linux.git/drivers/memstick, branch v6.9-rc2 Linux kernel source tree Merge tag 'mmc-v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc 2024-03-13T17:59:28+00:00 Linus Torvalds torvalds@linux-foundation.org 2024-03-13T17:59:28+00:00 245b6f3239d9a4fe72f6fc78fc9a005fff2726c5 Pull MMC updates from Ulf Hansson: "MMC core: - Drop the use of BLK_BOUNCE_HIGH - Fix partition switch for GP3 - Remove usage of the deprecated ida_simple API MMC host: - cqhci: Update bouncing email-addresses in MAINTAINERS - davinci_mmc: Use sg_miter for PIO - dw_mmc-hi3798cv200: Convert the DT bindings to YAML - dw_mmc-hi3798mv200: Add driver for the new dw_mmc variant - fsl-imx-esdhc: A couple of corrections/updates to the DT bindings - meson-mx-sdhc: Drop use of the ->card_hw_reset() callback - moxart-mmc: Use sg_miter for PIO - moxart-mmc: Fix accounting for DMA transfers - mvsdio: Use sg_miter for PIO - mxcmmc: Use sg_miter for PIO - omap: Use sg_miter for PIO - renesas,sdhi: Add support for R-Car V4M variant - sdhci-esdhc-mcf: Use sg_miter for swapping - sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002 variants - sh_mmcif: Use sg_miter for PIO - tmio: Avoid concurrent runs of mmc_request_done()" * tag 'mmc-v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (44 commits) mmc: core: make mmc_host_class constant mmc: core: Fix switch on gp3 partition mmc: tmio: comment the ERR_PTR usage in this driver mmc: mmc_spi: Don't mention DMA direction mmc: dw_mmc: Remove unused of_gpio.h mmc: dw_mmc: add support for hi3798mv200 dt-bindings: mmc: hisilicon,hi3798cv200-dw-mshc: add Hi3798MV200 binding dt-bindings: mmc: dw-mshc-hi3798cv200: convert to YAML mmc: dw_mmc-hi3798cv200: remove MODULE_ALIAS() mmc: core: Use a struct device* as in-param to mmc_of_parse_clk_phase() mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function mmc: tmio: avoid concurrent runs of mmc_request_done() dt-bindings: mmc: fsl-imx-mmc: Document the required clocks mmc: sh_mmcif: Advance sg_miter before reading blocks mmc: sh_mmcif: sg_miter must not be atomic mmc: sdhci-esdhc-mcf: Flag the sg_miter as atomic dt-bindings: mmc: fsl-imx-esdhc: add default and 100mhz state mmc: core: constify the struct device_type usage mmc: sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002 dt-bindings: mmc: sdhci-of-dwcmhsc: Add Sophgo CV1800B and SG2002 support ... 
Pull MMC updates from Ulf Hansson:
 "MMC core:
   - Drop the use of BLK_BOUNCE_HIGH
   - Fix partition switch for GP3
   - Remove usage of the deprecated ida_simple API

  MMC host:
   - cqhci: Update bouncing email-addresses in MAINTAINERS
   - davinci_mmc: Use sg_miter for PIO
   - dw_mmc-hi3798cv200: Convert the DT bindings to YAML
   - dw_mmc-hi3798mv200: Add driver for the new dw_mmc variant
   - fsl-imx-esdhc: A couple of corrections/updates to the DT bindings
   - meson-mx-sdhc: Drop use of the ->card_hw_reset() callback
   - moxart-mmc: Use sg_miter for PIO
   - moxart-mmc: Fix accounting for DMA transfers
   - mvsdio: Use sg_miter for PIO
   - mxcmmc: Use sg_miter for PIO
   - omap: Use sg_miter for PIO
   - renesas,sdhi: Add support for R-Car V4M variant
   - sdhci-esdhc-mcf: Use sg_miter for swapping
   - sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002 variants
   - sh_mmcif: Use sg_miter for PIO
   - tmio: Avoid concurrent runs of mmc_request_done()"

* tag 'mmc-v6.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (44 commits)
  mmc: core: make mmc_host_class constant
  mmc: core: Fix switch on gp3 partition
  mmc: tmio: comment the ERR_PTR usage in this driver
  mmc: mmc_spi: Don't mention DMA direction
  mmc: dw_mmc: Remove unused of_gpio.h
  mmc: dw_mmc: add support for hi3798mv200
  dt-bindings: mmc: hisilicon,hi3798cv200-dw-mshc: add Hi3798MV200 binding
  dt-bindings: mmc: dw-mshc-hi3798cv200: convert to YAML
  mmc: dw_mmc-hi3798cv200: remove MODULE_ALIAS()
  mmc: core: Use a struct device* as in-param to mmc_of_parse_clk_phase()
  mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove function
  mmc: tmio: avoid concurrent runs of mmc_request_done()
  dt-bindings: mmc: fsl-imx-mmc: Document the required clocks
  mmc: sh_mmcif: Advance sg_miter before reading blocks
  mmc: sh_mmcif: sg_miter must not be atomic
  mmc: sdhci-esdhc-mcf: Flag the sg_miter as atomic
  dt-bindings: mmc: fsl-imx-esdhc: add default and 100mhz state
  mmc: core: constify the struct device_type usage
  mmc: sdhci-of-dwcmshc: Add support for Sophgo CV1800B and SG2002
  dt-bindings: mmc: sdhci-of-dwcmhsc: Add Sophgo CV1800B and SG2002 support
  ...
mspro_block: pass queue_limits to blk_mq_alloc_disk 2024-02-19T23:59:31+00:00 Christoph Hellwig hch@lst.de 2024-02-15T07:02:55+00:00 9f633ecd43046659e3345bc4a4404e1d2ba67463 Pass the few limits mspro_block imposes directly to blk_mq_alloc_disk instead of setting them one at a time. Signed-off-by: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20240215070300.2200308-13-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> 
Pass the few limits mspro_block imposes directly to blk_mq_alloc_disk
instead of setting them one at a time.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240215070300.2200308-13-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
ms_block: pass queue_limits to blk_mq_alloc_disk 2024-02-19T23:59:31+00:00 Christoph Hellwig hch@lst.de 2024-02-15T07:02:54+00:00 f93b43ae3feafedc5777099ca1a0e05352b92671 Pass the few limits ms_block imposes directly to blk_mq_alloc_disk instead of setting them one at a time. Signed-off-by: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20240215070300.2200308-12-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> 
Pass the few limits ms_block imposes directly to blk_mq_alloc_disk
instead of setting them one at a time.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240215070300.2200308-12-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
block: pass a queue_limits argument to blk_mq_alloc_disk 2024-02-13T15:56:59+00:00 Christoph Hellwig hch@lst.de 2024-02-13T07:34:20+00:00 27e32cd23fed1ab88098897897dcb9ec2bdba4de Pass a queue_limits to blk_mq_alloc_disk and apply it if non-NULL. This will allow allocating queues with valid queue limits instead of setting the values one at a time later. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Keith Busch <kbusch@kernel.org> Reviewed-by: John Garry <john.g.garry@oracle.com> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Ming Lei <ming.lei@redhat.com> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com> Reviewed-by: Hannes Reinecke <hare@suse.de> Link: https://lore.kernel.org/r/20240213073425.1621680-11-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk> 
Pass a queue_limits to blk_mq_alloc_disk and apply it if non-NULL.  This
will allow allocating queues with valid queue limits instead of setting
the values one at a time later.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20240213073425.1621680-11-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
memstick: core: make memstick_bus_type const 2024-02-13T12:37:28+00:00 Ricardo B. Marliere ricardo@marliere.net 2024-02-04T20:05:58+00:00 cb8e8570d5c99e99715466d5616ad1bc3a4ad2f8 Now that the driver core can properly handle constant struct bus_type, move the memstick_bus_type variable to be a constant structure as well, placing it into read-only memory which can not be modified at runtime. Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20240204-bus_cleanup-memstick-v1-1-14809d4405d8@marliere.net Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Now that the driver core can properly handle constant struct bus_type,
move the memstick_bus_type variable to be a constant structure as well,
placing it into read-only memory which can not be modified at runtime.

Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20240204-bus_cleanup-memstick-v1-1-14809d4405d8@marliere.net
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: jmb38x_ms: Annotate struct jmb38x_ms with __counted_by 2023-09-27T10:13:18+00:00 Kees Cook keescook@chromium.org 2023-09-22T17:52:50+00:00 45492b13453f9862abff6f9d7af5e8116849a9c9 Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct jmb38x_ms. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Maxim Levitsky <maximlevitsky@gmail.com> Cc: Alex Dubov <oakad@yahoo.com> Cc: Ulf Hansson <ulf.hansson@linaro.org> Cc: Tom Rix <trix@redhat.com> Cc: Len Baker <len.baker@gmx.com> Cc: Dan Carpenter <error27@gmail.com> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: linux-mmc@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20230922175249.work.593-kees@kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

As found with Coccinelle[1], add __counted_by for struct jmb38x_ms.

[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci

Cc: Maxim Levitsky <maximlevitsky@gmail.com>
Cc: Alex Dubov <oakad@yahoo.com>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Tom Rix <trix@redhat.com>
Cc: Len Baker <len.baker@gmx.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-mmc@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230922175249.work.593-kees@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick r592: make memstick_debug_get_tpc_name() static 2023-06-12T13:16:19+00:00 Arnd Bergmann arnd@arndb.de 2023-05-16T20:27:04+00:00 434587df9f7fd68575f99a889cc5f2efc2eaee5e There are no other files referencing this function, apparently it was left global to avoid an 'unused function' warning when the only caller is left out. With a 'W=1' build, it causes a 'missing prototype' warning though: drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes] Annotate the function as 'static __maybe_unused' to avoid both problems. Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
There are no other files referencing this function, apparently
it was left global to avoid an 'unused function' warning when
the only caller is left out. With a 'W=1' build, it causes
a 'missing prototype' warning though:

drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]

Annotate the function as 'static __maybe_unused' to avoid both
problems.

Fixes: 926341250102 ("memstick: add driver for Ricoh R5C592 card reader")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
mmc: Merge branch fixes into next 2023-04-05T09:45:35+00:00 Ulf Hansson ulf.hansson@linaro.org 2023-04-05T09:45:35+00:00 ec49843332dfffe85408b0a33acc818ff6c068b8 Merge the mmc fixes for v6.3-rc[n] into the next branch, to allow them to get tested together with the new mmc changes that are targeted for v6.4. Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
Merge the mmc fixes for v6.3-rc[n] into the next branch, to allow them to
get tested together with the new mmc changes that are targeted for v6.4.

Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: fix memory leak if card device is never registered 2023-04-05T09:43:51+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2023-04-01T20:03:27+00:00 4b6d621c9d859ff89e68cebf6178652592676013 When calling dev_set_name() memory is allocated for the name for the struct device. Once that structure device is registered, or attempted to be registerd, with the driver core, the driver core will handle cleaning up that memory when the device is removed from the system. Unfortunatly for the memstick code, there is an error path that causes the struct device to never be registered, and so the memory allocated in dev_set_name will be leaked. Fix that leak by manually freeing it right before the memory for the device is freed. Cc: Maxim Levitsky <maximlevitsky@gmail.com> Cc: Alex Dubov <oakad@yahoo.com> Cc: Ulf Hansson <ulf.hansson@linaro.org> Cc: "Rafael J. Wysocki" <rafael@kernel.org> Cc: Hans de Goede <hdegoede@redhat.com> Cc: Kay Sievers <kay.sievers@vrfy.org> Cc: linux-mmc@vger.kernel.org Fixes: 0252c3b4f018 ("memstick: struct device - replace bus_id with dev_name(), dev_set_name()") Cc: stable <stable@kernel.org> Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Co-developed-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr> Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr> Link: https://lore.kernel.org/r/20230401200327.16800-1-gregkh@linuxfoundation.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
When calling dev_set_name() memory is allocated for the name for the
struct device.  Once that structure device is registered, or attempted
to be registerd, with the driver core, the driver core will handle
cleaning up that memory when the device is removed from the system.

Unfortunatly for the memstick code, there is an error path that causes
the struct device to never be registered, and so the memory allocated in
dev_set_name will be leaked.  Fix that leak by manually freeing it right
before the memory for the device is freed.

Cc: Maxim Levitsky <maximlevitsky@gmail.com>
Cc: Alex Dubov <oakad@yahoo.com>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: linux-mmc@vger.kernel.org
Fixes: 0252c3b4f018 ("memstick: struct device - replace bus_id with dev_name(), dev_set_name()")
Cc: stable <stable@kernel.org>
Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Co-developed-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
Link: https://lore.kernel.org/r/20230401200327.16800-1-gregkh@linuxfoundation.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
memstick: r592: Fix UAF bug in r592_remove due to race condition 2023-03-23T10:30:19+00:00 Zheng Wang zyytlz.wz@163.com 2023-03-07T16:43:38+00:00 63264422785021704c39b38f65a78ab9e4a186d7 In r592_probe, dev->detect_timer was bound with r592_detect_timer. In r592_irq function, the timer function will be invoked by mod_timer. If we remove the module which will call hantro_release to make cleanup, there may be a unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. Fix it by canceling the work before cleanup in r592_remove. CPU0 CPU1 |r592_detect_timer r592_remove | memstick_free_host| put_device; | kfree(host); | | | queue_work | &host->media_checker //use Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> 
In r592_probe, dev->detect_timer was bound with r592_detect_timer.
In r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module which will call hantro_release to make cleanup,
there may be a unfinished work. The possible sequence is as follows,
which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.

CPU0                  CPU1

                    |r592_detect_timer
r592_remove         |
  memstick_free_host|
  put_device;       |
  kfree(host);      |
                    |
                    | queue_work
                    |   &host->media_checker //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>