From: Greg Kroah-Hartman Date: Fri, 7 May 2021 14:08:31 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.4.118~103 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b82db450d9db065f2e9f8b5bbe62c6100200cf6d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: acpi-custom_method-fix-a-possible-memory-leak.patch acpi-custom_method-fix-potential-use-after-free-issue.patch arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch ecryptfs-fix-kernel-panic-with-null-dev_name.patch ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch mtd-spinand-core-add-missing-module_device_table.patch s390-disassembler-increase-ebpf-disasm-buffer-size.patch scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch series spi-spi-ti-qspi-free-dma-resources.patch --- diff --git a/queue-4.19/acpi-custom_method-fix-a-possible-memory-leak.patch b/queue-4.19/acpi-custom_method-fix-a-possible-memory-leak.patch new file mode 100644 index 00000000000..102ed7e2fec --- /dev/null +++ b/queue-4.19/acpi-custom_method-fix-a-possible-memory-leak.patch @@ -0,0 +1,36 @@ +From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001 +From: Mark Langsdorf +Date: Tue, 27 Apr 2021 13:54:33 -0500 +Subject: ACPI: custom_method: fix a possible memory leak + +From: Mark Langsdorf + +commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream. + +In cm_write(), if the 'buf' is allocated memory but not fully consumed, +it is possible to reallocate the buffer without freeing it by passing +'*ppos' as 0 on a subsequent call. + +Add an explicit kfree() before kzalloc() to prevent the possible memory +leak. + +Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver") +Signed-off-by: Mark Langsdorf +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/custom_method.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -37,6 +37,8 @@ static ssize_t cm_write(struct file *fil + sizeof(struct acpi_table_header))) + return -EFAULT; + uncopied_bytes = max_size = table.length; ++ /* make sure the buf is not allocated */ ++ kfree(buf); + buf = kzalloc(max_size, GFP_KERNEL); + if (!buf) + return -ENOMEM; diff --git a/queue-4.19/acpi-custom_method-fix-potential-use-after-free-issue.patch b/queue-4.19/acpi-custom_method-fix-potential-use-after-free-issue.patch new file mode 100644 index 00000000000..3e995aa8e14 --- /dev/null +++ b/queue-4.19/acpi-custom_method-fix-potential-use-after-free-issue.patch @@ -0,0 +1,45 @@ +From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001 +From: Mark Langsdorf +Date: Fri, 23 Apr 2021 10:28:17 -0500 +Subject: ACPI: custom_method: fix potential use-after-free issue + +From: Mark Langsdorf + +commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream. + +In cm_write(), buf is always freed when reaching the end of the +function. If the requested count is less than table.length, the +allocated buffer will be freed but subsequent calls to cm_write() will +still try to access it. + +Remove the unconditional kfree(buf) at the end of the function and +set the buf to NULL in the -EINVAL error path to match the rest of +function. + +Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks") +Signed-off-by: Mark Langsdorf +Cc: 5.4+ # 5.4+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/custom_method.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -50,6 +50,7 @@ static ssize_t cm_write(struct file *fil + (*ppos + count < count) || + (count > uncopied_bytes)) { + kfree(buf); ++ buf = NULL; + return -EINVAL; + } + +@@ -71,7 +72,6 @@ static ssize_t cm_write(struct file *fil + add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE); + } + +- kfree(buf); + return count; + } + diff --git a/queue-4.19/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch b/queue-4.19/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch new file mode 100644 index 00000000000..74a6abe17ca --- /dev/null +++ b/queue-4.19/arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch @@ -0,0 +1,60 @@ +From c4e792d1acce31c2eb7b9193ab06ab94de05bf42 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Fri, 5 Feb 2021 19:23:00 +0100 +Subject: ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld + +From: Ard Biesheuvel + +commit c4e792d1acce31c2eb7b9193ab06ab94de05bf42 upstream. + +The LLVM ld.lld linker uses a different symbol type for __bss_start, +resulting in the calculation of KBSS_SZ to be thrown off. Up until now, +this has gone unnoticed as it only affects the appended DTB case, but +pending changes for ARM in the way the decompressed kernel is cleaned +from the caches has uncovered this problem. + +On a ld.lld build: + + $ nm vmlinux |grep bss_ + c1c22034 D __bss_start + c1c86e98 B __bss_stop + +resulting in + + $ readelf -s arch/arm/boot/compressed/vmlinux | grep bss_size + 433: c1c86e98 0 NOTYPE GLOBAL DEFAULT ABS _kernel_bss_size + +which is obviously incorrect, and may cause the cache clean to access +unmapped memory, or cause the size calculation to wrap, resulting in no +cache clean to be performed at all. + +Fix this by updating the sed regex to take D type symbols into account. + +Link: https://lore.kernel.org/linux-arm-kernel/6c65bcef-d4e7-25fa-43cf-2c435bb61bb9@collabora.com/ +Link: https://lore.kernel.org/linux-arm-kernel/20210205085220.31232-1-ardb@kernel.org/ + +Cc: # v4.19+ +Reviewed-by: Nick Desaulniers +Tested-by: Nick Desaulniers +Reported-by: Guillaume Tucker +Reported-by: "kernelci.org bot" +Signed-off-by: Ard Biesheuvel +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/compressed/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/compressed/Makefile ++++ b/arch/arm/boot/compressed/Makefile +@@ -121,8 +121,8 @@ asflags-y := -DZIMAGE + + # Supply kernel BSS size to the decompressor via a linker symbol. + KBSS_SZ = $(shell echo $$(($$($(NM) $(obj)/../../../../vmlinux | \ +- sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \ +- -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) ) ++ sed -n -e 's/^\([^ ]*\) [ABD] __bss_start$$/-0x\1/p' \ ++ -e 's/^\([^ ]*\) [ABD] __bss_stop$$/+0x\1/p') )) ) + LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ) + # Supply ZRELADDR to the decompressor via a linker symbol. + ifneq ($(CONFIG_AUTO_ZRELADDR),y) diff --git a/queue-4.19/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch b/queue-4.19/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch new file mode 100644 index 00000000000..e84e4489601 --- /dev/null +++ b/queue-4.19/arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch @@ -0,0 +1,40 @@ +From 1d88358a89dbac9c7d4559548b9a44840456e6fb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Thu, 14 Jan 2021 13:40:23 +0100 +Subject: arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 1d88358a89dbac9c7d4559548b9a44840456e6fb upstream. + +Add "syscon" compatible to the North Bridge clocks node to allow the +cpufreq driver to access these registers via syscon API. + +This is needed for a fix of cpufreq driver. + +Signed-off-by: Marek Behún +Fixes: e8d66e7927b2 ("arm64: dts: marvell: armada-37xx: add nodes...") +Cc: stable@vger.kernel.org +Cc: Gregory CLEMENT +Cc: Miquel Raynal +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi +@@ -143,7 +143,8 @@ + }; + + nb_periph_clk: nb-periph-clk@13000 { +- compatible = "marvell,armada-3700-periph-clock-nb"; ++ compatible = "marvell,armada-3700-periph-clock-nb", ++ "syscon"; + reg = <0x13000 0x100>; + clocks = <&tbg 0>, <&tbg 1>, <&tbg 2>, + <&tbg 3>, <&xtalclk>; diff --git a/queue-4.19/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch b/queue-4.19/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch new file mode 100644 index 00000000000..7c3a6d8d2c3 --- /dev/null +++ b/queue-4.19/arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch @@ -0,0 +1,33 @@ +From e4e5d030bd779fb8321d3b8bd65406fbe0827037 Mon Sep 17 00:00:00 2001 +From: Chunfeng Yun +Date: Tue, 16 Mar 2021 17:22:24 +0800 +Subject: arm64: dts: mt8173: fix property typo of 'phys' in dsi node + +From: Chunfeng Yun + +commit e4e5d030bd779fb8321d3b8bd65406fbe0827037 upstream. + +Use 'phys' instead of 'phy'. + +Fixes: 81ad4dbaf7af ("arm64: dts: mt8173: Add display subsystem related nodes") +Signed-off-by: Chunfeng Yun +Reviewed-by: Chun-Kuang Hu +Cc: stable +Link: https://lore.kernel.org/r/20210316092232.9806-5-chunfeng.yun@mediatek.com +Signed-off-by: Matthias Brugger +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/mediatek/mt8173.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi +@@ -1111,7 +1111,7 @@ + <&mmsys CLK_MM_DSI1_DIGITAL>, + <&mipi_tx1>; + clock-names = "engine", "digital", "hs"; +- phy = <&mipi_tx1>; ++ phys = <&mipi_tx1>; + phy-names = "dphy"; + status = "disabled"; + }; diff --git a/queue-4.19/ecryptfs-fix-kernel-panic-with-null-dev_name.patch b/queue-4.19/ecryptfs-fix-kernel-panic-with-null-dev_name.patch new file mode 100644 index 00000000000..bd30d260e43 --- /dev/null +++ b/queue-4.19/ecryptfs-fix-kernel-panic-with-null-dev_name.patch @@ -0,0 +1,40 @@ +From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001 +From: Jeffrey Mitchell +Date: Fri, 26 Feb 2021 15:00:23 -0600 +Subject: ecryptfs: fix kernel panic with null dev_name + +From: Jeffrey Mitchell + +commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream. + +When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount() +causes a kernel panic if the parsed options are valid. The easiest way to +reproduce this is to call mount() from userspace with an existing +eCryptfs mount's options and a "source" argument of 0. + +Error out if "dev_name" is null in ecryptfs_mount() + +Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig") +Cc: stable@vger.kernel.org +Signed-off-by: Jeffrey Mitchell +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman +--- + fs/ecryptfs/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/ecryptfs/main.c ++++ b/fs/ecryptfs/main.c +@@ -506,6 +506,12 @@ static struct dentry *ecryptfs_mount(str + goto out; + } + ++ if (!dev_name) { ++ rc = -EINVAL; ++ err = "Device name cannot be null"; ++ goto out; ++ } ++ + rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid); + if (rc) { + err = "Error parsing options"; diff --git a/queue-4.19/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch b/queue-4.19/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch new file mode 100644 index 00000000000..dd971b778b7 --- /dev/null +++ b/queue-4.19/ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch @@ -0,0 +1,53 @@ +From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 5 May 2021 10:38:24 -0400 +Subject: ftrace: Handle commands when closing set_ftrace_filter file + +From: Steven Rostedt (VMware) + +commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream. + + # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +will cause switch_mm to stop tracing by the traceoff command. + + # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter + +does nothing. + +The reason is that the parsing in the write function only processes +commands if it finished parsing (there is white space written after the +command). That's to handle: + + write(fd, "switch_mm:", 10); + write(fd, "traceoff", 8); + +cases, where the command is broken over multiple writes. + +The problem is if the file descriptor is closed, then the write call is +not processed, and the command needs to be processed in the release code. +The release code can handle matching of functions, but does not handle +commands. + +Cc: stable@vger.kernel.org +Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ftrace.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5023,7 +5023,10 @@ int ftrace_regex_release(struct inode *i + + parser = &iter->parser; + if (trace_parser_loaded(parser)) { +- ftrace_match_records(iter->hash, parser->buffer, parser->idx); ++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE); ++ ++ ftrace_process_regex(iter, parser->buffer, ++ parser->idx, enable); + } + + trace_parser_put(parser); diff --git a/queue-4.19/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch b/queue-4.19/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch new file mode 100644 index 00000000000..9dbc01ac89f --- /dev/null +++ b/queue-4.19/mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch @@ -0,0 +1,109 @@ +From 97fce126e279690105ee15be652b465fd96f9997 Mon Sep 17 00:00:00 2001 +From: Avri Altman +Date: Sun, 25 Apr 2021 09:02:06 +0300 +Subject: mmc: block: Issue a cache flush only when it's enabled + +From: Avri Altman + +commit 97fce126e279690105ee15be652b465fd96f9997 upstream. + +In command queueing mode, the cache isn't flushed via the mmc_flush_cache() +function, but instead by issuing a CMDQ_TASK_MGMT (CMD48) with a +FLUSH_CACHE opcode. In this path, we need to check if cache has been +enabled, before deciding to flush the cache, along the lines of what's +being done in mmc_flush_cache(). + +To fix this problem, let's add a new bus ops callback ->cache_enabled() and +implement it for the mmc bus type. In this way, the mmc block device driver +can call it to know whether cache flushing should be done. + +Fixes: 1e8e55b67030 (mmc: block: Add CQE support) +Cc: stable@vger.kernel.org +Reported-by: Brendan Peter +Signed-off-by: Avri Altman +Tested-by: Brendan Peter +Acked-by: Adrian Hunter +Link: https://lore.kernel.org/r/20210425060207.2591-2-avri.altman@wdc.com +Link: https://lore.kernel.org/r/20210425060207.2591-3-avri.altman@wdc.com +[Ulf: Squashed the two patches and made some minor updates] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 4 ++++ + drivers/mmc/core/core.h | 9 +++++++++ + drivers/mmc/core/mmc.c | 7 +++++++ + drivers/mmc/core/mmc_ops.c | 4 +--- + 4 files changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -2236,6 +2236,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru + case MMC_ISSUE_ASYNC: + switch (req_op(req)) { + case REQ_OP_FLUSH: ++ if (!mmc_cache_enabled(host)) { ++ blk_mq_end_request(req, BLK_STS_OK); ++ return MMC_REQ_FINISHED; ++ } + ret = mmc_blk_cqe_issue_flush(mq, req); + break; + case REQ_OP_READ: +--- a/drivers/mmc/core/core.h ++++ b/drivers/mmc/core/core.h +@@ -32,6 +32,7 @@ struct mmc_bus_ops { + int (*shutdown)(struct mmc_host *); + int (*hw_reset)(struct mmc_host *); + int (*sw_reset)(struct mmc_host *); ++ bool (*cache_enabled)(struct mmc_host *); + }; + + void mmc_attach_bus(struct mmc_host *host, const struct mmc_bus_ops *ops); +@@ -173,4 +174,12 @@ static inline void mmc_post_req(struct m + host->ops->post_req(host, mrq, err); + } + ++static inline bool mmc_cache_enabled(struct mmc_host *host) ++{ ++ if (host->bus_ops->cache_enabled) ++ return host->bus_ops->cache_enabled(host); ++ ++ return false; ++} ++ + #endif +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -2009,6 +2009,12 @@ static void mmc_detect(struct mmc_host * + } + } + ++static bool _mmc_cache_enabled(struct mmc_host *host) ++{ ++ return host->card->ext_csd.cache_size > 0 && ++ host->card->ext_csd.cache_ctrl & 1; ++} ++ + static int _mmc_suspend(struct mmc_host *host, bool is_suspend) + { + int err = 0; +@@ -2193,6 +2199,7 @@ static const struct mmc_bus_ops mmc_ops + .alive = mmc_alive, + .shutdown = mmc_shutdown, + .hw_reset = _mmc_hw_reset, ++ .cache_enabled = _mmc_cache_enabled, + }; + + /* +--- a/drivers/mmc/core/mmc_ops.c ++++ b/drivers/mmc/core/mmc_ops.c +@@ -1014,9 +1014,7 @@ int mmc_flush_cache(struct mmc_card *car + { + int err = 0; + +- if (mmc_card_mmc(card) && +- (card->ext_csd.cache_size > 0) && +- (card->ext_csd.cache_ctrl & 1)) { ++ if (mmc_cache_enabled(card->host)) { + err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL, + EXT_CSD_FLUSH_CACHE, 1, 0); + if (err) diff --git a/queue-4.19/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch b/queue-4.19/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch new file mode 100644 index 00000000000..5bc78758e4e --- /dev/null +++ b/queue-4.19/mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch @@ -0,0 +1,46 @@ +From aea0440ad023ab0662299326f941214b0d7480bd Mon Sep 17 00:00:00 2001 +From: Avri Altman +Date: Tue, 20 Apr 2021 16:46:41 +0300 +Subject: mmc: block: Update ext_csd.cache_ctrl if it was written + +From: Avri Altman + +commit aea0440ad023ab0662299326f941214b0d7480bd upstream. + +The cache function can be turned ON and OFF by writing to the CACHE_CTRL +byte (EXT_CSD byte [33]). However, card->ext_csd.cache_ctrl is only +set on init if cache size > 0. + +Fix that by explicitly setting ext_csd.cache_ctrl on ext-csd write. + +Signed-off-by: Avri Altman +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210420134641.57343-3-avri.altman@wdc.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -623,6 +623,18 @@ static int __mmc_blk_ioctl_cmd(struct mm + } + + /* ++ * Make sure to update CACHE_CTRL in case it was changed. The cache ++ * will get turned back on if the card is re-initialized, e.g. ++ * suspend/resume or hw reset in recovery. ++ */ ++ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_CACHE_CTRL) && ++ (cmd.opcode == MMC_SWITCH)) { ++ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg) & 1; ++ ++ card->ext_csd.cache_ctrl = value; ++ } ++ ++ /* + * According to the SD specs, some commands require a delay after + * issuing the command. + */ diff --git a/queue-4.19/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch b/queue-4.19/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch new file mode 100644 index 00000000000..82a68570d12 --- /dev/null +++ b/queue-4.19/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch @@ -0,0 +1,39 @@ +From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001 +From: DooHyun Hwang +Date: Wed, 10 Feb 2021 13:59:36 +0900 +Subject: mmc: core: Do a power cycle when the CMD11 fails + +From: DooHyun Hwang + +commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream. + +A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure +into 1.8V I/O. According to the SD spec a power cycle is needed of the +card, if it turns out that the CMD11 fails. Let's fix this, to allow a +retry of the initialization without the voltage switch, to succeed. + +Note that, whether it makes sense to also retry with the voltage switch +after the power cycle is a bit more difficult to know. At this point, we +treat it like the CMD11 isn't supported and therefore we skip it when +retrying. + +Signed-off-by: DooHyun Hwang +Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -1537,7 +1537,7 @@ int mmc_set_uhs_voltage(struct mmc_host + + err = mmc_wait_for_cmd(host, &cmd, 0); + if (err) +- return err; ++ goto power_cycle; + + if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR)) + return -EIO; diff --git a/queue-4.19/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch b/queue-4.19/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch new file mode 100644 index 00000000000..9619087921c --- /dev/null +++ b/queue-4.19/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch @@ -0,0 +1,45 @@ +From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001 +From: Seunghui Lee +Date: Mon, 22 Feb 2021 17:31:56 +0900 +Subject: mmc: core: Set read only for SD cards with permanent write protect bit + +From: Seunghui Lee + +commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream. + +Some of SD cards sets permanent write protection bit in their CSD register, +due to lifespan or internal problem. To avoid unnecessary I/O write +operations, let's parse the bits in the CSD during initialization and mark +the card as read only for this case. + +Signed-off-by: Seunghui Lee +Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -138,6 +138,9 @@ static int mmc_decode_csd(struct mmc_car + csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1; + csd->erase_size <<= csd->write_blkbits - 9; + } ++ ++ if (UNSTUFF_BITS(resp, 13, 1)) ++ mmc_card_set_readonly(card); + break; + case 1: + /* +@@ -172,6 +175,9 @@ static int mmc_decode_csd(struct mmc_car + csd->write_blkbits = 9; + csd->write_partial = 0; + csd->erase_size = 1; ++ ++ if (UNSTUFF_BITS(resp, 13, 1)) ++ mmc_card_set_readonly(card); + break; + default: + pr_err("%s: unrecognised CSD structure version %d\n", diff --git a/queue-4.19/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch b/queue-4.19/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch new file mode 100644 index 00000000000..9e3231092d9 --- /dev/null +++ b/queue-4.19/mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch @@ -0,0 +1,83 @@ +From 2970134b927834e9249659a70aac48e62dff804a Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 31 Mar 2021 11:17:52 +0300 +Subject: mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers + +From: Adrian Hunter + +commit 2970134b927834e9249659a70aac48e62dff804a upstream. + +Bus power may control card power, but the full reset done by SDHCI at +initialization still may not reset the power, whereas a direct write to +SDHCI_POWER_CONTROL can. That might be needed to initialize correctly, if +the card was left powered on previously. + +Signed-off-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20210331081752.23621-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -465,6 +465,7 @@ struct intel_host { + int drv_strength; + bool d3_retune; + bool rpm_retune_ok; ++ bool needs_pwr_off; + u32 glk_rx_ctrl1; + u32 glk_tun_val; + }; +@@ -590,9 +591,25 @@ out: + static void sdhci_intel_set_power(struct sdhci_host *host, unsigned char mode, + unsigned short vdd) + { ++ struct sdhci_pci_slot *slot = sdhci_priv(host); ++ struct intel_host *intel_host = sdhci_pci_priv(slot); + int cntr; + u8 reg; + ++ /* ++ * Bus power may control card power, but a full reset still may not ++ * reset the power, whereas a direct write to SDHCI_POWER_CONTROL can. ++ * That might be needed to initialize correctly, if the card was left ++ * powered on previously. ++ */ ++ if (intel_host->needs_pwr_off) { ++ intel_host->needs_pwr_off = false; ++ if (mode != MMC_POWER_OFF) { ++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL); ++ usleep_range(10000, 12500); ++ } ++ } ++ + sdhci_set_power(host, mode, vdd); + + if (mode == MMC_POWER_OFF) +@@ -926,6 +943,14 @@ static int byt_sdio_probe_slot(struct sd + return 0; + } + ++static void byt_needs_pwr_off(struct sdhci_pci_slot *slot) ++{ ++ struct intel_host *intel_host = sdhci_pci_priv(slot); ++ u8 reg = sdhci_readb(slot->host, SDHCI_POWER_CONTROL); ++ ++ intel_host->needs_pwr_off = reg & SDHCI_POWER_ON; ++} ++ + static int byt_sd_probe_slot(struct sdhci_pci_slot *slot) + { + byt_probe_slot(slot); +@@ -943,6 +968,8 @@ static int byt_sd_probe_slot(struct sdhc + slot->chip->pdev->subsystem_device == PCI_SUBDEVICE_ID_NI_78E3) + slot->host->mmc->caps2 |= MMC_CAP2_AVOID_3_3V; + ++ byt_needs_pwr_off(slot); ++ + return 0; + } + diff --git a/queue-4.19/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch b/queue-4.19/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch new file mode 100644 index 00000000000..58f86fbda4c --- /dev/null +++ b/queue-4.19/mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch @@ -0,0 +1,39 @@ +From 33cebf701e98dd12b01d39d1c644387b27c1a627 Mon Sep 17 00:00:00 2001 +From: "Kai Stuhlemmer (ebee Engineering)" +Date: Mon, 22 Mar 2021 17:07:14 +0200 +Subject: mtd: rawnand: atmel: Update ecc_stats.corrected counter + +From: Kai Stuhlemmer (ebee Engineering) + +commit 33cebf701e98dd12b01d39d1c644387b27c1a627 upstream. + +Update MTD ECC statistics with the number of corrected bits. + +Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") +Cc: stable@vger.kernel.org +Signed-off-by: Kai Stuhlemmer (ebee Engineering) +Signed-off-by: Tudor Ambarus +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210322150714.101585-1-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -826,10 +826,12 @@ static int atmel_nand_pmecc_correct_data + NULL, 0, + chip->ecc.strength); + +- if (ret >= 0) ++ if (ret >= 0) { ++ mtd->ecc_stats.corrected += ret; + max_bitflips = max(ret, max_bitflips); +- else ++ } else { + mtd->ecc_stats.failed++; ++ } + + databuf += chip->ecc.size; + eccbuf += chip->ecc.bytes; diff --git a/queue-4.19/mtd-spinand-core-add-missing-module_device_table.patch b/queue-4.19/mtd-spinand-core-add-missing-module_device_table.patch new file mode 100644 index 00000000000..6097e718bfd --- /dev/null +++ b/queue-4.19/mtd-spinand-core-add-missing-module_device_table.patch @@ -0,0 +1,41 @@ +From 25fefc88c71f47db0466570335e3f75f10952e7a Mon Sep 17 00:00:00 2001 +From: Alexander Lobakin +Date: Tue, 23 Mar 2021 17:37:19 +0000 +Subject: mtd: spinand: core: add missing MODULE_DEVICE_TABLE() + +From: Alexander Lobakin + +commit 25fefc88c71f47db0466570335e3f75f10952e7a upstream. + +The module misses MODULE_DEVICE_TABLE() for both SPI and OF ID tables +and thus never autoloads on ID matches. +Add the missing declarations. +Present since day-0 of spinand framework introduction. + +Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") +Cc: stable@vger.kernel.org # 4.19+ +Signed-off-by: Alexander Lobakin +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210323173714.317884-1-alobakin@pm.me +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -1129,12 +1129,14 @@ static const struct spi_device_id spinan + { .name = "spi-nand" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(spi, spinand_ids); + + #ifdef CONFIG_OF + static const struct of_device_id spinand_of_ids[] = { + { .compatible = "spi-nand" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, spinand_of_ids); + #endif + + static struct spi_mem_driver spinand_drv = { diff --git a/queue-4.19/s390-disassembler-increase-ebpf-disasm-buffer-size.patch b/queue-4.19/s390-disassembler-increase-ebpf-disasm-buffer-size.patch new file mode 100644 index 00000000000..56cd705e5c7 --- /dev/null +++ b/queue-4.19/s390-disassembler-increase-ebpf-disasm-buffer-size.patch @@ -0,0 +1,74 @@ +From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Tue, 20 Apr 2021 11:04:10 +0200 +Subject: s390/disassembler: increase ebpf disasm buffer size + +From: Vasily Gorbik + +commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream. + +Current ebpf disassembly buffer size of 64 is too small. E.g. this line +takes 65 bytes: +01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0 + +Double the buffer size like it is done for the kernel disassembly buffer. + +Fixes the following KASAN finding: + +UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380 +Write of size 1 at addr 001fff800ad5f970 by task test_progs/853 + +CPU: 53 PID: 853 Comm: test_progs Not tainted +5.12.0-rc7-23786-g23457d86b1f0-dirty #19 +Hardware name: IBM 3906 M04 704 (LPAR) +Call Trace: + [<0000000cd8e0538a>] show_stack+0x17a/0x1668 + [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8 + [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260 + [<0000000cd75a8698>] kasan_report+0xc8/0x130 + [<0000000cd6e26da4>] print_fn_code+0x34c/0x380 + [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58 + [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0 + [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0 + [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768 + [<0000000cd6e0f392>] do_syscall+0x12a/0x220 + [<0000000cd8e333f8>] __do_syscall+0x98/0xc8 + [<0000000cd8e54834>] system_call+0x6c/0x94 +1 lock held by test_progs/853: + #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at: + kasan_report+0x96/0x130 + +addr 001fff800ad5f970 is located in stack of task test_progs/853 at +offset 96 in frame: + print_fn_code+0x0/0x380 +this frame has 1 object: + [32, 96) 'buffer' + +Memory state around the buggy address: + 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3 + ^ + 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 + +Cc: +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/dis.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/kernel/dis.c ++++ b/arch/s390/kernel/dis.c +@@ -558,7 +558,7 @@ void show_code(struct pt_regs *regs) + + void print_fn_code(unsigned char *code, unsigned long len) + { +- char buffer[64], *ptr; ++ char buffer[128], *ptr; + int opsize, i; + + while (len) { diff --git a/queue-4.19/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch b/queue-4.19/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch new file mode 100644 index 00000000000..386b5424e11 --- /dev/null +++ b/queue-4.19/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch @@ -0,0 +1,57 @@ +From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Mon, 29 Mar 2021 01:52:23 -0700 +Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() + +From: Arun Easi + +commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream. + + RIP: 0010:kmem_cache_free+0xfa/0x1b0 + Call Trace: + qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx] + scsi_queue_rq+0x5e2/0xa40 + __blk_mq_try_issue_directly+0x128/0x1d0 + blk_mq_request_issue_directly+0x4e/0xb0 + +Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now +allocated by upper layers. This fixes smatch warning of srb unintended +free. + +Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com +Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout") +Cc: stable@vger.kernel.org # 5.5 +Reported-by: Laurence Oberman +Reported-by: Dan Carpenter +Reviewed-by: Himanshu Madhani +Signed-off-by: Arun Easi +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_os.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -1028,8 +1028,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host * + if (rval != QLA_SUCCESS) { + ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078, + "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd); +- if (rval == QLA_INTERFACE_ERROR) +- goto qc24_free_sp_fail_command; + goto qc24_host_busy_free_sp; + } + +@@ -1044,11 +1042,6 @@ qc24_host_busy: + qc24_target_busy: + return SCSI_MLQUEUE_TARGET_BUSY; + +-qc24_free_sp_fail_command: +- sp->free(sp); +- CMD_SP(cmd) = NULL; +- qla2xxx_rel_qpair_sp(sp->qpair, sp); +- + qc24_fail_command: + cmd->scsi_done(cmd); + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..f3af67c23a4 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,17 @@ +s390-disassembler-increase-ebpf-disasm-buffer-size.patch +acpi-custom_method-fix-potential-use-after-free-issue.patch +acpi-custom_method-fix-a-possible-memory-leak.patch +ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch +arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch +arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch +arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch +ecryptfs-fix-kernel-panic-with-null-dev_name.patch +mtd-spinand-core-add-missing-module_device_table.patch +mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch +spi-spi-ti-qspi-free-dma-resources.patch +scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch +mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch +mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch +mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch +mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch +mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch diff --git a/queue-4.19/spi-spi-ti-qspi-free-dma-resources.patch b/queue-4.19/spi-spi-ti-qspi-free-dma-resources.patch new file mode 100644 index 00000000000..a7c0f48a549 --- /dev/null +++ b/queue-4.19/spi-spi-ti-qspi-free-dma-resources.patch @@ -0,0 +1,65 @@ +From 1d309cd688a76fb733f0089d36dc630327b32d59 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Thu, 18 Feb 2021 15:09:50 +0200 +Subject: spi: spi-ti-qspi: Free DMA resources + +From: Tudor Ambarus + +commit 1d309cd688a76fb733f0089d36dc630327b32d59 upstream. + +Release the RX channel and free the dma coherent memory when +devm_spi_register_master() fails. + +Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read") +Cc: stable@vger.kernel.org +Signed-off-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20210218130950.90155-1-tudor.ambarus@microchip.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-ti-qspi.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/spi/spi-ti-qspi.c ++++ b/drivers/spi/spi-ti-qspi.c +@@ -663,6 +663,17 @@ static int ti_qspi_runtime_resume(struct + return 0; + } + ++static void ti_qspi_dma_cleanup(struct ti_qspi *qspi) ++{ ++ if (qspi->rx_bb_addr) ++ dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE, ++ qspi->rx_bb_addr, ++ qspi->rx_bb_dma_addr); ++ ++ if (qspi->rx_chan) ++ dma_release_channel(qspi->rx_chan); ++} ++ + static const struct of_device_id ti_qspi_match[] = { + {.compatible = "ti,dra7xxx-qspi" }, + {.compatible = "ti,am4372-qspi" }, +@@ -817,6 +828,8 @@ no_dma: + if (!ret) + return 0; + ++ ti_qspi_dma_cleanup(qspi); ++ + pm_runtime_disable(&pdev->dev); + free_master: + spi_master_put(master); +@@ -835,12 +848,7 @@ static int ti_qspi_remove(struct platfor + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +- if (qspi->rx_bb_addr) +- dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE, +- qspi->rx_bb_addr, +- qspi->rx_bb_dma_addr); +- if (qspi->rx_chan) +- dma_release_channel(qspi->rx_chan); ++ ti_qspi_dma_cleanup(qspi); + + return 0; + }