5.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 9 Feb 2022 13:08:18 +0000 (14:08 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 9 Feb 2022 13:08:18 +0000 (14:08 +0100)
added patches:
ata-libata-core-fix-ata_dev_config_cpr.patch
moxart-fix-potential-use-after-free-on-remove-path.patch

queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch [new file with mode: 0644]
queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch [new file with mode: 0644]
queue-5.16/series [new file with mode: 0644]

diff --git a/queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch b/queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch
new file mode 100644 (file)
index 0000000..9218e74
--- /dev/null
@@ -0,0 +1,84 @@
+From fda17afc6166e975bec1197bd94cd2a3317bce3f Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Date: Mon, 7 Feb 2022 11:27:53 +0900
+Subject: ata: libata-core: Fix ata_dev_config_cpr()
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+commit fda17afc6166e975bec1197bd94cd2a3317bce3f upstream.
+
+The concurrent positioning ranges log page 47h is a general purpose log
+page and not a subpage of the indentify device log. Using
+ata_identify_page_supported() to test for concurrent positioning ranges
+support is thus wrong. ata_log_supported() must be used.
+
+Furthermore, unlike other advanced ATA features (e.g. NCQ priority),
+accesses to the concurrent positioning ranges log page are not gated by
+a feature bit from the device IDENTIFY data. Since many older drives
+react badly to the READ LOG EXT and/or READ LOG DMA EXT commands isued
+to read device log pages, avoid problems with older drives by limiting
+the concurrent positioning ranges support detection to drives
+implementing at least the ACS-4 ATA standard (major version 11). This
+additional condition effectively turns ata_dev_config_cpr() into a nop
+for older drives, avoiding problems in the field.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215519
+Cc: stable@vger.kernel.org
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Abderraouf Adjal <adjal.arf@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c |   14 ++++++--------
+ include/linux/ata.h       |    2 +-
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2486,23 +2486,21 @@ static void ata_dev_config_cpr(struct at
+       struct ata_cpr_log *cpr_log = NULL;
+       u8 *desc, *buf = NULL;
+-      if (!ata_identify_page_supported(dev,
+-                               ATA_LOG_CONCURRENT_POSITIONING_RANGES))
++      if (ata_id_major_version(dev->id) < 11 ||
++          !ata_log_supported(dev, ATA_LOG_CONCURRENT_POSITIONING_RANGES))
+               goto out;
+       /*
+-       * Read IDENTIFY DEVICE data log, page 0x47
+-       * (concurrent positioning ranges). We can have at most 255 32B range
+-       * descriptors plus a 64B header.
++       * Read the concurrent positioning ranges log (0x47). We can have at
++       * most 255 32B range descriptors plus a 64B header.
+        */
+       buf_len = (64 + 255 * 32 + 511) & ~511;
+       buf = kzalloc(buf_len, GFP_KERNEL);
+       if (!buf)
+               goto out;
+-      err_mask = ata_read_log_page(dev, ATA_LOG_IDENTIFY_DEVICE,
+-                                   ATA_LOG_CONCURRENT_POSITIONING_RANGES,
+-                                   buf, buf_len >> 9);
++      err_mask = ata_read_log_page(dev, ATA_LOG_CONCURRENT_POSITIONING_RANGES,
++                                   0, buf, buf_len >> 9);
+       if (err_mask)
+               goto out;
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -324,12 +324,12 @@ enum {
+       ATA_LOG_NCQ_NON_DATA    = 0x12,
+       ATA_LOG_NCQ_SEND_RECV   = 0x13,
+       ATA_LOG_IDENTIFY_DEVICE = 0x30,
++      ATA_LOG_CONCURRENT_POSITIONING_RANGES = 0x47,
+       /* Identify device log pages: */
+       ATA_LOG_SECURITY          = 0x06,
+       ATA_LOG_SATA_SETTINGS     = 0x08,
+       ATA_LOG_ZONED_INFORMATION = 0x09,
+-      ATA_LOG_CONCURRENT_POSITIONING_RANGES = 0x47,
+       /* Identify device SATA settings log:*/
+       ATA_LOG_DEVSLP_OFFSET     = 0x30,
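Review bot: The new gate in ata_dev_config_cpr(), `ata_id_major_version(dev->id) < 11`, uses a bare 11 and has no comment, so the reason for it is recorded only in the commit message. I would add above the check `/* Log 0x47 has no IDENTIFY feature bit; probe only ACS-4 (major version 11) or later, older drives may mishandle READ LOG EXT. */` so the condition is not later dropped as redundant with ata_log_supported(). The function continues past the end of the hunk, so whether the range count the device reports is bounded against the 255-descriptor buffer sized here cannot be confirmed from these lines and is worth checking in the full function.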
diff --git a/queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch b/queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch
new file mode 100644 (file)
index 0000000..8e77bb9
--- /dev/null
@@ -0,0 +1,46 @@
+From bd2db32e7c3e35bd4d9b8bbff689434a50893546 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 27 Jan 2022 08:16:38 +0100
+Subject: moxart: fix potential use-after-free on remove path
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream.
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Cc: Xin Xiong <xiongx18@fudan.edu.cn>
+Cc: Xin Tan <tanxin.ctf@gmail.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Yang Li <yang.lee@linux.alibaba.com>
+Cc: linux-mmc@vger.kernel.org
+Cc: stable <stable@vger.kernel.org>
+Reported-by: whitehat002 <hackyzh002@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@linuxfoundation.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -705,12 +705,12 @@ static int moxart_remove(struct platform
+       if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+               dma_release_channel(host->dma_chan_rx);
+       mmc_remove_host(mmc);
+-      mmc_free_host(mmc);
+       writel(0, host->base + REG_INTERRUPT_MASK);
+       writel(0, host->base + REG_POWER_CONTROL);
+       writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+              host->base + REG_CLOCK_CONTROL);
++      mmc_free_host(mmc);
+       return 0;
+ }
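Review bot: The description says the fix saves the device's base register and uses it instead of the pointer dereference, but the change in moxart_remove() instead moves `mmc_free_host(mmc);` below the three `writel()` calls, so the log and the code disagree. The ordering is what prevents the use-after-free (presumably `host` lives inside the allocation that mmc_free_host() releases; its assignment is outside the hunk), and nothing in the code states that. I would add `/* host is freed together with mmc: no host-> access after this call */` directly above the moved `mmc_free_host(mmc);` so a later cleanup does not reorder it again. The start of moxart_remove() is outside the hunk, so earlier uses of `host` could not be checked here.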
diff --git a/queue-5.16/series b/queue-5.16/series
new file mode 100644 (file)
index 0000000..187684a
--- /dev/null
@@ -0,0 +1,2 @@
+ata-libata-core-fix-ata_dev_config_cpr.patch
+moxart-fix-potential-use-after-free-on-remove-path.patch