--- /dev/null
+From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Tue, 27 Apr 2021 13:54:33 -0500
+Subject: ACPI: custom_method: fix a possible memory leak
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream.
+
+In cm_write(), if the 'buf' is allocated memory but not fully consumed,
+it is possible to reallocate the buffer without freeing it by passing
+'*ppos' as 0 on a subsequent call.
+
+Add an explicit kfree() before kzalloc() to prevent the possible memory
+leak.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -44,6 +44,8 @@ static ssize_t cm_write(struct file *fil
+ sizeof(struct acpi_table_header)))
+ return -EFAULT;
+ uncopied_bytes = max_size = table.length;
++ /* make sure the buf is not allocated */
++ kfree(buf);
+ buf = kzalloc(max_size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
--- /dev/null
+From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Fri, 23 Apr 2021 10:28:17 -0500
+Subject: ACPI: custom_method: fix potential use-after-free issue
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream.
+
+In cm_write(), buf is always freed when reaching the end of the
+function. If the requested count is less than table.length, the
+allocated buffer will be freed but subsequent calls to cm_write() will
+still try to access it.
+
+Remove the unconditional kfree(buf) at the end of the function and
+set the buf to NULL in the -EINVAL error path to match the rest of
+function.
+
+Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -57,6 +57,7 @@ static ssize_t cm_write(struct file *fil
+ (*ppos + count < count) ||
+ (count > uncopied_bytes)) {
+ kfree(buf);
++ buf = NULL;
+ return -EINVAL;
+ }
+
+@@ -78,7 +79,6 @@ static ssize_t cm_write(struct file *fil
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
+- kfree(buf);
+ return count;
+ }
+
--- /dev/null
+From c4e792d1acce31c2eb7b9193ab06ab94de05bf42 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 5 Feb 2021 19:23:00 +0100
+Subject: ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit c4e792d1acce31c2eb7b9193ab06ab94de05bf42 upstream.
+
+The LLVM ld.lld linker uses a different symbol type for __bss_start,
+resulting in the calculation of KBSS_SZ to be thrown off. Up until now,
+this has gone unnoticed as it only affects the appended DTB case, but
+pending changes for ARM in the way the decompressed kernel is cleaned
+from the caches has uncovered this problem.
+
+On a ld.lld build:
+
+ $ nm vmlinux |grep bss_
+ c1c22034 D __bss_start
+ c1c86e98 B __bss_stop
+
+resulting in
+
+ $ readelf -s arch/arm/boot/compressed/vmlinux | grep bss_size
+ 433: c1c86e98 0 NOTYPE GLOBAL DEFAULT ABS _kernel_bss_size
+
+which is obviously incorrect, and may cause the cache clean to access
+unmapped memory, or cause the size calculation to wrap, resulting in no
+cache clean to be performed at all.
+
+Fix this by updating the sed regex to take D type symbols into account.
+
+Link: https://lore.kernel.org/linux-arm-kernel/6c65bcef-d4e7-25fa-43cf-2c435bb61bb9@collabora.com/
+Link: https://lore.kernel.org/linux-arm-kernel/20210205085220.31232-1-ardb@kernel.org/
+
+Cc: <stable@vger.kernel.org> # v4.19+
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Reported-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Reported-by: "kernelci.org bot" <bot@kernelci.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/compressed/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -122,8 +122,8 @@ asflags-y := -DZIMAGE
+
+ # Supply kernel BSS size to the decompressor via a linker symbol.
+ KBSS_SZ = $(shell echo $$(($$($(NM) $(obj)/../../../../vmlinux | \
+- sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \
+- -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) )
++ sed -n -e 's/^\([^ ]*\) [ABD] __bss_start$$/-0x\1/p' \
++ -e 's/^\([^ ]*\) [ABD] __bss_stop$$/+0x\1/p') )) )
+ LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ)
+ # Supply ZRELADDR to the decompressor via a linker symbol.
+ ifneq ($(CONFIG_AUTO_ZRELADDR),y)
--- /dev/null
+From 1d88358a89dbac9c7d4559548b9a44840456e6fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Thu, 14 Jan 2021 13:40:23 +0100
+Subject: arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek BehĂșn <kabel@kernel.org>
+
+commit 1d88358a89dbac9c7d4559548b9a44840456e6fb upstream.
+
+Add "syscon" compatible to the North Bridge clocks node to allow the
+cpufreq driver to access these registers via syscon API.
+
+This is needed for a fix of cpufreq driver.
+
+Signed-off-by: Marek BehĂșn <kabel@kernel.org>
+Fixes: e8d66e7927b2 ("arm64: dts: marvell: armada-37xx: add nodes...")
+Cc: stable@vger.kernel.org
+Cc: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+@@ -156,7 +156,8 @@
+ };
+
+ nb_periph_clk: nb-periph-clk@13000 {
+- compatible = "marvell,armada-3700-periph-clock-nb";
++ compatible = "marvell,armada-3700-periph-clock-nb",
++ "syscon";
+ reg = <0x13000 0x100>;
+ clocks = <&tbg 0>, <&tbg 1>, <&tbg 2>,
+ <&tbg 3>, <&xtalclk>;
--- /dev/null
+From e4e5d030bd779fb8321d3b8bd65406fbe0827037 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Tue, 16 Mar 2021 17:22:24 +0800
+Subject: arm64: dts: mt8173: fix property typo of 'phys' in dsi node
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit e4e5d030bd779fb8321d3b8bd65406fbe0827037 upstream.
+
+Use 'phys' instead of 'phy'.
+
+Fixes: 81ad4dbaf7af ("arm64: dts: mt8173: Add display subsystem related nodes")
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Reviewed-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210316092232.9806-5-chunfeng.yun@mediatek.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+@@ -1137,7 +1137,7 @@
+ <&mmsys CLK_MM_DSI1_DIGITAL>,
+ <&mipi_tx1>;
+ clock-names = "engine", "digital", "hs";
+- phy = <&mipi_tx1>;
++ phys = <&mipi_tx1>;
+ phy-names = "dphy";
+ status = "disabled";
+ };
--- /dev/null
+From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Date: Fri, 26 Feb 2021 15:00:23 -0600
+Subject: ecryptfs: fix kernel panic with null dev_name
+
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+
+commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream.
+
+When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount()
+causes a kernel panic if the parsed options are valid. The easiest way to
+reproduce this is to call mount() from userspace with an existing
+eCryptfs mount's options and a "source" argument of 0.
+
+Error out if "dev_name" is null in ecryptfs_mount()
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ecryptfs/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -492,6 +492,12 @@ static struct dentry *ecryptfs_mount(str
+ goto out;
+ }
+
++ if (!dev_name) {
++ rc = -EINVAL;
++ err = "Device name cannot be null";
++ goto out;
++ }
++
+ rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ if (rc) {
+ err = "Error parsing options";
--- /dev/null
+From 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@redhat.com>
+Date: Mon, 29 Mar 2021 08:36:14 +0800
+Subject: erofs: add unsupported inode i_format check
+
+From: Gao Xiang <hsiangkao@redhat.com>
+
+commit 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 upstream.
+
+If any unknown i_format fields are set (may be of some new incompat
+inode features), mark such inode as unsupported.
+
+Just in case of any new incompat i_format fields added in the future.
+
+Link: https://lore.kernel.org/r/20210329003614.6583-1-hsiangkao@aol.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+Cc: <stable@vger.kernel.org> # 4.19+
+Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/erofs_fs.h | 3 +++
+ fs/erofs/inode.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/erofs/erofs_fs.h
++++ b/fs/erofs/erofs_fs.h
+@@ -74,6 +74,9 @@ static inline bool erofs_inode_is_data_c
+ #define EROFS_I_VERSION_BIT 0
+ #define EROFS_I_DATALAYOUT_BIT 1
+
++#define EROFS_I_ALL \
++ ((1 << (EROFS_I_DATALAYOUT_BIT + EROFS_I_DATALAYOUT_BITS)) - 1)
++
+ /* 32-byte reduced form of an ondisk inode */
+ struct erofs_inode_compact {
+ __le16 i_format; /* inode format hints */
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -44,6 +44,13 @@ static struct page *erofs_read_inode(str
+ dic = page_address(page) + *ofs;
+ ifmt = le16_to_cpu(dic->i_format);
+
++ if (ifmt & ~EROFS_I_ALL) {
++ erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
++ ifmt, vi->nid);
++ err = -EOPNOTSUPP;
++ goto err_out;
++ }
++
+ vi->datalayout = erofs_inode_datalayout(ifmt);
+ if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
+ erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
--- /dev/null
+From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 5 May 2021 10:38:24 -0400
+Subject: ftrace: Handle commands when closing set_ftrace_filter file
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream.
+
+ # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+will cause switch_mm to stop tracing by the traceoff command.
+
+ # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+does nothing.
+
+The reason is that the parsing in the write function only processes
+commands if it finished parsing (there is white space written after the
+command). That's to handle:
+
+ write(fd, "switch_mm:", 10);
+ write(fd, "traceoff", 8);
+
+cases, where the command is broken over multiple writes.
+
+The problem is if the file descriptor is closed, then the write call is
+not processed, and the command needs to be processed in the release code.
+The release code can handle matching of functions, but does not handle
+commands.
+
+Cc: stable@vger.kernel.org
+Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5053,7 +5053,10 @@ int ftrace_regex_release(struct inode *i
+
+ parser = &iter->parser;
+ if (trace_parser_loaded(parser)) {
+- ftrace_match_records(iter->hash, parser->buffer, parser->idx);
++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE);
++
++ ftrace_process_regex(iter, parser->buffer,
++ parser->idx, enable);
+ }
+
+ trace_parser_put(parser);
--- /dev/null
+From 97fce126e279690105ee15be652b465fd96f9997 Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@wdc.com>
+Date: Sun, 25 Apr 2021 09:02:06 +0300
+Subject: mmc: block: Issue a cache flush only when it's enabled
+
+From: Avri Altman <avri.altman@wdc.com>
+
+commit 97fce126e279690105ee15be652b465fd96f9997 upstream.
+
+In command queueing mode, the cache isn't flushed via the mmc_flush_cache()
+function, but instead by issuing a CMDQ_TASK_MGMT (CMD48) with a
+FLUSH_CACHE opcode. In this path, we need to check if cache has been
+enabled, before deciding to flush the cache, along the lines of what's
+being done in mmc_flush_cache().
+
+To fix this problem, let's add a new bus ops callback ->cache_enabled() and
+implement it for the mmc bus type. In this way, the mmc block device driver
+can call it to know whether cache flushing should be done.
+
+Fixes: 1e8e55b67030 (mmc: block: Add CQE support)
+Cc: stable@vger.kernel.org
+Reported-by: Brendan Peter <bpeter@lytx.com>
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Tested-by: Brendan Peter <bpeter@lytx.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20210425060207.2591-2-avri.altman@wdc.com
+Link: https://lore.kernel.org/r/20210425060207.2591-3-avri.altman@wdc.com
+[Ulf: Squashed the two patches and made some minor updates]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 4 ++++
+ drivers/mmc/core/core.h | 9 +++++++++
+ drivers/mmc/core/mmc.c | 7 +++++++
+ drivers/mmc/core/mmc_ops.c | 4 +---
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2227,6 +2227,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru
+ case MMC_ISSUE_ASYNC:
+ switch (req_op(req)) {
+ case REQ_OP_FLUSH:
++ if (!mmc_cache_enabled(host)) {
++ blk_mq_end_request(req, BLK_STS_OK);
++ return MMC_REQ_FINISHED;
++ }
+ ret = mmc_blk_cqe_issue_flush(mq, req);
+ break;
+ case REQ_OP_READ:
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -29,6 +29,7 @@ struct mmc_bus_ops {
+ int (*shutdown)(struct mmc_host *);
+ int (*hw_reset)(struct mmc_host *);
+ int (*sw_reset)(struct mmc_host *);
++ bool (*cache_enabled)(struct mmc_host *);
+ };
+
+ void mmc_attach_bus(struct mmc_host *host, const struct mmc_bus_ops *ops);
+@@ -171,4 +172,12 @@ static inline void mmc_post_req(struct m
+ host->ops->post_req(host, mrq, err);
+ }
+
++static inline bool mmc_cache_enabled(struct mmc_host *host)
++{
++ if (host->bus_ops->cache_enabled)
++ return host->bus_ops->cache_enabled(host);
++
++ return false;
++}
++
+ #endif
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -2019,6 +2019,12 @@ static void mmc_detect(struct mmc_host *
+ }
+ }
+
++static bool _mmc_cache_enabled(struct mmc_host *host)
++{
++ return host->card->ext_csd.cache_size > 0 &&
++ host->card->ext_csd.cache_ctrl & 1;
++}
++
+ static int _mmc_suspend(struct mmc_host *host, bool is_suspend)
+ {
+ int err = 0;
+@@ -2197,6 +2203,7 @@ static const struct mmc_bus_ops mmc_ops
+ .alive = mmc_alive,
+ .shutdown = mmc_shutdown,
+ .hw_reset = _mmc_hw_reset,
++ .cache_enabled = _mmc_cache_enabled,
+ };
+
+ /*
+--- a/drivers/mmc/core/mmc_ops.c
++++ b/drivers/mmc/core/mmc_ops.c
+@@ -959,9 +959,7 @@ int mmc_flush_cache(struct mmc_card *car
+ {
+ int err = 0;
+
+- if (mmc_card_mmc(card) &&
+- (card->ext_csd.cache_size > 0) &&
+- (card->ext_csd.cache_ctrl & 1)) {
++ if (mmc_cache_enabled(card->host)) {
+ err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
+ EXT_CSD_FLUSH_CACHE, 1, 0);
+ if (err)
--- /dev/null
+From aea0440ad023ab0662299326f941214b0d7480bd Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@wdc.com>
+Date: Tue, 20 Apr 2021 16:46:41 +0300
+Subject: mmc: block: Update ext_csd.cache_ctrl if it was written
+
+From: Avri Altman <avri.altman@wdc.com>
+
+commit aea0440ad023ab0662299326f941214b0d7480bd upstream.
+
+The cache function can be turned ON and OFF by writing to the CACHE_CTRL
+byte (EXT_CSD byte [33]). However, card->ext_csd.cache_ctrl is only
+set on init if cache size > 0.
+
+Fix that by explicitly setting ext_csd.cache_ctrl on ext-csd write.
+
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210420134641.57343-3-avri.altman@wdc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -622,6 +622,18 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ }
+
+ /*
++ * Make sure to update CACHE_CTRL in case it was changed. The cache
++ * will get turned back on if the card is re-initialized, e.g.
++ * suspend/resume or hw reset in recovery.
++ */
++ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_CACHE_CTRL) &&
++ (cmd.opcode == MMC_SWITCH)) {
++ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg) & 1;
++
++ card->ext_csd.cache_ctrl = value;
++ }
++
++ /*
+ * According to the SD specs, some commands require a delay after
+ * issuing the command.
+ */
--- /dev/null
+From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+Date: Wed, 10 Feb 2021 13:59:36 +0900
+Subject: mmc: core: Do a power cycle when the CMD11 fails
+
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+
+commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream.
+
+A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure
+into 1.8V I/O. According to the SD spec a power cycle is needed of the
+card, if it turns out that the CMD11 fails. Let's fix this, to allow a
+retry of the initialization without the voltage switch, to succeed.
+
+Note that, whether it makes sense to also retry with the voltage switch
+after the power cycle is a bit more difficult to know. At this point, we
+treat it like the CMD11 isn't supported and therefore we skip it when
+retrying.
+
+Signed-off-by: DooHyun Hwang <dh0421.hwang@samsung.com>
+Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1221,7 +1221,7 @@ int mmc_set_uhs_voltage(struct mmc_host
+
+ err = mmc_wait_for_cmd(host, &cmd, 0);
+ if (err)
+- return err;
++ goto power_cycle;
+
+ if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR))
+ return -EIO;
--- /dev/null
+From 17a17bf50612e6048a9975450cf1bd30f93815b5 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 10 Mar 2021 16:29:00 +0100
+Subject: mmc: core: Fix hanging on I/O during system suspend for removable cards
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 17a17bf50612e6048a9975450cf1bd30f93815b5 upstream.
+
+The mmc core uses a PM notifier to temporarily during system suspend, turn
+off the card detection mechanism for removal/insertion of (e)MMC/SD/SDIO
+cards. Additionally, the notifier may be used to remove an SDIO card
+entirely, if a corresponding SDIO functional driver don't have the system
+suspend/resume callbacks assigned. This behaviour has been around for a
+very long time.
+
+However, a recent bug report tells us there are problems with this
+approach. More precisely, when receiving the PM_SUSPEND_PREPARE
+notification, we may end up hanging on I/O to be completed, thus also
+preventing the system from getting suspended.
+
+In the end what happens, is that the cancel_delayed_work_sync() in
+mmc_pm_notify() ends up waiting for mmc_rescan() to complete - and since
+mmc_rescan() wants to claim the host, it needs to wait for the I/O to be
+completed first.
+
+Typically, this problem is triggered in Android, if there is ongoing I/O
+while the user decides to suspend, resume and then suspend the system
+again. This due to that after the resume, an mmc_rescan() work gets punted
+to the workqueue, which job is to verify that the card remains inserted
+after the system has resumed.
+
+To fix this problem, userspace needs to become frozen to suspend the I/O,
+prior to turning off the card detection mechanism. Therefore, let's drop
+the PM notifiers for mmc subsystem altogether and rely on the card
+detection to be turned off/on as a part of the system_freezable_wq, that we
+are already using.
+
+Moreover, to allow and SDIO card to be removed during system suspend, let's
+manage this from a ->prepare() callback, assigned at the mmc_host_class
+level. In this way, we can use the parent device (the mmc_host_class
+device), to remove the card device that is the child, in the
+device_prepare() phase.
+
+Reported-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20210310152900.149380-1-ulf.hansson@linaro.org
+Reviewed-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 74 -----------------------------------------------
+ drivers/mmc/core/core.h | 8 -----
+ drivers/mmc/core/host.c | 40 +++++++++++++++++++++++--
+ drivers/mmc/core/sdio.c | 28 +++++++++++++----
+ include/linux/mmc/host.h | 3 -
+ 5 files changed, 59 insertions(+), 94 deletions(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2392,80 +2392,6 @@ void mmc_stop_host(struct mmc_host *host
+ mmc_release_host(host);
+ }
+
+-#ifdef CONFIG_PM_SLEEP
+-/* Do the card removal on suspend if card is assumed removeable
+- * Do that in pm notifier while userspace isn't yet frozen, so we will be able
+- to sync the card.
+-*/
+-static int mmc_pm_notify(struct notifier_block *notify_block,
+- unsigned long mode, void *unused)
+-{
+- struct mmc_host *host = container_of(
+- notify_block, struct mmc_host, pm_notify);
+- unsigned long flags;
+- int err = 0;
+-
+- switch (mode) {
+- case PM_HIBERNATION_PREPARE:
+- case PM_SUSPEND_PREPARE:
+- case PM_RESTORE_PREPARE:
+- spin_lock_irqsave(&host->lock, flags);
+- host->rescan_disable = 1;
+- spin_unlock_irqrestore(&host->lock, flags);
+- cancel_delayed_work_sync(&host->detect);
+-
+- if (!host->bus_ops)
+- break;
+-
+- /* Validate prerequisites for suspend */
+- if (host->bus_ops->pre_suspend)
+- err = host->bus_ops->pre_suspend(host);
+- if (!err)
+- break;
+-
+- if (!mmc_card_is_removable(host)) {
+- dev_warn(mmc_dev(host),
+- "pre_suspend failed for non-removable host: "
+- "%d\n", err);
+- /* Avoid removing non-removable hosts */
+- break;
+- }
+-
+- /* Calling bus_ops->remove() with a claimed host can deadlock */
+- host->bus_ops->remove(host);
+- mmc_claim_host(host);
+- mmc_detach_bus(host);
+- mmc_power_off(host);
+- mmc_release_host(host);
+- host->pm_flags = 0;
+- break;
+-
+- case PM_POST_SUSPEND:
+- case PM_POST_HIBERNATION:
+- case PM_POST_RESTORE:
+-
+- spin_lock_irqsave(&host->lock, flags);
+- host->rescan_disable = 0;
+- spin_unlock_irqrestore(&host->lock, flags);
+- _mmc_detect_change(host, 0, false);
+-
+- }
+-
+- return 0;
+-}
+-
+-void mmc_register_pm_notifier(struct mmc_host *host)
+-{
+- host->pm_notify.notifier_call = mmc_pm_notify;
+- register_pm_notifier(&host->pm_notify);
+-}
+-
+-void mmc_unregister_pm_notifier(struct mmc_host *host)
+-{
+- unregister_pm_notifier(&host->pm_notify);
+-}
+-#endif
+-
+ static int __init mmc_init(void)
+ {
+ int ret;
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -94,14 +94,6 @@ int mmc_execute_tuning(struct mmc_card *
+ int mmc_hs200_to_hs400(struct mmc_card *card);
+ int mmc_hs400_to_hs200(struct mmc_card *card);
+
+-#ifdef CONFIG_PM_SLEEP
+-void mmc_register_pm_notifier(struct mmc_host *host);
+-void mmc_unregister_pm_notifier(struct mmc_host *host);
+-#else
+-static inline void mmc_register_pm_notifier(struct mmc_host *host) { }
+-static inline void mmc_unregister_pm_notifier(struct mmc_host *host) { }
+-#endif
+-
+ void mmc_wait_for_req_done(struct mmc_host *host, struct mmc_request *mrq);
+ bool mmc_is_req_done(struct mmc_host *host, struct mmc_request *mrq);
+
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -33,6 +33,42 @@
+
+ static DEFINE_IDA(mmc_host_ida);
+
++#ifdef CONFIG_PM_SLEEP
++static int mmc_host_class_prepare(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ /*
++ * It's safe to access the bus_ops pointer, as both userspace and the
++ * workqueue for detecting cards are frozen at this point.
++ */
++ if (!host->bus_ops)
++ return 0;
++
++ /* Validate conditions for system suspend. */
++ if (host->bus_ops->pre_suspend)
++ return host->bus_ops->pre_suspend(host);
++
++ return 0;
++}
++
++static void mmc_host_class_complete(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ _mmc_detect_change(host, 0, false);
++}
++
++static const struct dev_pm_ops mmc_host_class_dev_pm_ops = {
++ .prepare = mmc_host_class_prepare,
++ .complete = mmc_host_class_complete,
++};
++
++#define MMC_HOST_CLASS_DEV_PM_OPS (&mmc_host_class_dev_pm_ops)
++#else
++#define MMC_HOST_CLASS_DEV_PM_OPS NULL
++#endif
++
+ static void mmc_host_classdev_release(struct device *dev)
+ {
+ struct mmc_host *host = cls_dev_to_mmc_host(dev);
+@@ -43,6 +79,7 @@ static void mmc_host_classdev_release(st
+ static struct class mmc_host_class = {
+ .name = "mmc_host",
+ .dev_release = mmc_host_classdev_release,
++ .pm = MMC_HOST_CLASS_DEV_PM_OPS,
+ };
+
+ int mmc_register_host_class(void)
+@@ -477,8 +514,6 @@ int mmc_add_host(struct mmc_host *host)
+ #endif
+
+ mmc_start_host(host);
+- mmc_register_pm_notifier(host);
+-
+ return 0;
+ }
+
+@@ -494,7 +529,6 @@ EXPORT_SYMBOL(mmc_add_host);
+ */
+ void mmc_remove_host(struct mmc_host *host)
+ {
+- mmc_unregister_pm_notifier(host);
+ mmc_stop_host(host);
+
+ #ifdef CONFIG_DEBUG_FS
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -924,21 +924,37 @@ out:
+ */
+ static int mmc_sdio_pre_suspend(struct mmc_host *host)
+ {
+- int i, err = 0;
++ int i;
+
+ for (i = 0; i < host->card->sdio_funcs; i++) {
+ struct sdio_func *func = host->card->sdio_func[i];
+ if (func && sdio_func_present(func) && func->dev.driver) {
+ const struct dev_pm_ops *pmops = func->dev.driver->pm;
+- if (!pmops || !pmops->suspend || !pmops->resume) {
++ if (!pmops || !pmops->suspend || !pmops->resume)
+ /* force removal of entire card in that case */
+- err = -ENOSYS;
+- break;
+- }
++ goto remove;
+ }
+ }
+
+- return err;
++ return 0;
++
++remove:
++ if (!mmc_card_is_removable(host)) {
++ dev_warn(mmc_dev(host),
++ "missing suspend/resume ops for non-removable SDIO card\n");
++ /* Don't remove a non-removable card - we can't re-detect it. */
++ return 0;
++ }
++
++ /* Remove the SDIO card and let it be re-detected later on. */
++ mmc_sdio_remove(host);
++ mmc_claim_host(host);
++ mmc_detach_bus(host);
++ mmc_power_off(host);
++ mmc_release_host(host);
++ host->pm_flags = 0;
++
++ return 0;
+ }
+
+ /*
+--- a/include/linux/mmc/host.h
++++ b/include/linux/mmc/host.h
+@@ -281,9 +281,6 @@ struct mmc_host {
+ u32 ocr_avail_sdio; /* SDIO-specific OCR */
+ u32 ocr_avail_sd; /* SD-specific OCR */
+ u32 ocr_avail_mmc; /* MMC-specific OCR */
+-#ifdef CONFIG_PM_SLEEP
+- struct notifier_block pm_notify;
+-#endif
+ u32 max_current_330;
+ u32 max_current_300;
+ u32 max_current_180;
--- /dev/null
+From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001
+From: Seunghui Lee <sh043.lee@samsung.com>
+Date: Mon, 22 Feb 2021 17:31:56 +0900
+Subject: mmc: core: Set read only for SD cards with permanent write protect bit
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream.
+
+Some of SD cards sets permanent write protection bit in their CSD register,
+due to lifespan or internal problem. To avoid unnecessary I/O write
+operations, let's parse the bits in the CSD during initialization and mark
+the card as read only for this case.
+
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -135,6 +135,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1;
+ csd->erase_size <<= csd->write_blkbits - 9;
+ }
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ case 1:
+ /*
+@@ -169,6 +172,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->write_blkbits = 9;
+ csd->write_partial = 0;
+ csd->erase_size = 1;
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ default:
+ pr_err("%s: unrecognised CSD structure version %d\n",
--- /dev/null
+From 21e35e898aa9ef7781632959db8613a5380f2eae Mon Sep 17 00:00:00 2001
+From: Pradeep P V K <pragalla@codeaurora.org>
+Date: Wed, 3 Mar 2021 14:02:11 +0530
+Subject: mmc: sdhci: Check for reset prior to DMA address unmap
+
+From: Pradeep P V K <pragalla@codeaurora.org>
+
+commit 21e35e898aa9ef7781632959db8613a5380f2eae upstream.
+
+For data read commands, SDHC may initiate data transfers even before it
+completely process the command response. In case command itself fails,
+driver un-maps the memory associated with data transfer but this memory
+can still be accessed by SDHC for the already initiated data transfer.
+This scenario can lead to un-mapped memory access error.
+
+To avoid this scenario, reset SDHC (when command fails) prior to
+un-mapping memory. Resetting SDHC ensures that all in-flight data
+transfers are either aborted or completed. So we don't run into this
+scenario.
+
+Swap the reset, un-map steps sequence in sdhci_request_done().
+
+Suggested-by: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+Signed-off-by: Pradeep P V K <pragalla@codeaurora.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1614760331-43499-1-git-send-email-pragalla@qti.qualcomm.com
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 60 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 31 insertions(+), 29 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2648,6 +2648,37 @@ static bool sdhci_request_done(struct sd
+ }
+
+ /*
++ * The controller needs a reset of internal state machines
++ * upon error conditions.
++ */
++ if (sdhci_needs_reset(host, mrq)) {
++ /*
++ * Do not finish until command and data lines are available for
++ * reset. Note there can only be one other mrq, so it cannot
++ * also be in mrqs_done, otherwise host->cmd and host->data_cmd
++ * would both be null.
++ */
++ if (host->cmd || host->data_cmd) {
++ spin_unlock_irqrestore(&host->lock, flags);
++ return true;
++ }
++
++ /* Some controllers need this kick or reset won't work here */
++ if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET)
++ /* This is to force an update */
++ host->ops->set_clock(host, host->clock);
++
++ /*
++ * Spec says we should do both at the same time, but Ricoh
++ * controllers do not like that.
++ */
++ sdhci_do_reset(host, SDHCI_RESET_CMD);
++ sdhci_do_reset(host, SDHCI_RESET_DATA);
++
++ host->pending_reset = false;
++ }
++
++ /*
+ * Always unmap the data buffers if they were mapped by
+ * sdhci_prepare_data() whenever we finish with a request.
+ * This avoids leaking DMA mappings on error.
+@@ -2699,35 +2730,6 @@ static bool sdhci_request_done(struct sd
+ }
+ }
+
+- /*
+- * The controller needs a reset of internal state machines
+- * upon error conditions.
+- */
+- if (sdhci_needs_reset(host, mrq)) {
+- /*
+- * Do not finish until command and data lines are available for
+- * reset. Note there can only be one other mrq, so it cannot
+- * also be in mrqs_done, otherwise host->cmd and host->data_cmd
+- * would both be null.
+- */
+- if (host->cmd || host->data_cmd) {
+- spin_unlock_irqrestore(&host->lock, flags);
+- return true;
+- }
+-
+- /* Some controllers need this kick or reset won't work here */
+- if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET)
+- /* This is to force an update */
+- host->ops->set_clock(host, host->clock);
+-
+- /* Spec says we should do both at the same time, but Ricoh
+- controllers do not like that. */
+- sdhci_do_reset(host, SDHCI_RESET_CMD);
+- sdhci_do_reset(host, SDHCI_RESET_DATA);
+-
+- host->pending_reset = false;
+- }
+-
+ host->mrqs_done[i] = NULL;
+
+ spin_unlock_irqrestore(&host->lock, flags);
--- /dev/null
+From 2970134b927834e9249659a70aac48e62dff804a Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 31 Mar 2021 11:17:52 +0300
+Subject: mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 2970134b927834e9249659a70aac48e62dff804a upstream.
+
+Bus power may control card power, but the full reset done by SDHCI at
+initialization still may not reset the power, whereas a direct write to
+SDHCI_POWER_CONTROL can. That might be needed to initialize correctly, if
+the card was left powered on previously.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210331081752.23621-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-core.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -520,6 +520,7 @@ struct intel_host {
+ int drv_strength;
+ bool d3_retune;
+ bool rpm_retune_ok;
++ bool needs_pwr_off;
+ u32 glk_rx_ctrl1;
+ u32 glk_tun_val;
+ u32 active_ltr;
+@@ -647,9 +648,25 @@ out:
+ static void sdhci_intel_set_power(struct sdhci_host *host, unsigned char mode,
+ unsigned short vdd)
+ {
++ struct sdhci_pci_slot *slot = sdhci_priv(host);
++ struct intel_host *intel_host = sdhci_pci_priv(slot);
+ int cntr;
+ u8 reg;
+
++ /*
++ * Bus power may control card power, but a full reset still may not
++ * reset the power, whereas a direct write to SDHCI_POWER_CONTROL can.
++ * That might be needed to initialize correctly, if the card was left
++ * powered on previously.
++ */
++ if (intel_host->needs_pwr_off) {
++ intel_host->needs_pwr_off = false;
++ if (mode != MMC_POWER_OFF) {
++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
++ usleep_range(10000, 12500);
++ }
++ }
++
+ sdhci_set_power(host, mode, vdd);
+
+ if (mode == MMC_POWER_OFF)
+@@ -1139,6 +1156,14 @@ static int byt_sdio_probe_slot(struct sd
+ return 0;
+ }
+
++static void byt_needs_pwr_off(struct sdhci_pci_slot *slot)
++{
++ struct intel_host *intel_host = sdhci_pci_priv(slot);
++ u8 reg = sdhci_readb(slot->host, SDHCI_POWER_CONTROL);
++
++ intel_host->needs_pwr_off = reg & SDHCI_POWER_ON;
++}
++
+ static int byt_sd_probe_slot(struct sdhci_pci_slot *slot)
+ {
+ byt_probe_slot(slot);
+@@ -1156,6 +1181,8 @@ static int byt_sd_probe_slot(struct sdhc
+ slot->chip->pdev->subsystem_device == PCI_SUBDEVICE_ID_NI_78E3)
+ slot->host->mmc->caps2 |= MMC_CAP2_AVOID_3_3V;
+
++ byt_needs_pwr_off(slot);
++
+ return 0;
+ }
+
--- /dev/null
+From e29c84857e2d51aa017ce04284b962742fb97d9e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 20 Feb 2021 15:29:53 +0100
+Subject: mmc: uniphier-sd: Fix a resource leak in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit e29c84857e2d51aa017ce04284b962742fb97d9e upstream.
+
+A 'tmio_mmc_host_free()' call is missing in the remove function, in order
+to balance a 'tmio_mmc_host_alloc()' call in the probe.
+This is done in the error handling path of the probe, but not in the remove
+function.
+
+Add the missing call.
+
+Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210220142953.918608-1-christophe.jaillet@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/uniphier-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/uniphier-sd.c
++++ b/drivers/mmc/host/uniphier-sd.c
+@@ -664,6 +664,7 @@ static int uniphier_sd_remove(struct pla
+
+ tmio_mmc_host_remove(host);
+ uniphier_sd_clk_disable(host);
++ tmio_mmc_host_free(host);
+
+ return 0;
+ }
--- /dev/null
+From b03aec1c1f337dfdae44cdb0645ecac34208ae0a Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 20 Feb 2021 15:29:35 +0100
+Subject: mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit b03aec1c1f337dfdae44cdb0645ecac34208ae0a upstream.
+
+A 'uniphier_sd_clk_enable()' call should be balanced by a corresponding
+'uniphier_sd_clk_disable()' call.
+This is done in the remove function, but not in the error handling path of
+the probe.
+
+Add the missing call.
+
+Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210220142935.918554-1-christophe.jaillet@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/uniphier-sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/uniphier-sd.c
++++ b/drivers/mmc/host/uniphier-sd.c
+@@ -639,7 +639,7 @@ static int uniphier_sd_probe(struct plat
+
+ ret = tmio_mmc_host_probe(host);
+ if (ret)
+- goto free_host;
++ goto disable_clk;
+
+ ret = devm_request_irq(dev, irq, tmio_mmc_irq, IRQF_SHARED,
+ dev_name(dev), host);
+@@ -650,6 +650,8 @@ static int uniphier_sd_probe(struct plat
+
+ remove_host:
+ tmio_mmc_host_remove(host);
++disable_clk:
++ uniphier_sd_clk_disable(host);
+ free_host:
+ tmio_mmc_host_free(host);
+
--- /dev/null
+From 33cebf701e98dd12b01d39d1c644387b27c1a627 Mon Sep 17 00:00:00 2001
+From: "Kai Stuhlemmer (ebee Engineering)" <kai.stuhlemmer@ebee.de>
+Date: Mon, 22 Mar 2021 17:07:14 +0200
+Subject: mtd: rawnand: atmel: Update ecc_stats.corrected counter
+
+From: Kai Stuhlemmer (ebee Engineering) <kai.stuhlemmer@ebee.de>
+
+commit 33cebf701e98dd12b01d39d1c644387b27c1a627 upstream.
+
+Update MTD ECC statistics with the number of corrected bits.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai Stuhlemmer (ebee Engineering) <kai.stuhlemmer@ebee.de>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210322150714.101585-1-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -813,10 +813,12 @@ static int atmel_nand_pmecc_correct_data
+ NULL, 0,
+ chip->ecc.strength);
+
+- if (ret >= 0)
++ if (ret >= 0) {
++ mtd->ecc_stats.corrected += ret;
+ max_bitflips = max(ret, max_bitflips);
+- else
++ } else {
+ mtd->ecc_stats.failed++;
++ }
+
+ databuf += chip->ecc.size;
+ eccbuf += chip->ecc.bytes;
--- /dev/null
+From 25fefc88c71f47db0466570335e3f75f10952e7a Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Tue, 23 Mar 2021 17:37:19 +0000
+Subject: mtd: spinand: core: add missing MODULE_DEVICE_TABLE()
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 25fefc88c71f47db0466570335e3f75f10952e7a upstream.
+
+The module misses MODULE_DEVICE_TABLE() for both SPI and OF ID tables
+and thus never autoloads on ID matches.
+Add the missing declarations.
+Present since day-0 of spinand framework introduction.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210323173714.317884-1-alobakin@pm.me
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/spi/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1133,12 +1133,14 @@ static const struct spi_device_id spinan
+ { .name = "spi-nand" },
+ { /* sentinel */ },
+ };
++MODULE_DEVICE_TABLE(spi, spinand_ids);
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id spinand_of_ids[] = {
+ { .compatible = "spi-nand" },
+ { /* sentinel */ },
+ };
++MODULE_DEVICE_TABLE(of, spinand_of_ids);
+ #endif
+
+ static struct spi_mem_driver spinand_drv = {
--- /dev/null
+From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 20 Apr 2021 11:04:10 +0200
+Subject: s390/disassembler: increase ebpf disasm buffer size
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream.
+
+Current ebpf disassembly buffer size of 64 is too small. E.g. this line
+takes 65 bytes:
+01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0
+
+Double the buffer size like it is done for the kernel disassembly buffer.
+
+Fixes the following KASAN finding:
+
+UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380
+Write of size 1 at addr 001fff800ad5f970 by task test_progs/853
+
+CPU: 53 PID: 853 Comm: test_progs Not tainted
+5.12.0-rc7-23786-g23457d86b1f0-dirty #19
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+ [<0000000cd8e0538a>] show_stack+0x17a/0x1668
+ [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8
+ [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260
+ [<0000000cd75a8698>] kasan_report+0xc8/0x130
+ [<0000000cd6e26da4>] print_fn_code+0x34c/0x380
+ [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58
+ [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0
+ [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0
+ [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768
+ [<0000000cd6e0f392>] do_syscall+0x12a/0x220
+ [<0000000cd8e333f8>] __do_syscall+0x98/0xc8
+ [<0000000cd8e54834>] system_call+0x6c/0x94
+1 lock held by test_progs/853:
+ #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at:
+ kasan_report+0x96/0x130
+
+addr 001fff800ad5f970 is located in stack of task test_progs/853 at
+offset 96 in frame:
+ print_fn_code+0x0/0x380
+this frame has 1 object:
+ [32, 96) 'buffer'
+
+Memory state around the buggy address:
+ 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3
+ ^
+ 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/dis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -557,7 +557,7 @@ void show_code(struct pt_regs *regs)
+
+ void print_fn_code(unsigned char *code, unsigned long len)
+ {
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ int opsize, i;
+
+ while (len) {
--- /dev/null
+From 3c8604691d2acc7b7d4795d9695070de9eaa5828 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Tue, 30 Mar 2021 16:21:37 +0530
+Subject: scsi: mpt3sas: Block PCI config access from userspace during reset
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit 3c8604691d2acc7b7d4795d9695070de9eaa5828 upstream.
+
+While diag reset is in progress there is short duration where all access to
+controller's PCI config space from the host needs to be blocked. This is
+due to a hardware limitation of the IOC controllers.
+
+Block all access to controller's config space from userland applications by
+calling pci_cfg_access_lock() while diag reset is in progress and unlocking
+it again after the controller comes back to ready state.
+
+Link: https://lore.kernel.org/r/20210330105137.20728-1-sreekanth.reddy@broadcom.com
+Cc: stable@vger.kernel.org #v5.4.108+
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -6572,6 +6572,8 @@ _base_diag_reset(struct MPT3SAS_ADAPTER
+
+ ioc_info(ioc, "sending diag reset !!\n");
+
++ pci_cfg_access_lock(ioc->pdev);
++
+ drsprintk(ioc, ioc_info(ioc, "clear interrupts\n"));
+
+ count = 0;
+@@ -6653,10 +6655,12 @@ _base_diag_reset(struct MPT3SAS_ADAPTER
+ goto out;
+ }
+
++ pci_cfg_access_unlock(ioc->pdev);
+ ioc_info(ioc, "diag reset: SUCCESS\n");
+ return 0;
+
+ out:
++ pci_cfg_access_unlock(ioc->pdev);
+ ioc_err(ioc, "diag reset: FAILED\n");
+ return -EFAULT;
+ }
--- /dev/null
+From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001
+From: Arun Easi <aeasi@marvell.com>
+Date: Mon, 29 Mar 2021 01:52:23 -0700
+Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()
+
+From: Arun Easi <aeasi@marvell.com>
+
+commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream.
+
+ RIP: 0010:kmem_cache_free+0xfa/0x1b0
+ Call Trace:
+ qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
+ scsi_queue_rq+0x5e2/0xa40
+ __blk_mq_try_issue_directly+0x128/0x1d0
+ blk_mq_request_issue_directly+0x4e/0xb0
+
+Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
+allocated by upper layers. This fixes smatch warning of srb unintended
+free.
+
+Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com
+Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
+Cc: stable@vger.kernel.org # 5.5
+Reported-by: Laurence Oberman <loberman@redhat.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -983,8 +983,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
+ if (rval != QLA_SUCCESS) {
+ ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
+ "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
+- if (rval == QLA_INTERFACE_ERROR)
+- goto qc24_free_sp_fail_command;
+ goto qc24_host_busy_free_sp;
+ }
+
+@@ -996,11 +994,6 @@ qc24_host_busy_free_sp:
+ qc24_target_busy:
+ return SCSI_MLQUEUE_TARGET_BUSY;
+
+-qc24_free_sp_fail_command:
+- sp->free(sp);
+- CMD_SP(cmd) = NULL;
+- qla2xxx_rel_qpair_sp(sp->qpair, sp);
+-
+ qc24_fail_command:
+ cmd->scsi_done(cmd);
+
+s390-disassembler-increase-ebpf-disasm-buffer-size.patch
+acpi-custom_method-fix-potential-use-after-free-issue.patch
+acpi-custom_method-fix-a-possible-memory-leak.patch
+ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch
+arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch
+arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch
+arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch
+ecryptfs-fix-kernel-panic-with-null-dev_name.patch
+mtd-spinand-core-add-missing-module_device_table.patch
+mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch
+erofs-add-unsupported-inode-i_format-check.patch
+spi-spi-ti-qspi-free-dma-resources.patch
+scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch
+scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch
+mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch
+mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch
+mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch
+mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch
+mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch
+mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch
+mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
+mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
+mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch
--- /dev/null
+From 1d309cd688a76fb733f0089d36dc630327b32d59 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+Date: Thu, 18 Feb 2021 15:09:50 +0200
+Subject: spi: spi-ti-qspi: Free DMA resources
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+commit 1d309cd688a76fb733f0089d36dc630327b32d59 upstream.
+
+Release the RX channel and free the dma coherent memory when
+devm_spi_register_master() fails.
+
+Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20210218130950.90155-1-tudor.ambarus@microchip.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ti-qspi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -656,6 +656,17 @@ static int ti_qspi_runtime_resume(struct
+ return 0;
+ }
+
++static void ti_qspi_dma_cleanup(struct ti_qspi *qspi)
++{
++ if (qspi->rx_bb_addr)
++ dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
++ qspi->rx_bb_addr,
++ qspi->rx_bb_dma_addr);
++
++ if (qspi->rx_chan)
++ dma_release_channel(qspi->rx_chan);
++}
++
+ static const struct of_device_id ti_qspi_match[] = {
+ {.compatible = "ti,dra7xxx-qspi" },
+ {.compatible = "ti,am4372-qspi" },
+@@ -809,6 +820,8 @@ no_dma:
+ if (!ret)
+ return 0;
+
++ ti_qspi_dma_cleanup(qspi);
++
+ pm_runtime_disable(&pdev->dev);
+ free_master:
+ spi_master_put(master);
+@@ -827,12 +840,7 @@ static int ti_qspi_remove(struct platfor
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+- if (qspi->rx_bb_addr)
+- dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
+- qspi->rx_bb_addr,
+- qspi->rx_bb_dma_addr);
+- if (qspi->rx_chan)
+- dma_release_channel(qspi->rx_chan);
++ ti_qspi_dma_cleanup(qspi);
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
