Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.78 2021-07-14T14:55:53+00:00 2021-07-14T14:55:53+00:00 Tong Zhang ztong0001@gmail.com 2021-05-11T16:39:45+00:00 urn:sha1:b6cbe1fcf85ee3c62c8e0642edbf7d027f4e7e38 [ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ] This patch fixes the following issues: 1. memstick_free_host() will free the host, so the use of ms_dev(host) after it will be a problem. To fix this, move memstick_free_host() after when we are done with ms_dev(host). 2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove and free host otherwise memstick_check will be called and UAF will happen. [ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] [ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms] [ 11.357376] platform_remove+0x2a/0x50 [ 11.367531] Freed by task 298: [ 11.368537] kfree+0xa4/0x2a0 [ 11.368711] device_release+0x51/0xe0 [ 11.368905] kobject_put+0xa2/0x120 [ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms] [ 11.369386] platform_remove+0x2a/0x50 [ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0 [ 12.045432] mutex_lock+0xc9/0xd0 [ 12.046080] memstick_check+0x6a/0x578 [memstick] [ 12.046509] process_one_work+0x46d/0x750 [ 12.052107] Freed by task 297: [ 12.053115] kfree+0xa4/0x2a0 [ 12.053272] device_release+0x51/0xe0 [ 12.053463] kobject_put+0xa2/0x120 [ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms] [ 12.053939] platform_remove+0x2a/0x50 Signed-off-by: Tong Zhang <ztong0001@gmail.com> Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-12-30T10:53:34+00:00 Jing Xiangfeng jingxiangfeng@huawei.com 2020-11-25T01:47:18+00:00 urn:sha1:db4a90026e153c995ba33c95ef1f370e048d9f79 [ Upstream commit db29d3d1c2451e673e29c7257471e3ce9d50383a ] Fix to return a error code from the error handling case instead of 0. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com> Link: https://lore.kernel.org/r/20201125014718.153563-1-jingxiangfeng@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-12-30T10:53:20+00:00 Qinglang Miao miaoqinglang@huawei.com 2020-11-20T07:48:46+00:00 urn:sha1:365a94fc1e3d0c78df67b39b819ceb645b96b391 [ Upstream commit e3e9ced5c93803d5b2ea1942c4bf0192622531d6 ] kfree(host->card) has been called in put_device so that another kfree would raise cause a double-free bug. Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com> Link: https://lore.kernel.org/r/20201120074846.31322-1-miaoqinglang@huawei.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-09-28T10:17:36+00:00 Ulf Hansson ulf.hansson@linaro.org 2020-09-28T10:17:36+00:00 urn:sha1:21685f9a7d7cdb3f68d83352377571fb24d03134 2020-09-28T10:16:13+00:00 Kai-Heng Feng kai.heng.feng@canonical.com 2020-09-25T08:49:51+00:00 urn:sha1:62c59a8786e6bb75569cee91dab66e9da3ff4b68 After commit 6827ca573c03 ("memstick: rtsx_usb_ms: Support runtime power management"), removing module rtsx_usb_ms will be stuck. The deadlock is caused by powering on and powering off at the same time, the former one is when memstick_check() is flushed, and the later is called by memstick_remove_host(). Soe let's skip allocating card to prevent this issue. Fixes: 6827ca573c03 ("memstick: rtsx_usb_ms: Support runtime power management") Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Link: https://lore.kernel.org/r/20200925084952.13220-1-kai.heng.feng@canonical.com Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 2020-09-07T07:11:28+00:00 Colin Ian King colin.king@canonical.com 2020-08-10T08:02:47+00:00 urn:sha1:309de450d78e9e83036f8b696596d8e7aa078f0d There is a spelling mistake in a debug message. Fix it. Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20200810080247.47024-1-colin.king@canonical.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 2020-08-23T22:36:59+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2020-08-23T22:36:59+00:00 urn:sha1:df561f6688fef775baa341a0f5d960becd248b11 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> 2020-08-05T20:23:24+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-08-05T20:23:24+00:00 urn:sha1:8f7be6291529011a58856bf178f52ed5751c68ac Pull MMC updates from Ulf Hansson: "MMC core: - Add a new host cap bit and a corresponding DT property, to support power cycling of the card by FW at system suspend/resume. - Fix clock rate setting for SDIO in SDR12/SDR25 speed-mode - Fix switch to 1/4-bit mode at system suspend/resume for SD-combo cards - Convert the mmc-pwrseq DT bindings to the json-schema - Always allow the card detect uevent to be consumed by userspace MMC host controllers: - Convert a few DT bindings to the json-schema - mtk-sd: - Add support for command queue through cqhci - Add support for the MT6779 variant - renesas_sdhi_internal_dmac: - Fix dma unmapping in the error path - sdhci_am654: - Add support for the AM65x PG2.0 variant - Extend support for phys/clocks - sdhci-cadence: - Drop incorrect HW tuning for SD mode - sdhci-msm: - Add support for interconnect bandwidth scaling - Enable internal voltage control - Enable low power state for pinctrls - sdhci-of-at91: - Ludovic Desroches handovers maintenance to Eugen Hristev - sdhci-pci-gli: - Improve clock handling for GL975x - sdhci-pci-o2micro: - Add HW tuning for SDR104 mode - Fix support for O2 host controller Seabird1" * tag 'mmc-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (66 commits) mmc: mediatek: make function msdc_cqe_disable() static MAINTAINERS: mmc: sdhci-of-at91: handover maintenance to Eugen Hristev dt-bindings: mmc: mediatek: Add document for mt6779 mmc: mediatek: command queue support mmc: mediatek: refine msdc timeout api mmc: mediatek: add MT6779 MMC driver support mmc: sdhci-pci-o2micro: Add HW tuning for SDR104 mode mmc: sdhci-pci-o2micro: Bug fix for O2 host controller Seabird1 mmc: via-sdmmc: use generic power management memstick: jmb38x_ms: use generic power management mmc: sdhci-cadence: do not use hardware tuning for SD mode mmc: sdhci-pci-gli: Set SDR104's clock to 205MHz and enable SSC for GL975x mmc: cqhci: Fix a print format for the task descriptor mmc: sdhci-of-arasan: fix timings allocation code mmc: sdhci: Fix a potential uninitialized variable dt-bindings: mmc: renesas,sdhi: convert to YAML dt-bindings: mmc: convert arasan sdhci bindings to yaml mmc: sdhci: Fix potential null pointer access while accessing vqmmc mmc: core: Add MMC_CAP2_FULL_PWR_CYCLE_IN_SUSPEND dt-bindings: mmc: Add full-pwr-cycle-in-suspend property ... 2020-07-24T10:24:13+00:00 Vaibhav Gupta vaibhavgupta40@gmail.com 2020-07-20T11:16:26+00:00 urn:sha1:c4e5e22b3b4895821b7e7a9f5b2f7c820fb48ca3 Drivers using legacy PM have to manage PCI states and device's PM states themselves. They also need to take care of configuration registers. With improved and powerful support of generic PM, PCI Core takes care of above mentioned, device-independent, jobs. This driver makes use of PCI helper functions like pci_save/restore_state(), pci_enable/disable_device(), pci_set_power_state() and pci_set_master() to do required operations. In generic mode, they are no longer needed. Change function parameter in both .suspend() and .resume() to "struct device*" type. Use to_pci_dev() and dev_get_drvdata() to get "struct pci_dev*" variable and drv data. Compile-tested only. Signed-off-by: Vaibhav Gupta <vaibhavgupta40@gmail.com> Link: https://lore.kernel.org/r/20200720111625.306681-1-vaibhavgupta40@gmail.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 2020-07-16T19:35:15+00:00 Kees Cook keescook@chromium.org 2020-06-03T20:09:38+00:00 urn:sha1:3f649ab728cda8038259d8f14492fe400fbab911 Using uninitialized_var() is dangerous as it papers over real bugs[1] (or can in the future), and suppresses unrelated compiler warnings (e.g. "unused variable"). If the compiler thinks it is uninitialized, either simply initialize the variable or make compiler changes. In preparation for removing[2] the[3] macro[4], remove all remaining needless uses with the following script: git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \ xargs perl -pi -e \ 's/\buninitialized_var\(([^\)]+)\)/\1/g; s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;' drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid pathological white-space. No outstanding warnings were found building allmodconfig with GCC 9.3.0 for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64, alpha, and m68k. [1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/ [2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/ [3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/ [4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/ Reviewed-by: Leon Romanovsky <leonro@mellanox.com> # drivers/infiniband and mlx4/mlx5 Acked-by: Jason Gunthorpe <jgg@mellanox.com> # IB Acked-by: Kalle Valo <kvalo@codeaurora.org> # wireless drivers Reviewed-by: Chao Yu <yuchao0@huawei.com> # erofs Signed-off-by: Kees Cook <keescook@chromium.org>