There are no other files referencing this function, apparently
it was left global to avoid an 'unused function' warning when
the only caller is left out. With a 'W=1' build, it causes
a 'missing prototype' warning though:
drivers/memstick/host/r592.c:47:13: error: no previous prototype for 'memstick_debug_get_tpc_name' [-Werror=missing-prototypes]
Annotate the function as 'static __maybe_unused' to avoid both
problems.
Fixes: 9263412501 ("memstick: add driver for Ricoh R5C592 card reader")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20230516202714.560929-1-arnd@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Merge the mmc fixes for v6.3-rc[n] into the next branch, to allow them to
get tested together with the new mmc changes that are targeted for v6.4.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
In r592_probe, dev->detect_timer was bound with r592_detect_timer.
In r592_irq function, the timer function will be invoked by mod_timer.
If we remove the module which will call hantro_release to make cleanup,
there may be a unfinished work. The possible sequence is as follows,
which will cause a typical UAF bug.
Fix it by canceling the work before cleanup in r592_remove.
CPU0 CPU1
|r592_detect_timer
r592_remove |
memstick_free_host|
put_device; |
kfree(host); |
|
| queue_work
| &host->media_checker //use
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Pull MMC updates from Ulf Hansson:
"MMC core:
- Extend slot-gpio to be used for host specific card detect interrupts
- Align to common busy polling behaviour for mmc ioctls
- Suggest the BFQ I/O scheduler to be built along with MMC/SD support
- Add devm_mmc_alloc_host() to enable further cleanups in host drivers
MMC host:
- atmel-mci: Fix race condition when stopping/starting a command
- dw_mmc-starfive: Add new driver to support the StarFive JH7110 variant
- dw_mmc-rockchip: Add support for the RK3588 variant
- jz4740: Add support for the vqmmc power supply
- meson-gx: Convert the DT bindings to the dt-schema
- meson-gx: Enable the platform interrupt to be used for card detect
- moxart: Set the supported maximum request/block/segment sizes
- renesas,sdhi: Add support for the RZ/V2M variants
- sdhci: Rework code to drop SDHCI_QUIRK_MISSING_CAPS
- sdhci-esdhc-imx: Improve tuning logic support
- sdhci-msm: Add support for the IPQ5332 and the IPQ9574 variants
- sdhci-of-dwcmshc: Add the missing device table IDs for acpi
- sdhci-of-dwcmshc: Improve clock support for the Rockchip variant
- sdhci-of-dwcmshc: Enable support of V4 host for the BlueField-3 variant
- sdhci-pxav2: Add support for the PXA168 V1 variant
- sdhci-pxav2: Add support for SDIO IRQs for the PXA168 V1 variant
- uniphier-sd: Add support for SD UHS-I speed modes"
* tag 'mmc-v6.3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (59 commits)
mmc: meson-gx: Use devm_platform_get_and_ioremap_resource()
mmc: meson-gx: constify member data of struct meson_host
mmc: meson-gx: use devm_clk_get_enabled() for core clock
mmc: core: fix return value check in devm_mmc_alloc_host()
dt-bindings: mmc: meson-gx: fix interrupt binding
mmc: meson-gx: support platform interrupt as card detect interrupt
dt-bindings: mmc: meson-gx: support specifying cd interrupt
mmc: core: support setting card detect interrupt from drivers
mmc: starfive: Add sdio/emmc driver support
dt-bindings: mmc: Add StarFive MMC module
dt-bindings: mmc: sdhci-msm: Allow 1 icc path
dt-bindings: mmc: rockchip-dw-mshc: Add RK3588 compatible string
mmc: core: Align to common busy polling behaviour for mmc ioctls
dt-bindings: mmc: Add resets property to cadence SDHCI binding
mmc: meson-gx: remove meson_mmc_get_cd
mmc: moxart: set maximum request/block/segment sizes
mmc: sdhci-brcmstb: Use devm_platform_get_and_ioremap_resource()
mmc: sdhci-of-dwcmshc: add the missing device table IDs for acpi
mmc: sdhci-of-dwcmshc: Update DLL and pre-change delay for rockchip platform
mmc: jz4740: Add support for vqmmc power supply
...
Pull MMC updates from Ulf Hansson:
"MMC core:
- Add support for the asynchronous SDIO wakeup interrupts
- Skip redundant evaluation of eMMC HS400 caps when no-MMC-cap
- Add support to store error stats from host drivers
- Extend debugfs to show error stats from host drivers
- Add single I/O read support in the recovery path for 4k sector cards
MMC host:
- dw_mmc-exynos: Convert corresponding DT bindings to the dtschema
- dw_mmc-rockchip: Add support for the Rockchip RV1126 variant
- mmc_spi: Convert corresponding DT bindings to the dtschema
- mtk-sd: Extend support for interrupts/pinctrls for SDIO low-power mode
- mtk-sd: Add support for SDIO wake irqs
- mtk-sd: Add support for the Mediatek MT8188 variant
- renesas_sdhi: Drop redundant manual tap correction for newer SoCs
- renesas_sdhi: Add support for the R-Car S4-8 and generic Gen4 variants
- sdhci/cqhci: Add support to capture stats from host errors
- sdhci-brcmstb: Add ability to increase max clock rate for SDIO on 72116b0
- sdhci-msm: Add support for the MSM8998 and SM8450 variant
- sdhci-of-at91: Fixup UHS-I mode by rewriting of MC1R
- sdhci-of-dwcmshc: Add support for the Rockchip rk3588 variant
- sdhci-of-dwcmshc: Enable reset support for the Rockchip variants
- sdhci-pci-gli: Improve I/O read/write performance for GL9763E
- sdhci-s3c: Convert corresponding DT bindings to the dtschema
- tmio: Avoid glitches when resetting
MEMSTICK core:
- A couple of minor fixes and cleanups"
* tag 'mmc-v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (61 commits)
mmc: mediatek: add support for SDIO eint wakup IRQ
mmc: core: Add support for SDIO wakeup interrupt
dt-bindings: mmc: mtk-sd: extend interrupts and pinctrls properties
dt-bindings: mmc: rockchip-dw-mshc: Document Rockchip RV1126
mmc: renesas_sdhi: newer SoCs don't need manual tap correction
mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
mmc: cavium-octeon: Add of_node_put() when breaking out of loop
mmc: core: quirks: Add of_node_put() when breaking out of loop
mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
dt-bindings: mmc: sdhci-msm: Document the SM8450 compatible
mmc: sdhci-msm: drop redundant of_device_id entries
dt-bindings: mmc: sdhci-msm: add MSM8998
mmc: block: Add single read for 4k sector cards
mmc: mxcmmc: Use mmc_card_sdio macro
mmc: core: Use mmc_card_* macro and add a new for the sd_combo type
dt-bindings: mmc: sdhci-msm: constrain reg-names per variants
dt-bindings: mmc: sdhci-msm: fix reg-names entries
dt-bindings: mmc: Add compatible for MediaTek MT8188
dt-bindings: mmc: sdhci-msm: document resets
mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
...
Set the queue dying flag and call blk_mq_exit_queue from del_gendisk for
all disks that do not have separately allocated queues, and thus remove
the need to call blk_cleanup_queue for them.
Rename blk_cleanup_disk to blk_mq_destroy_queue to make it clear that
this function is intended only for separately allocated blk-mq queues.
This saves an extra queue freeze for devices without a separately
allocated queue.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Link: https://lore.kernel.org/r/20220619060552.1850436-6-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
The "msh" pointer is device managed, meaning that memstick_alloc_host()
calls device_initialize() on it. That means that it can't be free
using kfree() but must instead be freed with memstick_free_host().
Otherwise it leads to a tiny memory leak of device resources.
Fixes: 60fdd931d5 ("memstick: add support for JMicron jmb38x MemoryStick host controller")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211011123912.GD15188@kili
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
clang-14 complains about a sanity check that always passes when the
page size is 64KB or larger:
drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
if (msb->page_size > PAGE_SIZE) {
~~~~~~~~~~~~~~ ^ ~~~~~~~~~
This is fine, it will still work on all architectures, so just shut
up that warning with a cast.
Fixes: 0ab30494bc ("memstick: add support for legacy memorysticks")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
As noted in the "Deprecated Interfaces, Language Features, Attributes,
and Conventions" documentation [1], size calculations (especially
multiplication) should not be performed in memory allocator (or similar)
function arguments due to the risk of them overflowing. This could lead
to values wrapping around and a smaller allocation being made than the
caller was expecting. Using those allocations could lead to linear
overflows of heap memory and other misbehaviors.
So, use the struct_size() helper to do the arithmetic instead of the
argument "size + count * size" in the kzalloc() function.
[1] https://www.kernel.org/doc/html/v5.14/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Signed-off-by: Len Baker <len.baker@gmx.com>
Link: https://lore.kernel.org/r/20210911131933.2089-1-len.baker@gmx.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
We never checked for errors on add_disk() as this function returned void.
Now that this is fixed, use the shiny new error handling.
Contrary to the typical removal which delays the put_disk() until later,
since we are failing on a probe we immediately put the disk on failure from
add_disk by using blk_cleanup_disk().
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/20210902174105.2418771-4-mcgrof@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
We never checked for errors on add_disk() as this function returned void.
Now that this is fixed, use the shiny new error handling.
Contrary to the typical removal which delays the put_disk() until later,
since we are failing on a probe we immediately put the disk on failure from
add_disk by using blk_cleanup_disk().
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/20210902174105.2418771-3-mcgrof@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Pull driver core updates from Greg KH:
"Here is the big set of driver core patches for 5.15-rc1.
These do change a number of different things across different
subsystems, and because of that, there were 2 stable tags created that
might have already come into your tree from different pulls that did
the following
- changed the bus remove callback to return void
- sysfs iomem_get_mapping rework
Other than those two things, there's only a few small things in here:
- kernfs performance improvements for huge numbers of sysfs users at
once
- tiny api cleanups
- other minor changes
All of these have been in linux-next for a while with no reported
problems, other than the before-mentioned merge issue"
* tag 'driver-core-5.15-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (33 commits)
MAINTAINERS: Add dri-devel for component.[hc]
driver core: platform: Remove platform_device_add_properties()
ARM: tegra: paz00: Handle device properties with software node API
bitmap: extend comment to bitmap_print_bitmask/list_to_buf
drivers/base/node.c: use bin_attribute to break the size limitation of cpumap ABI
topology: use bin_attribute to break the size limitation of cpumap ABI
lib: test_bitmap: add bitmap_print_bitmask/list_to_buf test cases
cpumask: introduce cpumap_print_list/bitmask_to_buf to support large bitmask and list
sysfs: Rename struct bin_attribute member to f_mapping
sysfs: Invoke iomem_get_mapping() from the sysfs open callback
debugfs: Return error during {full/open}_proxy_open() on rmmod
zorro: Drop useless (and hardly used) .driver member in struct zorro_dev
zorro: Simplify remove callback
sh: superhyway: Simplify check in remove callback
nubus: Simplify check in remove callback
nubus: Make struct nubus_driver::remove return void
kernfs: dont call d_splice_alias() under kernfs node lock
kernfs: use i_lock to protect concurrent inode updates
kernfs: switch kernfs to use an rwsem
kernfs: use VFS negative dentry caching
...
This patch fixes the following issues:
1. memstick_free_host() will free the host, so the use of ms_dev(host) after
it will be a problem. To fix this, move memstick_free_host() after when we
are done with ms_dev(host).
2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove
and free host otherwise memstick_check will be called and UAF will
happen.
[ 11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[ 11.357077] rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[ 11.357376] platform_remove+0x2a/0x50
[ 11.367531] Freed by task 298:
[ 11.368537] kfree+0xa4/0x2a0
[ 11.368711] device_release+0x51/0xe0
[ 11.368905] kobject_put+0xa2/0x120
[ 11.369090] rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
[ 11.369386] platform_remove+0x2a/0x50
[ 12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
[ 12.045432] mutex_lock+0xc9/0xd0
[ 12.046080] memstick_check+0x6a/0x578 [memstick]
[ 12.046509] process_one_work+0x46d/0x750
[ 12.052107] Freed by task 297:
[ 12.053115] kfree+0xa4/0x2a0
[ 12.053272] device_release+0x51/0xe0
[ 12.053463] kobject_put+0xa2/0x120
[ 12.053647] rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
[ 12.053939] platform_remove+0x2a/0x50
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
A minor cleanup to address a clang warning removed an assigned
but unused local variable, but this now caused a gcc warning as
kfifo_out() is annotated to require checking its return code:
In file included from drivers/memstick/host/r592.h:13,
from drivers/memstick/host/r592.c:21:
drivers/memstick/host/r592.c: In function 'r592_flush_fifo_write':
include/linux/kfifo.h:588:1: error: ignoring return value of '__kfifo_uint_must_check_helper' declared with attribute 'warn_unused_result' [-Werror=unused-result]
588 | __kfifo_uint_must_check_helper( \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
589 | ({ \
| ~~~~
590 | typeof((fifo) + 1) __tmp = (fifo); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
591 | typeof(__tmp->ptr) __buf = (buf); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
592 | unsigned long __n = (n); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
593 | const size_t __recsize = sizeof(*__tmp->rectype); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
594 | struct __kfifo *__kfifo = &__tmp->kfifo; \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
595 | (__recsize) ?\
| ~~~~~~~~~~~~~~
596 | __kfifo_out_r(__kfifo, __buf, __n, __recsize) : \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
597 | __kfifo_out(__kfifo, __buf, __n); \
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
598 | }) \
| ~~~~
599 | )
| ~
drivers/memstick/host/r592.c:367:9: note: in expansion of macro 'kfifo_out'
367 | kfifo_out(&dev->pio_fifo, buffer, 4);
| ^~~~~~~~~
The value was never checked here, and the purpose of the function
is only to flush the contents, so restore the old behavior but
add a cast to void and a comment, which hopefully warns with neither
gcc nor clang now.
If anyone has an idea for how to fix it without ignoring the return
code, that is probably better.
Fixes: 4b00ed3c50 ("memstick: r592: remove unused variable")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20210421135215.3414589-1-arnd@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Pull MMC updates from Ulf Hansson:
"MMC core:
- Add a new host cap bit and a corresponding DT property, to support
power cycling of the card by FW at system suspend/resume.
- Fix clock rate setting for SDIO in SDR12/SDR25 speed-mode
- Fix switch to 1/4-bit mode at system suspend/resume for SD-combo
cards
- Convert the mmc-pwrseq DT bindings to the json-schema
- Always allow the card detect uevent to be consumed by userspace
MMC host controllers:
- Convert a few DT bindings to the json-schema
- mtk-sd:
- Add support for command queue through cqhci
- Add support for the MT6779 variant
- renesas_sdhi_internal_dmac:
- Fix dma unmapping in the error path
- sdhci_am654:
- Add support for the AM65x PG2.0 variant
- Extend support for phys/clocks
- sdhci-cadence:
- Drop incorrect HW tuning for SD mode
- sdhci-msm:
- Add support for interconnect bandwidth scaling
- Enable internal voltage control
- Enable low power state for pinctrls
- sdhci-of-at91:
- Ludovic Desroches handovers maintenance to Eugen Hristev
- sdhci-pci-gli:
- Improve clock handling for GL975x
- sdhci-pci-o2micro:
- Add HW tuning for SDR104 mode
- Fix support for O2 host controller Seabird1"
* tag 'mmc-v5.9' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (66 commits)
mmc: mediatek: make function msdc_cqe_disable() static
MAINTAINERS: mmc: sdhci-of-at91: handover maintenance to Eugen Hristev
dt-bindings: mmc: mediatek: Add document for mt6779
mmc: mediatek: command queue support
mmc: mediatek: refine msdc timeout api
mmc: mediatek: add MT6779 MMC driver support
mmc: sdhci-pci-o2micro: Add HW tuning for SDR104 mode
mmc: sdhci-pci-o2micro: Bug fix for O2 host controller Seabird1
mmc: via-sdmmc: use generic power management
memstick: jmb38x_ms: use generic power management
mmc: sdhci-cadence: do not use hardware tuning for SD mode
mmc: sdhci-pci-gli: Set SDR104's clock to 205MHz and enable SSC for GL975x
mmc: cqhci: Fix a print format for the task descriptor
mmc: sdhci-of-arasan: fix timings allocation code
mmc: sdhci: Fix a potential uninitialized variable
dt-bindings: mmc: renesas,sdhi: convert to YAML
dt-bindings: mmc: convert arasan sdhci bindings to yaml
mmc: sdhci: Fix potential null pointer access while accessing vqmmc
mmc: core: Add MMC_CAP2_FULL_PWR_CYCLE_IN_SUSPEND
dt-bindings: mmc: Add full-pwr-cycle-in-suspend property
...
