Linux-mmc Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH AUTOSEL 4.19 336/671] mmc: core: fix possible use after free of host
       [not found] <20200116170509.12787-1-sashal@kernel.org>
@ 2020-01-16 16:59 ` Sasha Levin
  2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 647/671] mmc: sdio: fix wl1251 vendor id Sasha Levin
  2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 648/671] mmc: core: fix wl1251 sdio quirks Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2020-01-16 16:59 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Pan Bian, Ulf Hansson, Sasha Levin, linux-mmc

From: Pan Bian <bianpan2016@163.com>

[ Upstream commit 8e1943af2986db42bee2b8dddf49a36cdb2e9219 ]

In the function mmc_alloc_host, the function put_device is called to
release allocated resources when mmc_gpio_alloc fails. Finally, the
function pointed by host->class_dev.class->dev_release (i.e.,
mmc_host_classdev_release) is used to release resources including the
host structure. However, after put_device, host is used and released
again. Resulting in a use-after-free bug.

Fixes: 1ed217194488 ("mmc: core: fix error path in mmc_host_alloc")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/core/host.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/mmc/core/host.c b/drivers/mmc/core/host.c
index f57f5de54206..dd1c14d8f686 100644
--- a/drivers/mmc/core/host.c
+++ b/drivers/mmc/core/host.c
@@ -385,8 +385,6 @@ struct mmc_host *mmc_alloc_host(int extra, struct device *dev)
 
 	if (mmc_gpio_alloc(host)) {
 		put_device(&host->class_dev);
-		ida_simple_remove(&mmc_host_ida, host->index);
-		kfree(host);
 		return NULL;
 	}
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 4.19 647/671] mmc: sdio: fix wl1251 vendor id
       [not found] <20200116170509.12787-1-sashal@kernel.org>
  2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 336/671] mmc: core: fix possible use after free of host Sasha Levin
@ 2020-01-16 17:04 ` Sasha Levin
  2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 648/671] mmc: core: fix wl1251 sdio quirks Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2020-01-16 17:04 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: H. Nikolaus Schaller, Ulf Hansson, Sasha Levin, linux-mmc

From: "H. Nikolaus Schaller" <hns@goldelico.com>

[ Upstream commit e5db673e7fe2f971ec82039a28dc0811c2100e87 ]

v4.11-rc1 did introduce a patch series that rearranged the
sdio quirks into a header file. Unfortunately this did forget
to handle SDIO_VENDOR_ID_TI differently between wl1251 and
wl1271 with the result that although the wl1251 was found on
the sdio bus, the firmware did not load any more and there was
no interface registration.

This patch defines separate constants to be used by sdio quirks
and drivers.

Fixes: 884f38607897 ("mmc: core: move some sdio IDs out of quirks file")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/mmc/sdio_ids.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/mmc/sdio_ids.h b/include/linux/mmc/sdio_ids.h
index 4224902a8e22..358d6be357ed 100644
--- a/include/linux/mmc/sdio_ids.h
+++ b/include/linux/mmc/sdio_ids.h
@@ -68,6 +68,8 @@
 
 #define SDIO_VENDOR_ID_TI			0x0097
 #define SDIO_DEVICE_ID_TI_WL1271		0x4076
+#define SDIO_VENDOR_ID_TI_WL1251		0x104c
+#define SDIO_DEVICE_ID_TI_WL1251		0x9066
 
 #define SDIO_VENDOR_ID_STE			0x0020
 #define SDIO_DEVICE_ID_STE_CW1200		0x2280
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [PATCH AUTOSEL 4.19 648/671] mmc: core: fix wl1251 sdio quirks
       [not found] <20200116170509.12787-1-sashal@kernel.org>
  2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 336/671] mmc: core: fix possible use after free of host Sasha Levin
  2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 647/671] mmc: sdio: fix wl1251 vendor id Sasha Levin
@ 2020-01-16 17:04 ` Sasha Levin
  2 siblings, 0 replies; 3+ messages in thread
From: Sasha Levin @ 2020-01-16 17:04 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: H. Nikolaus Schaller, Ulf Hansson, Sasha Levin, linux-mmc

From: "H. Nikolaus Schaller" <hns@goldelico.com>

[ Upstream commit 16568b4a4f0c34bd35cfadac63303c7af7812764 ]

wl1251 and wl1271 have different vendor id and device id.
So we need to handle both with sdio quirks.

Fixes: 884f38607897 ("mmc: core: move some sdio IDs out of quirks file")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/core/quirks.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/mmc/core/quirks.h b/drivers/mmc/core/quirks.h
index dd2f73af8f2c..d5bbe8e544de 100644
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -119,7 +119,14 @@ static const struct mmc_fixup mmc_ext_csd_fixups[] = {
 	END_FIXUP
 };
 
+
 static const struct mmc_fixup sdio_fixup_methods[] = {
+	SDIO_FIXUP(SDIO_VENDOR_ID_TI_WL1251, SDIO_DEVICE_ID_TI_WL1251,
+		   add_quirk, MMC_QUIRK_NONSTD_FUNC_IF),
+
+	SDIO_FIXUP(SDIO_VENDOR_ID_TI_WL1251, SDIO_DEVICE_ID_TI_WL1251,
+		   add_quirk, MMC_QUIRK_DISABLE_CD),
+
 	SDIO_FIXUP(SDIO_VENDOR_ID_TI, SDIO_DEVICE_ID_TI_WL1271,
 		   add_quirk, MMC_QUIRK_NONSTD_FUNC_IF),
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20200116170509.12787-1-sashal@kernel.org>
2020-01-16 16:59 ` [PATCH AUTOSEL 4.19 336/671] mmc: core: fix possible use after free of host Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 647/671] mmc: sdio: fix wl1251 vendor id Sasha Levin
2020-01-16 17:04 ` [PATCH AUTOSEL 4.19 648/671] mmc: core: fix wl1251 sdio quirks Sasha Levin

Linux-mmc Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-mmc/0 linux-mmc/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-mmc linux-mmc/ https://lore.kernel.org/linux-mmc \
		linux-mmc@vger.kernel.org
	public-inbox-index linux-mmc

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-mmc


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git