->timer);
  		list_del(&node->list);
  		kfree(node);
  	}
 --
 2.35.1
	From 460e8e97ff802c34502296a529a0431ea1fb87f7 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Mon, 11 Apr 2022 08:42:10 -0700
	Subject: iwlwifi: iwl-dbg: Use del_timer_sync() before freeing

	From: Guenter Roeck <linux@roeck-us.net>

	[ Upstream commit 7635a1ad8d92dcc8247b53f949e37795154b5b6f ]

	In Chrome OS, a large number of crashes is observed due to corrupted timer
	lists. Steven Rostedt pointed out that this usually happens when a timer
	is freed while still active, and that the problem is often triggered
	by code calling del_timer() instead of del_timer_sync() just before
	freeing.

	Steven also identified the iwlwifi driver as one of the possible culprits
	since it does exactly that.

	Reported-by: Steven Rostedt <rostedt@goodmis.org>
	Cc: Steven Rostedt <rostedt@goodmis.org>
	Cc: Johannes Berg <johannes.berg@intel.com>
	Cc: Gregory Greenman <gregory.greenman@intel.com>
	Fixes: 60e8abd9d3e91 ("iwlwifi: dbg_ini: add periodic trigger new API support")
	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
	Acked-by: Gregory Greenman <gregory.greenman@intel.com>
	Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Linux v5.17.3-rc1 and Debian LLVM-14
	Signed-off-by: Kalle Valo <kvalo@kernel.org>
	Link: https://lore.kernel.org/r/20220411154210.1870008-1-linux@roeck-us.net
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
	index 125479b5c0d6..fc4197bf2478 100644
	--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
	+++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
	@@ -322,7 +322,7 @@ void iwl_dbg_tlv_del_timers(struct iwl_trans *trans)
	struct iwl_dbg_tlv_timer_node node, tmp;

	list_for_each_entry_safe(node, tmp, timer_list, list) {
	- del_timer(&node->timer);
	+ del_timer_sync(&node->timer);
	list_del(&node->list);
	kfree(node);
	}
	--
	2.35.1