--- /dev/null
+From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Tue, 27 Apr 2021 13:54:33 -0500
+Subject: ACPI: custom_method: fix a possible memory leak
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream.
+
+In cm_write(), if the 'buf' is allocated memory but not fully consumed,
+it is possible to reallocate the buffer without freeing it by passing
+'*ppos' as 0 on a subsequent call.
+
+Add an explicit kfree() before kzalloc() to prevent the possible memory
+leak.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -37,6 +37,8 @@ static ssize_t cm_write(struct file *fil
+ sizeof(struct acpi_table_header)))
+ return -EFAULT;
+ uncopied_bytes = max_size = table.length;
++ /* make sure the buf is not allocated */
++ kfree(buf);
+ buf = kzalloc(max_size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
--- /dev/null
+From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Fri, 23 Apr 2021 10:28:17 -0500
+Subject: ACPI: custom_method: fix potential use-after-free issue
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream.
+
+In cm_write(), buf is always freed when reaching the end of the
+function. If the requested count is less than table.length, the
+allocated buffer will be freed but subsequent calls to cm_write() will
+still try to access it.
+
+Remove the unconditional kfree(buf) at the end of the function and
+set the buf to NULL in the -EINVAL error path to match the rest of
+function.
+
+Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -50,6 +50,7 @@ static ssize_t cm_write(struct file *fil
+ (*ppos + count < count) ||
+ (count > uncopied_bytes)) {
+ kfree(buf);
++ buf = NULL;
+ return -EINVAL;
+ }
+
+@@ -71,7 +72,6 @@ static ssize_t cm_write(struct file *fil
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
+- kfree(buf);
+ return count;
+ }
+
--- /dev/null
+From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Date: Fri, 26 Feb 2021 15:00:23 -0600
+Subject: ecryptfs: fix kernel panic with null dev_name
+
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+
+commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream.
+
+When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount()
+causes a kernel panic if the parsed options are valid. The easiest way to
+reproduce this is to call mount() from userspace with an existing
+eCryptfs mount's options and a "source" argument of 0.
+
+Error out if "dev_name" is null in ecryptfs_mount()
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ecryptfs/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -507,6 +507,12 @@ static struct dentry *ecryptfs_mount(str
+ goto out;
+ }
+
++ if (!dev_name) {
++ rc = -EINVAL;
++ err = "Device name cannot be null";
++ goto out;
++ }
++
+ rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ if (rc) {
+ err = "Error parsing options";
--- /dev/null
+From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+Date: Wed, 10 Feb 2021 13:59:36 +0900
+Subject: mmc: core: Do a power cycle when the CMD11 fails
+
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+
+commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream.
+
+A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure
+into 1.8V I/O. According to the SD spec a power cycle is needed of the
+card, if it turns out that the CMD11 fails. Let's fix this, to allow a
+retry of the initialization without the voltage switch, to succeed.
+
+Note that, whether it makes sense to also retry with the voltage switch
+after the power cycle is a bit more difficult to know. At this point, we
+treat it like the CMD11 isn't supported and therefore we skip it when
+retrying.
+
+Signed-off-by: DooHyun Hwang <dh0421.hwang@samsung.com>
+Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1593,7 +1593,7 @@ int mmc_set_signal_voltage(struct mmc_ho
+
+ err = mmc_wait_for_cmd(host, &cmd, 0);
+ if (err)
+- return err;
++ goto power_cycle;
+
+ if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR))
+ return -EIO;
--- /dev/null
+From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001
+From: Seunghui Lee <sh043.lee@samsung.com>
+Date: Mon, 22 Feb 2021 17:31:56 +0900
+Subject: mmc: core: Set read only for SD cards with permanent write protect bit
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream.
+
+Some of SD cards sets permanent write protection bit in their CSD register,
+due to lifespan or internal problem. To avoid unnecessary I/O write
+operations, let's parse the bits in the CSD during initialization and mark
+the card as read only for this case.
+
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -138,6 +138,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1;
+ csd->erase_size <<= csd->write_blkbits - 9;
+ }
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ case 1:
+ /*
+@@ -172,6 +175,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->write_blkbits = 9;
+ csd->write_partial = 0;
+ csd->erase_size = 1;
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ default:
+ pr_err("%s: unrecognised CSD structure version %d\n",
--- /dev/null
+From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 20 Apr 2021 11:04:10 +0200
+Subject: s390/disassembler: increase ebpf disasm buffer size
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream.
+
+Current ebpf disassembly buffer size of 64 is too small. E.g. this line
+takes 65 bytes:
+01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0
+
+Double the buffer size like it is done for the kernel disassembly buffer.
+
+Fixes the following KASAN finding:
+
+UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380
+Write of size 1 at addr 001fff800ad5f970 by task test_progs/853
+
+CPU: 53 PID: 853 Comm: test_progs Not tainted
+5.12.0-rc7-23786-g23457d86b1f0-dirty #19
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+ [<0000000cd8e0538a>] show_stack+0x17a/0x1668
+ [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8
+ [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260
+ [<0000000cd75a8698>] kasan_report+0xc8/0x130
+ [<0000000cd6e26da4>] print_fn_code+0x34c/0x380
+ [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58
+ [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0
+ [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0
+ [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768
+ [<0000000cd6e0f392>] do_syscall+0x12a/0x220
+ [<0000000cd8e333f8>] __do_syscall+0x98/0xc8
+ [<0000000cd8e54834>] system_call+0x6c/0x94
+1 lock held by test_progs/853:
+ #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at:
+ kasan_report+0x96/0x130
+
+addr 001fff800ad5f970 is located in stack of task test_progs/853 at
+offset 96 in frame:
+ print_fn_code+0x0/0x380
+this frame has 1 object:
+ [32, 96) 'buffer'
+
+Memory state around the buggy address:
+ 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3
+ ^
+ 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/dis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -2033,7 +2033,7 @@ void show_code(struct pt_regs *regs)
+
+ void print_fn_code(unsigned char *code, unsigned long len)
+ {
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ int opsize, i;
+
+ while (len) {
usb-add-lpm-quirk-for-lenovo-thinkpad-usb-c-dock-gen2-ethernet.patch
usb-add-reset-resume-quirk-for-wd19-s-realtek-hub.patch
platform-x86-thinkpad_acpi-correct-thermal-sensor-allocation.patch
+s390-disassembler-increase-ebpf-disasm-buffer-size.patch
+acpi-custom_method-fix-potential-use-after-free-issue.patch
+acpi-custom_method-fix-a-possible-memory-leak.patch
+ecryptfs-fix-kernel-panic-with-null-dev_name.patch
+mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
+mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
