From: Greg Kroah-Hartman Date: Wed, 9 Feb 2022 13:08:18 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v4.9.301~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=86e85d8c8f9e71fc401f0b2da8b48f3905eb79f1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: ata-libata-core-fix-ata_dev_config_cpr.patch moxart-fix-potential-use-after-free-on-remove-path.patch
---
diff --git a/queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch b/queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch
new file mode 100644
index 00000000000..9218e74eee9
--- /dev/null
+++ b/queue-5.16/ata-libata-core-fix-ata_dev_config_cpr.patch
@@ -0,0 +1,84 @@
+From fda17afc6166e975bec1197bd94cd2a3317bce3f Mon Sep 17 00:00:00 2001
+From: Damien Le Moal
+Date: Mon, 7 Feb 2022 11:27:53 +0900
+Subject: ata: libata-core: Fix ata_dev_config_cpr()
+
+From: Damien Le Moal
+
+commit fda17afc6166e975bec1197bd94cd2a3317bce3f upstream.
+
+The concurrent positioning ranges log page 47h is a general purpose log
+page and not a subpage of the indentify device log. Using
+ata_identify_page_supported() to test for concurrent positioning ranges
+support is thus wrong. ata_log_supported() must be used.
+
+Furthermore, unlike other advanced ATA features (e.g. NCQ priority),
+accesses to the concurrent positioning ranges log page are not gated by
+a feature bit from the device IDENTIFY data. Since many older drives
+react badly to the READ LOG EXT and/or READ LOG DMA EXT commands isued
+to read device log pages, avoid problems with older drives by limiting
+the concurrent positioning ranges support detection to drives
+implementing at least the ACS-4 ATA standard (major version 11). This
+additional condition effectively turns ata_dev_config_cpr() into a nop
+for older drives, avoiding problems in the field.
+
+Fixes: fe22e1c2f705 ("libata: support concurrent positioning ranges log")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215519
+Cc: stable@vger.kernel.org
+Reviewed-by: Hannes Reinecke
+Tested-by: Abderraouf Adjal
+Signed-off-by: Damien Le Moal
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-core.c | 14 ++++++--------
+ include/linux/ata.h | 2 +-
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2486,23 +2486,21 @@ static void ata_dev_config_cpr(struct at
+ struct ata_cpr_log *cpr_log = NULL;
+ u8 *desc, *buf = NULL;
+
+- if (!ata_identify_page_supported(dev,
+- ATA_LOG_CONCURRENT_POSITIONING_RANGES))
++ if (ata_id_major_version(dev->id) < 11 ||
++ !ata_log_supported(dev, ATA_LOG_CONCURRENT_POSITIONING_RANGES))
+ goto out;
+
+ /*
+- * Read IDENTIFY DEVICE data log, page 0x47
+- * (concurrent positioning ranges). We can have at most 255 32B range
+- * descriptors plus a 64B header.
++ * Read the concurrent positioning ranges log (0x47). We can have at
++ * most 255 32B range descriptors plus a 64B header.
+ */
+ buf_len = (64 + 255 * 32 + 511) & ~511;
+ buf = kzalloc(buf_len, GFP_KERNEL);
+ if (!buf)
+ goto out;
+
+- err_mask = ata_read_log_page(dev, ATA_LOG_IDENTIFY_DEVICE,
+- ATA_LOG_CONCURRENT_POSITIONING_RANGES,
+- buf, buf_len >> 9);
++ err_mask = ata_read_log_page(dev, ATA_LOG_CONCURRENT_POSITIONING_RANGES,
++ 0, buf, buf_len >> 9);
+ if (err_mask)
+ goto out;
+
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -324,12 +324,12 @@ enum {
+ ATA_LOG_NCQ_NON_DATA = 0x12,
+ ATA_LOG_NCQ_SEND_RECV = 0x13,
+ ATA_LOG_IDENTIFY_DEVICE = 0x30,
++ ATA_LOG_CONCURRENT_POSITIONING_RANGES = 0x47,
+
+ /* Identify device log pages: */
+ ATA_LOG_SECURITY = 0x06,
+ ATA_LOG_SATA_SETTINGS = 0x08,
+ ATA_LOG_ZONED_INFORMATION = 0x09,
+- ATA_LOG_CONCURRENT_POSITIONING_RANGES = 0x47,
+
+ /* Identify device SATA settings log:*/
+ ATA_LOG_DEVSLP_OFFSET = 0x30,
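Review bot: The `< 11` in the new guard at the top of ata_dev_config_cpr() is an unexplained literal; the commit message ties it to ACS-4, but nothing in the code does. A one-line comment above the `if` would keep the reason next to the check, e.g. `/* ACS-4 (major version 11) or later only: older drives may react badly to READ LOG EXT */`. The same function sizes the device-filled buffer from bare `64`, `255`, `32` and `511`; because the log contents come from the drive, the parsing after the read (outside this hunk) is presumably what has to keep the descriptor count within that 64 + 255 * 32 bound, and naming those constants would make that easier to verify. The body of ata_dev_config_cpr() starts and ends outside the hunk.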
diff --git a/queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch b/queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch
new file mode 100644
index 00000000000..8e77bb90134
--- /dev/null
+++ b/queue-5.16/moxart-fix-potential-use-after-free-on-remove-path.patch
@@ -0,0 +1,46 @@
+From bd2db32e7c3e35bd4d9b8bbff689434a50893546 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 27 Jan 2022 08:16:38 +0100
+Subject: moxart: fix potential use-after-free on remove path
+
+From: Greg Kroah-Hartman
+
+commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream.
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Cc: Ulf Hansson
+Cc: Xiyu Yang
+Cc: Xin Xiong
+Cc: Xin Tan
+Cc: Tony Lindgren
+Cc: Yang Li
+Cc: linux-mmc@vger.kernel.org
+Cc: stable
+Reported-by: whitehat002
+Signed-off-by: Greg Kroah-Hartman
+Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@linuxfoundation.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/moxart-mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -705,12 +705,12 @@ static int moxart_remove(struct platform
+ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
+ mmc_remove_host(mmc);
+- mmc_free_host(mmc);
+
+ writel(0, host->base + REG_INTERRUPT_MASK);
+ writel(0, host->base + REG_POWER_CONTROL);
+ writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+ host->base + REG_CLOCK_CONTROL);
++ mmc_free_host(mmc);
+
+ return 0;
+ }
diff --git a/queue-5.16/series b/queue-5.16/series
new file mode 100644
index 00000000000..187684a416f
--- /dev/null
+++ b/queue-5.16/series
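Review bot: The moved `mmc_free_host(mmc);` in moxart_remove() must now stay after the last `host->base` access, but nothing in the code records that ordering constraint, and the commit message describes a different fix (saving the base register) from the reorder the hunk actually makes. A comment on the moved line would protect the ordering, e.g. `/* host lives inside the mmc allocation: free only after the last host-> access */`; this assumes host is taken from mmc's private area, which would be set up above the hunk. Separately, the DMA channels are released and mmc_remove_host() runs before `REG_INTERRUPT_MASK` is cleared, and whether an interrupt arriving in that window can touch already-released state is not visible here and is worth confirming. The start of moxart_remove() is outside the hunk.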
@@ -0,0 +1,2 @@
+ata-libata-core-fix-ata_dev_config_cpr.patch
+moxart-fix-potential-use-after-free-on-remove-path.patch