From 1d9d5d7297dae87dd5053d744f0b5e7e88911f08 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 7 May 2021 16:06:27 +0200
Subject: [PATCH] 4.4-stable patches
added patches:
acpi-custom_method-fix-a-possible-memory-leak.patch
acpi-custom_method-fix-potential-use-after-free-issue.patch
ecryptfs-fix-kernel-panic-with-null-dev_name.patch
mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
s390-disassembler-increase-ebpf-disasm-buffer-size.patch
---
 ...om_method-fix-a-possible-memory-leak.patch | 36 +++++++++
 ...d-fix-potential-use-after-free-issue.patch | 45 +++++++++++
 ...-fix-kernel-panic-with-null-dev_name.patch | 40 ++++++++++
 ...o-a-power-cycle-when-the-cmd11-fails.patch | 39 ++++++++++
 ...rds-with-permanent-write-protect-bit.patch | 45 +++++++++++
 ...ler-increase-ebpf-disasm-buffer-size.patch | 74 +++++++++++++++++++
 queue-4.4/series | 6 ++
 7 files changed, 285 insertions(+)
 create mode 100644 queue-4.4/acpi-custom_method-fix-a-possible-memory-leak.patch
 create mode 100644 queue-4.4/acpi-custom_method-fix-potential-use-after-free-issue.patch
 create mode 100644 queue-4.4/ecryptfs-fix-kernel-panic-with-null-dev_name.patch
 create mode 100644 queue-4.4/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
 create mode 100644 queue-4.4/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
 create mode 100644 queue-4.4/s390-disassembler-increase-ebpf-disasm-buffer-size.patch
diff --git a/queue-4.4/acpi-custom_method-fix-a-possible-memory-leak.patch b/queue-4.4/acpi-custom_method-fix-a-possible-memory-leak.patch
new file mode 100644
index 00000000000..102ed7e2fec
--- /dev/null
+++ b/queue-4.4/acpi-custom_method-fix-a-possible-memory-leak.patch
@@ -0,0 +1,36 @@
+From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf
+Date: Tue, 27 Apr 2021 13:54:33 -0500
+Subject: ACPI: custom_method: fix a possible memory leak
+
+From: Mark Langsdorf
+
+commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream.
+
+In cm_write(), if the 'buf' is allocated memory but not fully consumed,
+it is possible to reallocate the buffer without freeing it by passing
+'*ppos' as 0 on a subsequent call.
+
+Add an explicit kfree() before kzalloc() to prevent the possible memory
+leak.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Mark Langsdorf
+Cc: 5.4+ # 5.4+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/custom_method.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -37,6 +37,8 @@ static ssize_t cm_write(struct file *fil
+ sizeof(struct acpi_table_header)))
+ return -EFAULT;
+ uncopied_bytes = max_size = table.length;
++ /* make sure the buf is not allocated */
++ kfree(buf);
+ buf = kzalloc(max_size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
diff --git a/queue-4.4/acpi-custom_method-fix-potential-use-after-free-issue.patch b/queue-4.4/acpi-custom_method-fix-potential-use-after-free-issue.patch
new file mode 100644
index 00000000000..3e995aa8e14
--- /dev/null
+++ b/queue-4.4/acpi-custom_method-fix-potential-use-after-free-issue.patch
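Review bot: `buf`, `max_size` and `uncopied_bytes` are declared nowhere in this hunk, and the leak the patch describes only exists because they survive from one call to the next, so they look like function-static state shared by every writer of the debugfs file; nothing visible serializes cm_write(), so two concurrent writers can interleave the new `kfree(buf)` with the other caller's use of the same pointer, and the same exposure applies to both hunks of the use-after-free patch (the next added file), which free and null `buf` from the same unserialized path. If the 4.4 driver has no lock around this, a file-scope mutex taken for the whole body of cm_write() (e.g. `DEFINE_MUTEX` plus `mutex_lock`/`mutex_unlock` at entry and every return) would close the window. The new comment also says the opposite of what the line does — it frees whatever an earlier partial write left behind — so `/* free any buffer left over from a previous, incomplete write */` would read correctly. cm_write() begins and ends outside the hunk.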
@@ -0,0 +1,45 @@
+From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf
+Date: Fri, 23 Apr 2021 10:28:17 -0500
+Subject: ACPI: custom_method: fix potential use-after-free issue
+
+From: Mark Langsdorf
+
+commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream.
+
+In cm_write(), buf is always freed when reaching the end of the
+function. If the requested count is less than table.length, the
+allocated buffer will be freed but subsequent calls to cm_write() will
+still try to access it.
+
+Remove the unconditional kfree(buf) at the end of the function and
+set the buf to NULL in the -EINVAL error path to match the rest of
+function.
+
+Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
+Signed-off-by: Mark Langsdorf
+Cc: 5.4+ # 5.4+
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/custom_method.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -50,6 +50,7 @@ static ssize_t cm_write(struct file *fil
+ (*ppos + count < count) ||
+ (count > uncopied_bytes)) {
+ kfree(buf);
++ buf = NULL;
+ return -EINVAL;
+ }
+
+@@ -71,7 +72,6 @@ static ssize_t cm_write(struct file *fil
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
+- kfree(buf);
+ return count;
+ }
+
diff --git a/queue-4.4/ecryptfs-fix-kernel-panic-with-null-dev_name.patch b/queue-4.4/ecryptfs-fix-kernel-panic-with-null-dev_name.patch
new file mode 100644
index 00000000000..a037dbbdd9e
--- /dev/null
+++ b/queue-4.4/ecryptfs-fix-kernel-panic-with-null-dev_name.patch
@@ -0,0 +1,40 @@
+From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001
+From: Jeffrey Mitchell
+Date: Fri, 26 Feb 2021 15:00:23 -0600
+Subject: ecryptfs: fix kernel panic with null dev_name
+
+From: Jeffrey Mitchell
+
+commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream.
+
+When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount()
+causes a kernel panic if the parsed options are valid. The easiest way to
+reproduce this is to call mount() from userspace with an existing
+eCryptfs mount's options and a "source" argument of 0.
+
+Error out if "dev_name" is null in ecryptfs_mount()
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Mitchell
+Signed-off-by: Tyler Hicks
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ecryptfs/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -507,6 +507,12 @@ static struct dentry *ecryptfs_mount(str
+ goto out;
+ }
+
++ if (!dev_name) {
++ rc = -EINVAL;
++ err = "Device name cannot be null";
++ goto out;
++ }
++
+ rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ if (rc) {
+ err = "Error parsing options";
diff --git a/queue-4.4/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch b/queue-4.4/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
new file mode 100644
index 00000000000..d94aad51cc2
--- /dev/null
+++ b/queue-4.4/mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
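Review bot: The new `dev_name` check sits after the `goto out;` of an earlier failure path, i.e. after whatever setup those preceding lines perform (the `sbi` passed to ecryptfs_parse_options() just below has evidently already been allocated), so a caller passing a bad argument pays for that setup before being rejected and relies on the `out:` cleanup to undo it. Moving the check to the top of ecryptfs_mount(), ahead of any allocation, keeps argument validation in one place and makes the error path trivially correct; the function's opening is outside this hunk, so the exact lines it would precede cannot be seen here. Worth a one-line comment on the check as well, e.g. `/* mount(2) may pass a NULL source; the path lookup below cannot take it */`, since the reason is only in the commit message.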
@@ -0,0 +1,39 @@
+From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001
+From: DooHyun Hwang
+Date: Wed, 10 Feb 2021 13:59:36 +0900
+Subject: mmc: core: Do a power cycle when the CMD11 fails
+
+From: DooHyun Hwang
+
+commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream.
+
+A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure
+into 1.8V I/O. According to the SD spec a power cycle is needed of the
+card, if it turns out that the CMD11 fails. Let's fix this, to allow a
+retry of the initialization without the voltage switch, to succeed.
+
+Note that, whether it makes sense to also retry with the voltage switch
+after the power cycle is a bit more difficult to know. At this point, we
+treat it like the CMD11 isn't supported and therefore we skip it when
+retrying.
+
+Signed-off-by: DooHyun Hwang
+Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1593,7 +1593,7 @@ int mmc_set_signal_voltage(struct mmc_ho
+
+ err = mmc_wait_for_cmd(host, &cmd, 0);
+ if (err)
+- return err;
++ goto power_cycle;
+
+ if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR))
+ return -EIO;
diff --git a/queue-4.4/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch b/queue-4.4/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
new file mode 100644
index 00000000000..9619087921c
--- /dev/null
+++ b/queue-4.4/mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
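Review bot: The `return -EIO;` two lines below the new `goto power_cycle` still leaves the card without a power cycle when CMD11 is answered with R1_ERROR, which by the commit message's own reasoning is also a failed CMD11; `err = -EIO; goto power_cycle;` would treat both failures the same way, provided the `power_cycle:` label (outside the hunk) only cycles the card when `err` is non-zero. Since the hunk's line numbers differ from upstream's, it is also worth confirming that the 4.4 copy of mmc_set_signal_voltage() actually carries a `power_cycle:` label with the same semantics, as nothing in this hunk shows it. The function begins and ends outside the hunk.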
@@ -0,0 +1,45 @@
+From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001
+From: Seunghui Lee
+Date: Mon, 22 Feb 2021 17:31:56 +0900
+Subject: mmc: core: Set read only for SD cards with permanent write protect bit
+
+From: Seunghui Lee
+
+commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream.
+
+Some of SD cards sets permanent write protection bit in their CSD register,
+due to lifespan or internal problem. To avoid unnecessary I/O write
+operations, let's parse the bits in the CSD during initialization and mark
+the card as read only for this case.
+
+Signed-off-by: Seunghui Lee
+Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -138,6 +138,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1;
+ csd->erase_size <<= csd->write_blkbits - 9;
+ }
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ case 1:
+ /*
+@@ -172,6 +175,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->write_blkbits = 9;
+ csd->write_partial = 0;
+ csd->erase_size = 1;
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ default:
+ pr_err("%s: unrecognised CSD structure version %d\n",
diff --git a/queue-4.4/s390-disassembler-increase-ebpf-disasm-buffer-size.patch b/queue-4.4/s390-disassembler-increase-ebpf-disasm-buffer-size.patch
new file mode 100644
index 00000000000..d7843059127
--- /dev/null
+++ b/queue-4.4/s390-disassembler-increase-ebpf-disasm-buffer-size.patch
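Review bot: `UNSTUFF_BITS(resp, 13, 1)` is added twice, in the `case 0` and `case 1` arms, as a bare bit number with nothing in the code saying which CSD field it reads; only the commit message identifies it as the permanent write-protect bit. Each copy should carry that name, e.g. `/* PERM_WRITE_PROTECT: card can never be written again, expose it read-only */`, or better, the check should be hoisted to a single place after the `switch` so the two structure versions cannot drift apart — that is safe only if the `default:` arm (cut off at the end of the hunk) returns rather than falling through, which should be confirmed. mmc_decode_csd() begins and ends outside the hunk.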
@@ -0,0 +1,74 @@
+From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik
+Date: Tue, 20 Apr 2021 11:04:10 +0200
+Subject: s390/disassembler: increase ebpf disasm buffer size
+
+From: Vasily Gorbik
+
+commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream.
+
+Current ebpf disassembly buffer size of 64 is too small. E.g. this line
+takes 65 bytes:
+01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0
+
+Double the buffer size like it is done for the kernel disassembly buffer.
+
+Fixes the following KASAN finding:
+
+UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380
+Write of size 1 at addr 001fff800ad5f970 by task test_progs/853
+
+CPU: 53 PID: 853 Comm: test_progs Not tainted
+5.12.0-rc7-23786-g23457d86b1f0-dirty #19
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+ [<0000000cd8e0538a>] show_stack+0x17a/0x1668
+ [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8
+ [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260
+ [<0000000cd75a8698>] kasan_report+0xc8/0x130
+ [<0000000cd6e26da4>] print_fn_code+0x34c/0x380
+ [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58
+ [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0
+ [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0
+ [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768
+ [<0000000cd6e0f392>] do_syscall+0x12a/0x220
+ [<0000000cd8e333f8>] __do_syscall+0x98/0xc8
+ [<0000000cd8e54834>] system_call+0x6c/0x94
+1 lock held by test_progs/853:
+ #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at:
+ kasan_report+0x96/0x130
+
+addr 001fff800ad5f970 is located in stack of task test_progs/853 at
+offset 96 in frame:
+ print_fn_code+0x0/0x380
+this frame has 1 object:
+ [32, 96) 'buffer'
+
+Memory state around the buggy address:
+ 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3
+ ^
+ 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
+
+Cc:
+Reviewed-by: Heiko Carstens
+Signed-off-by: Vasily Gorbik
+Signed-off-by: Heiko Carstens
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/dis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -2033,7 +2033,7 @@ void show_code(struct pt_regs *regs)
+
+ void print_fn_code(unsigned char *code, unsigned long len)
+ {
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ int opsize, i;
+
+ while (len) {
diff --git a/queue-4.4/series b/queue-4.4/series
index 33b381539dc..43db85b78d7 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -5,3 +5,9 @@ alsa-usb-audio-add-midi-quirk-for-vox-tonelab-ex.patch
 usb-add-lpm-quirk-for-lenovo-thinkpad-usb-c-dock-gen2-ethernet.patch
 usb-add-reset-resume-quirk-for-wd19-s-realtek-hub.patch
 platform-x86-thinkpad_acpi-correct-thermal-sensor-allocation.patch
+s390-disassembler-increase-ebpf-disasm-buffer-size.patch
+acpi-custom_method-fix-potential-use-after-free-issue.patch
+acpi-custom_method-fix-a-possible-memory-leak.patch
+ecryptfs-fix-kernel-panic-with-null-dev_name.patch
+mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
+mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
--
2.47.3
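Review bot: Growing `buffer` from 64 to 128 bytes removes the overflow KASAN observed but not its cause: the formatting that fills `buffer` (outside this hunk) evidently wrote one byte past a 64-byte array, so it is not bounded by the array's size, and a longer mnemonic/operand combination would run past 128 the same way. The durable fix is to make those writes size-aware — pass the remaining room, `sizeof(buffer) - (ptr - buffer)`, into the formatting calls and stop or truncate when it is exhausted — or at least to document the invariant at the declaration, e.g. `/* must hold the longest line the disassembler emits; 64 was one byte short */`. The commit message says the kernel disassembly buffer already uses the same size, so the two `128`s deserve one shared named constant rather than two literals that can drift apart again. print_fn_code() continues outside the hunk.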