--- /dev/null
+From 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Fri, 3 May 2019 14:22:08 -0700
+Subject: clk: rockchip: Don't yell about bad mmc phases when getting
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 6943b839721ad4a31ad2bacf6e71b21f2dfe3134 upstream.
+
+At boot time, my rk3288-veyron devices yell with 8 lines that look
+like this:
+ [ 0.000000] rockchip_mmc_get_phase: invalid clk rate
+
+This is because the clock framework at clk_register() time tries to
+get the phase but we don't have a parent yet.
+
+While the errors appear to be harmless they are still ugly and, in
+general, we don't want yells like this in the log unless they are
+important.
+
+There's no real reason to be yelling here. We can still return
+-EINVAL to indicate that the phase makes no sense without a parent.
+If someone really tries to do tuning and the clock is reported as 0
+then we'll see the yells in rockchip_mmc_set_phase().
+
+Fixes: 4bf59902b500 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -59,10 +59,8 @@ static int rockchip_mmc_get_phase(struct
+ u32 delay_num = 0;
+
+ /* See the comment for rockchip_mmc_set_phase below */
+- if (!rate) {
+- pr_err("%s: invalid clk rate\n", __func__);
++ if (!rate)
+ return -EINVAL;
+- }
+
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
--- /dev/null
+From ac43432cb1f5c2950408534987e57c2071e24d8f Mon Sep 17 00:00:00 2001
+From: Muchun Song <smuchun@gmail.com>
+Date: Sat, 27 Jul 2019 11:21:22 +0800
+Subject: driver core: Fix use-after-free and double free on glue directory
+
+From: Muchun Song <smuchun@gmail.com>
+
+commit ac43432cb1f5c2950408534987e57c2071e24d8f upstream.
+
+There is a race condition between removing glue directory and adding a new
+device under the glue dir. It can be reproduced in following test:
+
+CPU1: CPU2:
+
+device_add()
+ get_device_parent()
+ class_dir_create_and_add()
+ kobject_add_internal()
+ create_dir() // create glue_dir
+
+ device_add()
+ get_device_parent()
+ kobject_get() // get glue_dir
+
+device_del()
+ cleanup_glue_dir()
+ kobject_del(glue_dir)
+
+ kobject_add()
+ kobject_add_internal()
+ create_dir() // in glue_dir
+ sysfs_create_dir_ns()
+ kernfs_create_dir_ns(sd)
+
+ sysfs_remove_dir() // glue_dir->sd=NULL
+ sysfs_put() // free glue_dir->sd
+
+ // sd is freed
+ kernfs_new_node(sd)
+ kernfs_get(glue_dir)
+ kernfs_add_one()
+ kernfs_put()
+
+Before CPU1 remove last child device under glue dir, if CPU2 add a new
+device under glue dir, the glue_dir kobject reference count will be
+increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
+been called kernfs_create_dir_ns(), but not call kernfs_new_node().
+Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
+glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
+kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
+it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
+call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
+and call kernfs_put() to decrease reference count. Because the reference
+count is decremented to 0, it will also call kmem_cache_free() to free
+the glue_dir->sd again. This will result in double free.
+
+In order to avoid this happening, we also should make sure that kernfs_node
+for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
+1 to fix this race.
+
+The following calltrace is captured in kernel 4.14 with the following patch
+applied:
+
+commit 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+
+--------------------------------------------------------------------------
+[ 3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
+ Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
+....
+[ 3.633986] Call trace:
+[ 3.633991] kernfs_create_dir_ns+0xa8/0xb0
+[ 3.633994] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634001] kobject_add_internal+0x22c/0x3f0
+[ 3.634005] kobject_add+0xe4/0x118
+[ 3.634011] device_add+0x200/0x870
+[ 3.634017] _request_firmware+0x958/0xc38
+[ 3.634020] request_firmware_into_buf+0x4c/0x70
+....
+[ 3.634064] kernel BUG at .../mm/slub.c:294!
+ Here is BUG_ON(object == fp) in set_freepointer().
+....
+[ 3.634346] Call trace:
+[ 3.634351] kmem_cache_free+0x504/0x6b8
+[ 3.634355] kernfs_put+0x14c/0x1d8
+[ 3.634359] kernfs_create_dir_ns+0x88/0xb0
+[ 3.634362] sysfs_create_dir_ns+0x54/0xe8
+[ 3.634366] kobject_add_internal+0x22c/0x3f0
+[ 3.634370] kobject_add+0xe4/0x118
+[ 3.634374] device_add+0x200/0x870
+[ 3.634378] _request_firmware+0x958/0xc38
+[ 3.634381] request_firmware_into_buf+0x4c/0x70
+--------------------------------------------------------------------------
+
+Fixes: 726e41097920 ("drivers: core: Remove glue dirs from sysfs earlier")
+Signed-off-by: Muchun Song <smuchun@gmail.com>
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: Prateek Sood <prsood@codeaurora.org>
+Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -857,12 +857,63 @@ static inline struct kobject *get_glue_d
+ */
+ static void cleanup_glue_dir(struct device *dev, struct kobject *glue_dir)
+ {
++ unsigned int ref;
++
+ /* see if we live in a "glue" directory */
+ if (!live_in_glue_dir(glue_dir, dev))
+ return;
+
+ mutex_lock(&gdp_mutex);
+- if (!kobject_has_children(glue_dir))
++ /**
++ * There is a race condition between removing glue directory
++ * and adding a new device under the glue directory.
++ *
++ * CPU1: CPU2:
++ *
++ * device_add()
++ * get_device_parent()
++ * class_dir_create_and_add()
++ * kobject_add_internal()
++ * create_dir() // create glue_dir
++ *
++ * device_add()
++ * get_device_parent()
++ * kobject_get() // get glue_dir
++ *
++ * device_del()
++ * cleanup_glue_dir()
++ * kobject_del(glue_dir)
++ *
++ * kobject_add()
++ * kobject_add_internal()
++ * create_dir() // in glue_dir
++ * sysfs_create_dir_ns()
++ * kernfs_create_dir_ns(sd)
++ *
++ * sysfs_remove_dir() // glue_dir->sd=NULL
++ * sysfs_put() // free glue_dir->sd
++ *
++ * // sd is freed
++ * kernfs_new_node(sd)
++ * kernfs_get(glue_dir)
++ * kernfs_add_one()
++ * kernfs_put()
++ *
++ * Before CPU1 remove last child device under glue dir, if CPU2 add
++ * a new device under glue dir, the glue_dir kobject reference count
++ * will be increase to 2 in kobject_get(k). And CPU2 has been called
++ * kernfs_create_dir_ns(). Meanwhile, CPU1 call sysfs_remove_dir()
++ * and sysfs_put(). This result in glue_dir->sd is freed.
++ *
++ * Then the CPU2 will see a stale "empty" but still potentially used
++ * glue dir around in kernfs_new_node().
++ *
++ * In order to avoid this happening, we also should make sure that
++ * kernfs_node for glue_dir is released in CPU1 only when refcount
++ * for glue_dir kobj is 1.
++ */
++ ref = kref_read(&glue_dir->kref);
++ if (!kobject_has_children(glue_dir) && !--ref)
+ kobject_del(glue_dir);
+ kobject_put(glue_dir);
+ mutex_unlock(&gdp_mutex);
--- /dev/null
+From 336d4b138be2dad372b67a2388e42805c48aaa38 Mon Sep 17 00:00:00 2001
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+Date: Tue, 7 May 2019 18:25:41 +0800
+Subject: mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
+
+From: Xiaolei Li <xiaolei.li@mediatek.com>
+
+commit 336d4b138be2dad372b67a2388e42805c48aaa38 upstream.
+
+One main goal of the function mtk_nfc_update_ecc_stats is to check
+whether sectors are all empty. If they are empty, set these sectors's
+data buffer and OOB buffer as 0xff.
+
+But now, the sector OOB buffer pointer is wrongly assigned. We always
+do memset from sector 0.
+
+To fix this issue, pass start sector number to make OOB buffer pointer
+be properly assigned.
+
+Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device")
+Signed-off-by: Xiaolei Li <xiaolei.li@mediatek.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/mtk_nand.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/drivers/mtd/nand/mtk_nand.c
++++ b/drivers/mtd/nand/mtk_nand.c
+@@ -810,19 +810,21 @@ static int mtk_nfc_write_oob_std(struct
+ return ret & NAND_STATUS_FAIL ? -EIO : 0;
+ }
+
+-static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 sectors)
++static int mtk_nfc_update_ecc_stats(struct mtd_info *mtd, u8 *buf, u32 start,
++ u32 sectors)
+ {
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct mtk_nfc *nfc = nand_get_controller_data(chip);
+ struct mtk_nfc_nand_chip *mtk_nand = to_mtk_nand(chip);
+ struct mtk_ecc_stats stats;
++ u32 reg_size = mtk_nand->fdm.reg_size;
+ int rc, i;
+
+ rc = nfi_readl(nfc, NFI_STA) & STA_EMP_PAGE;
+ if (rc) {
+ memset(buf, 0xff, sectors * chip->ecc.size);
+ for (i = 0; i < sectors; i++)
+- memset(oob_ptr(chip, i), 0xff, mtk_nand->fdm.reg_size);
++ memset(oob_ptr(chip, start + i), 0xff, reg_size);
+ return 0;
+ }
+
+@@ -842,7 +844,7 @@ static int mtk_nfc_read_subpage(struct m
+ u32 spare = mtk_nand->spare_per_sector;
+ u32 column, sectors, start, end, reg;
+ dma_addr_t addr;
+- int bitflips;
++ int bitflips = 0;
+ size_t len;
+ u8 *buf;
+ int rc;
+@@ -910,14 +912,11 @@ static int mtk_nfc_read_subpage(struct m
+ if (rc < 0) {
+ dev_err(nfc->dev, "subpage done timeout\n");
+ bitflips = -EIO;
+- } else {
+- bitflips = 0;
+- if (!raw) {
+- rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
+- bitflips = rc < 0 ? -ETIMEDOUT :
+- mtk_nfc_update_ecc_stats(mtd, buf, sectors);
+- mtk_nfc_read_fdm(chip, start, sectors);
+- }
++ } else if (!raw) {
++ rc = mtk_ecc_wait_done(nfc->ecc, ECC_DECODE);
++ bitflips = rc < 0 ? -ETIMEDOUT :
++ mtk_nfc_update_ecc_stats(mtd, buf, start, sectors);
++ mtk_nfc_read_fdm(chip, start, sectors);
+ }
+
+ dma_unmap_single(nfc->dev, addr, len, DMA_FROM_DEVICE);
kvm-nvmx-handle-page-fault-in-vmread.patch
mips-vdso-prevent-use-of-smp_processor_id.patch
mips-vdso-use-same-m-float-cflag-as-the-kernel-proper.patch
+clk-rockchip-don-t-yell-about-bad-mmc-phases-when-getting.patch
+mtd-rawnand-mtk-fix-wrongly-assigned-oob-buffer-pointer-issue.patch
+driver-core-fix-use-after-free-and-double-free-on-glue-directory.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
