--- /dev/null
+From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Tue, 27 Apr 2021 13:54:33 -0500
+Subject: ACPI: custom_method: fix a possible memory leak
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream.
+
+In cm_write(), if the 'buf' is allocated memory but not fully consumed,
+it is possible to reallocate the buffer without freeing it by passing
+'*ppos' as 0 on a subsequent call.
+
+Add an explicit kfree() before kzalloc() to prevent the possible memory
+leak.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -37,6 +37,8 @@ static ssize_t cm_write(struct file *fil
+ sizeof(struct acpi_table_header)))
+ return -EFAULT;
+ uncopied_bytes = max_size = table.length;
++ /* make sure the buf is not allocated */
++ kfree(buf);
+ buf = kzalloc(max_size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
--- /dev/null
+From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Fri, 23 Apr 2021 10:28:17 -0500
+Subject: ACPI: custom_method: fix potential use-after-free issue
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream.
+
+In cm_write(), buf is always freed when reaching the end of the
+function. If the requested count is less than table.length, the
+allocated buffer will be freed but subsequent calls to cm_write() will
+still try to access it.
+
+Remove the unconditional kfree(buf) at the end of the function and
+set the buf to NULL in the -EINVAL error path to match the rest of
+function.
+
+Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -50,6 +50,7 @@ static ssize_t cm_write(struct file *fil
+ (*ppos + count < count) ||
+ (count > uncopied_bytes)) {
+ kfree(buf);
++ buf = NULL;
+ return -EINVAL;
+ }
+
+@@ -71,7 +72,6 @@ static ssize_t cm_write(struct file *fil
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
+- kfree(buf);
+ return count;
+ }
+
--- /dev/null
+From e4e5d030bd779fb8321d3b8bd65406fbe0827037 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Tue, 16 Mar 2021 17:22:24 +0800
+Subject: arm64: dts: mt8173: fix property typo of 'phys' in dsi node
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit e4e5d030bd779fb8321d3b8bd65406fbe0827037 upstream.
+
+Use 'phys' instead of 'phy'.
+
+Fixes: 81ad4dbaf7af ("arm64: dts: mt8173: Add display subsystem related nodes")
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Reviewed-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210316092232.9806-5-chunfeng.yun@mediatek.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+@@ -1029,7 +1029,7 @@
+ <&mmsys CLK_MM_DSI1_DIGITAL>,
+ <&mipi_tx1>;
+ clock-names = "engine", "digital", "hs";
+- phy = <&mipi_tx1>;
++ phys = <&mipi_tx1>;
+ phy-names = "dphy";
+ status = "disabled";
+ };
--- /dev/null
+From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Date: Fri, 26 Feb 2021 15:00:23 -0600
+Subject: ecryptfs: fix kernel panic with null dev_name
+
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+
+commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream.
+
+When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount()
+causes a kernel panic if the parsed options are valid. The easiest way to
+reproduce this is to call mount() from userspace with an existing
+eCryptfs mount's options and a "source" argument of 0.
+
+Error out if "dev_name" is null in ecryptfs_mount()
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ecryptfs/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -506,6 +506,12 @@ static struct dentry *ecryptfs_mount(str
+ goto out;
+ }
+
++ if (!dev_name) {
++ rc = -EINVAL;
++ err = "Device name cannot be null";
++ goto out;
++ }
++
+ rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ if (rc) {
+ err = "Error parsing options";
--- /dev/null
+From aea0440ad023ab0662299326f941214b0d7480bd Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@wdc.com>
+Date: Tue, 20 Apr 2021 16:46:41 +0300
+Subject: mmc: block: Update ext_csd.cache_ctrl if it was written
+
+From: Avri Altman <avri.altman@wdc.com>
+
+commit aea0440ad023ab0662299326f941214b0d7480bd upstream.
+
+The cache function can be turned ON and OFF by writing to the CACHE_CTRL
+byte (EXT_CSD byte [33]). However, card->ext_csd.cache_ctrl is only
+set on init if cache size > 0.
+
+Fix that by explicitly setting ext_csd.cache_ctrl on ext-csd write.
+
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210420134641.57343-3-avri.altman@wdc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -599,6 +599,18 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ }
+
+ /*
++ * Make sure to update CACHE_CTRL in case it was changed. The cache
++ * will get turned back on if the card is re-initialized, e.g.
++ * suspend/resume or hw reset in recovery.
++ */
++ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_CACHE_CTRL) &&
++ (cmd.opcode == MMC_SWITCH)) {
++ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg) & 1;
++
++ card->ext_csd.cache_ctrl = value;
++ }
++
++ /*
+ * According to the SD specs, some commands require a delay after
+ * issuing the command.
+ */
--- /dev/null
+From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+Date: Wed, 10 Feb 2021 13:59:36 +0900
+Subject: mmc: core: Do a power cycle when the CMD11 fails
+
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+
+commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream.
+
+A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure
+into 1.8V I/O. According to the SD spec a power cycle is needed of the
+card, if it turns out that the CMD11 fails. Let's fix this, to allow a
+retry of the initialization without the voltage switch, to succeed.
+
+Note that, whether it makes sense to also retry with the voltage switch
+after the power cycle is a bit more difficult to know. At this point, we
+treat it like the CMD11 isn't supported and therefore we skip it when
+retrying.
+
+Signed-off-by: DooHyun Hwang <dh0421.hwang@samsung.com>
+Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1506,7 +1506,7 @@ int mmc_set_uhs_voltage(struct mmc_host
+
+ err = mmc_wait_for_cmd(host, &cmd, 0);
+ if (err)
+- return err;
++ goto power_cycle;
+
+ if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR))
+ return -EIO;
--- /dev/null
+From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001
+From: Seunghui Lee <sh043.lee@samsung.com>
+Date: Mon, 22 Feb 2021 17:31:56 +0900
+Subject: mmc: core: Set read only for SD cards with permanent write protect bit
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream.
+
+Some of SD cards sets permanent write protection bit in their CSD register,
+due to lifespan or internal problem. To avoid unnecessary I/O write
+operations, let's parse the bits in the CSD during initialization and mark
+the card as read only for this case.
+
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -138,6 +138,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1;
+ csd->erase_size <<= csd->write_blkbits - 9;
+ }
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ case 1:
+ /*
+@@ -172,6 +175,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->write_blkbits = 9;
+ csd->write_partial = 0;
+ csd->erase_size = 1;
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ default:
+ pr_err("%s: unrecognised CSD structure version %d\n",
--- /dev/null
+From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 20 Apr 2021 11:04:10 +0200
+Subject: s390/disassembler: increase ebpf disasm buffer size
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream.
+
+Current ebpf disassembly buffer size of 64 is too small. E.g. this line
+takes 65 bytes:
+01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0
+
+Double the buffer size like it is done for the kernel disassembly buffer.
+
+Fixes the following KASAN finding:
+
+UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380
+Write of size 1 at addr 001fff800ad5f970 by task test_progs/853
+
+CPU: 53 PID: 853 Comm: test_progs Not tainted
+5.12.0-rc7-23786-g23457d86b1f0-dirty #19
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+ [<0000000cd8e0538a>] show_stack+0x17a/0x1668
+ [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8
+ [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260
+ [<0000000cd75a8698>] kasan_report+0xc8/0x130
+ [<0000000cd6e26da4>] print_fn_code+0x34c/0x380
+ [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58
+ [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0
+ [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0
+ [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768
+ [<0000000cd6e0f392>] do_syscall+0x12a/0x220
+ [<0000000cd8e333f8>] __do_syscall+0x98/0xc8
+ [<0000000cd8e54834>] system_call+0x6c/0x94
+1 lock held by test_progs/853:
+ #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at:
+ kasan_report+0x96/0x130
+
+addr 001fff800ad5f970 is located in stack of task test_progs/853 at
+offset 96 in frame:
+ print_fn_code+0x0/0x380
+this frame has 1 object:
+ [32, 96) 'buffer'
+
+Memory state around the buggy address:
+ 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3
+ ^
+ 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/dis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -2026,7 +2026,7 @@ void show_code(struct pt_regs *regs)
+
+ void print_fn_code(unsigned char *code, unsigned long len)
+ {
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ int opsize, i;
+
+ while (len) {
usb-add-lpm-quirk-for-lenovo-thinkpad-usb-c-dock-gen2-ethernet.patch
usb-add-reset-resume-quirk-for-wd19-s-realtek-hub.patch
platform-x86-thinkpad_acpi-correct-thermal-sensor-allocation.patch
+s390-disassembler-increase-ebpf-disasm-buffer-size.patch
+acpi-custom_method-fix-potential-use-after-free-issue.patch
+acpi-custom_method-fix-a-possible-memory-leak.patch
+arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch
+ecryptfs-fix-kernel-panic-with-null-dev_name.patch
+spi-spi-ti-qspi-free-dma-resources.patch
+mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch
+mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
+mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
--- /dev/null
+From 1d309cd688a76fb733f0089d36dc630327b32d59 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+Date: Thu, 18 Feb 2021 15:09:50 +0200
+Subject: spi: spi-ti-qspi: Free DMA resources
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+commit 1d309cd688a76fb733f0089d36dc630327b32d59 upstream.
+
+Release the RX channel and free the dma coherent memory when
+devm_spi_register_master() fails.
+
+Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20210218130950.90155-1-tudor.ambarus@microchip.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ti-qspi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -643,6 +643,17 @@ static int ti_qspi_runtime_resume(struct
+ return 0;
+ }
+
++static void ti_qspi_dma_cleanup(struct ti_qspi *qspi)
++{
++ if (qspi->rx_bb_addr)
++ dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
++ qspi->rx_bb_addr,
++ qspi->rx_bb_dma_addr);
++
++ if (qspi->rx_chan)
++ dma_release_channel(qspi->rx_chan);
++}
++
+ static const struct of_device_id ti_qspi_match[] = {
+ {.compatible = "ti,dra7xxx-qspi" },
+ {.compatible = "ti,am4372-qspi" },
+@@ -794,6 +805,8 @@ no_dma:
+ if (!ret)
+ return 0;
+
++ ti_qspi_dma_cleanup(qspi);
++
+ pm_runtime_disable(&pdev->dev);
+ free_master:
+ spi_master_put(master);
+@@ -812,12 +825,7 @@ static int ti_qspi_remove(struct platfor
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+- if (qspi->rx_bb_addr)
+- dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
+- qspi->rx_bb_addr,
+- qspi->rx_bb_dma_addr);
+- if (qspi->rx_chan)
+- dma_release_channel(qspi->rx_chan);
++ ti_qspi_dma_cleanup(qspi);
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
