--- /dev/null
+From 94ee12b507db8b5876e31c9d6c9d84f556a4b49f Mon Sep 17 00:00:00 2001
+From: Michael Clark <michaeljclark@mac.com>
+Date: Mon, 11 Feb 2019 17:38:29 +1300
+Subject: MIPS: fix truncation in __cmpxchg_small for short values
+
+From: Michael Clark <michaeljclark@mac.com>
+
+commit 94ee12b507db8b5876e31c9d6c9d84f556a4b49f upstream.
+
+__cmpxchg_small erroneously uses u8 for load comparison which can
+be either char or short. This patch changes the local variable to
+u32 which is sufficiently sized, as the loaded value is already
+masked and shifted appropriately. Using an integer size avoids
+any unnecessary canonicalization from use of non native widths.
+
+This patch is part of a series that adapts the MIPS small word
+atomics code for xchg and cmpxchg on short and char to RISC-V.
+
+Cc: RISC-V Patches <patches@groups.riscv.org>
+Cc: Linux RISC-V <linux-riscv@lists.infradead.org>
+Cc: Linux MIPS <linux-mips@linux-mips.org>
+Signed-off-by: Michael Clark <michaeljclark@mac.com>
+[paul.burton@mips.com:
+ - Fix varialble typo per Jonas Gorski.
+ - Consolidate load variable with other declarations.]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Fixes: 3ba7f44d2b19 ("MIPS: cmpxchg: Implement 1 byte & 2 byte cmpxchg()")
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/cmpxchg.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/cmpxchg.c
++++ b/arch/mips/kernel/cmpxchg.c
+@@ -54,10 +54,9 @@ unsigned long __xchg_small(volatile void
+ unsigned long __cmpxchg_small(volatile void *ptr, unsigned long old,
+ unsigned long new, unsigned int size)
+ {
+- u32 mask, old32, new32, load32;
++ u32 mask, old32, new32, load32, load;
+ volatile u32 *ptr32;
+ unsigned int shift;
+- u8 load;
+
+ /* Check that ptr is naturally aligned */
+ WARN_ON((unsigned long)ptr & (size - 1));
--- /dev/null
+From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 27 Feb 2019 21:29:52 +0100
+Subject: mm: enforce min addr even if capable() in expand_downwards()
+
+From: Jann Horn <jannh@google.com>
+
+commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream.
+
+security_mmap_addr() does a capability check with current_cred(), but
+we can reach this code from contexts like a VFS write handler where
+current_cred() must not be used.
+
+This can be abused on systems without SMAP to make NULL pointer
+dereferences exploitable again.
+
+Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mmap.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -2348,12 +2348,11 @@ int expand_downwards(struct vm_area_stru
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ struct vm_area_struct *prev;
+- int error;
++ int error = 0;
+
+ address &= PAGE_MASK;
+- error = security_mmap_addr(address);
+- if (error)
+- return error;
++ if (address < mmap_min_addr)
++ return -EPERM;
+
+ /* Enforce stack_guard_gap */
+ prev = vma->vm_prev;
--- /dev/null
+From e30be063d6dbcc0f18b1eb25fa709fdef89201fb Mon Sep 17 00:00:00 2001
+From: BOUGH CHEN <haibo.chen@nxp.com>
+Date: Thu, 28 Feb 2019 10:15:42 +0000
+Subject: mmc: sdhci-esdhc-imx: correct the fix of ERR004536
+
+From: BOUGH CHEN <haibo.chen@nxp.com>
+
+commit e30be063d6dbcc0f18b1eb25fa709fdef89201fb upstream.
+
+Commit 18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length
+Mismatch errata fix") involve the fix of ERR004536, but the
+fix is incorrect. Double confirm with IC, need to clear the
+bit 7 of register 0x6c rather than set this bit 7.
+Here is the definition of bit 7 of 0x6c:
+ 0: enable the new IC fix for ERR004536
+ 1: do not use the IC fix, keep the same as before
+
+Find this issue on i.MX845s-evk board when enable CMDQ, and
+let system in heavy loading.
+
+root@imx8mmevk:~# dd if=/dev/mmcblk2 of=/dev/null bs=1M &
+root@imx8mmevk:~# memtester 1000M > /dev/zero &
+root@imx8mmevk:~# [ 139.897220] mmc2: cqhci: timeout for tag 16
+[ 139.901417] mmc2: cqhci: ============ CQHCI REGISTER DUMP ===========
+[ 139.907862] mmc2: cqhci: Caps: 0x0000310a | Version: 0x00000510
+[ 139.914311] mmc2: cqhci: Config: 0x00001001 | Control: 0x00000000
+[ 139.920753] mmc2: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006
+[ 139.927193] mmc2: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000
+[ 139.933634] mmc2: cqhci: TDL base: 0x7809c000 | TDL up32: 0x00000000
+[ 139.940073] mmc2: cqhci: Doorbell: 0x00030000 | TCN: 0x00000000
+[ 139.946518] mmc2: cqhci: Dev queue: 0x00010000 | Dev Pend: 0x00010000
+[ 139.952967] mmc2: cqhci: Task clr: 0x00000000 | SSC1: 0x00011000
+[ 139.959411] mmc2: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000000
+[ 139.965857] mmc2: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000
+[ 139.972308] mmc2: cqhci: Resp idx: 0x0000002e | Resp arg: 0x00000900
+[ 139.978761] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 139.985214] mmc2: sdhci: Sys addr: 0xb2c19000 | Version: 0x00000002
+[ 139.991669] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000400
+[ 139.998127] mmc2: sdhci: Argument: 0x40110400 | Trn mode: 0x00000033
+[ 140.004618] mmc2: sdhci: Present: 0x01088a8f | Host ctl: 0x00000030
+[ 140.011113] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
+[ 140.017583] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000000f
+[ 140.024039] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000
+[ 140.030497] mmc2: sdhci: Int enab: 0x107f4000 | Sig enab: 0x107f4000
+[ 140.036972] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502
+[ 140.043426] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x8000b407
+[ 140.049867] mmc2: sdhci: Cmd: 0x00002c1a | Max curr: 0x00ffffff
+[ 140.056314] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0xffffffff
+[ 140.062755] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00
+[ 140.069195] mmc2: sdhci: Host ctl2: 0x00000008
+[ 140.073640] mmc2: sdhci: ADMA Err: 0x00000007 | ADMA Ptr: 0x7809c108
+[ 140.080079] mmc2: sdhci: ============================================
+[ 140.086662] mmc2: running CQE recovery
+
+Fixes: 18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length Mismatch errata fix")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-esdhc-imx.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc-imx.c
++++ b/drivers/mmc/host/sdhci-esdhc-imx.c
+@@ -1077,11 +1077,12 @@ static void sdhci_esdhc_imx_hwinit(struc
+ writel(readl(host->ioaddr + SDHCI_HOST_CONTROL)
+ | ESDHC_BURST_LEN_EN_INCR,
+ host->ioaddr + SDHCI_HOST_CONTROL);
++
+ /*
+- * erratum ESDHC_FLAG_ERR004536 fix for MX6Q TO1.2 and MX6DL
+- * TO1.1, it's harmless for MX6SL
+- */
+- writel(readl(host->ioaddr + 0x6c) | BIT(7),
++ * erratum ESDHC_FLAG_ERR004536 fix for MX6Q TO1.2 and MX6DL
++ * TO1.1, it's harmless for MX6SL
++ */
++ writel(readl(host->ioaddr + 0x6c) & ~BIT(7),
+ host->ioaddr + 0x6c);
+
+ /* disable DLL_CTRL delay line settings */
--- /dev/null
+From c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= <j.neuschaefer@gmx.net>
+Date: Sun, 10 Feb 2019 18:31:07 +0100
+Subject: mmc: spi: Fix card detection during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+
+commit c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 upstream.
+
+When using the mmc_spi driver with a card-detect pin, I noticed that the
+card was not detected immediately after probe, but only after it was
+unplugged and plugged back in (and the CD IRQ fired).
+
+The call tree looks something like this:
+
+mmc_spi_probe
+ mmc_add_host
+ mmc_start_host
+ _mmc_detect_change
+ mmc_schedule_delayed_work(&host->detect, 0)
+ mmc_rescan
+ host->bus_ops->detect(host)
+ mmc_detect
+ _mmc_detect_card_removed
+ host->ops->get_cd(host)
+ mmc_gpio_get_cd -> -ENOSYS (ctx->cd_gpio not set)
+ mmc_gpiod_request_cd
+ ctx->cd_gpio = desc
+
+To fix this issue, call mmc_detect_change after the card-detect GPIO/IRQ
+is registered.
+
+Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/mmc_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -1447,6 +1447,7 @@ static int mmc_spi_probe(struct spi_devi
+ mmc->caps &= ~MMC_CAP_NEEDS_POLL;
+ mmc_gpiod_request_cd_irq(mmc);
+ }
++ mmc_detect_change(mmc, 0);
+
+ if (host->pdata && host->pdata->flags & MMC_SPI_USE_RO_GPIO) {
+ has_ro = true;
--- /dev/null
+From 5603731a15ef9ca317c122cc8c959f1dee1798b4 Mon Sep 17 00:00:00 2001
+From: Takeshi Saito <takeshi.saito.xv@renesas.com>
+Date: Thu, 21 Feb 2019 20:38:05 +0100
+Subject: mmc: tmio: fix access width of Block Count Register
+
+From: Takeshi Saito <takeshi.saito.xv@renesas.com>
+
+commit 5603731a15ef9ca317c122cc8c959f1dee1798b4 upstream.
+
+In R-Car Gen2 or later, the maximum number of transfer blocks are
+changed from 0xFFFF to 0xFFFFFFFF. Therefore, Block Count Register
+should use iowrite32().
+
+If another system (U-boot, Hypervisor OS, etc) uses bit[31:16], this
+value will not be cleared. So, SD/MMC card initialization fails.
+
+So, check for the bigger register and use apropriate write. Also, mark
+the register as extended on Gen2.
+
+Signed-off-by: Takeshi Saito <takeshi.saito.xv@renesas.com>
+[wsa: use max_blk_count in if(), add Gen2, update commit message]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: stable@kernel.org
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+[Ulf: Fixed build error]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/renesas_sdhi_sys_dmac.c | 1 +
+ drivers/mmc/host/tmio_mmc.h | 5 +++++
+ drivers/mmc/host/tmio_mmc_core.c | 6 +++++-
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_sys_dmac.c
++++ b/drivers/mmc/host/renesas_sdhi_sys_dmac.c
+@@ -68,6 +68,7 @@ static const struct renesas_sdhi_of_data
+ .scc_offset = 0x0300,
+ .taps = rcar_gen2_scc_taps,
+ .taps_num = ARRAY_SIZE(rcar_gen2_scc_taps),
++ .max_blk_count = 0xffffffff,
+ };
+
+ /* Definitions for sampling clocks */
+--- a/drivers/mmc/host/tmio_mmc.h
++++ b/drivers/mmc/host/tmio_mmc.h
+@@ -286,6 +286,11 @@ static inline void sd_ctrl_write32_as_16
+ writew(val >> 16, host->ctl + ((addr + 2) << host->bus_shift));
+ }
+
++static inline void sd_ctrl_write32(struct tmio_mmc_host *host, int addr, u32 val)
++{
++ iowrite32(val, host->ctl + (addr << host->bus_shift));
++}
++
+ static inline void sd_ctrl_write32_rep(struct tmio_mmc_host *host, int addr,
+ const u32 *buf, int count)
+ {
+--- a/drivers/mmc/host/tmio_mmc_core.c
++++ b/drivers/mmc/host/tmio_mmc_core.c
+@@ -46,6 +46,7 @@
+ #include <linux/regulator/consumer.h>
+ #include <linux/mmc/sdio.h>
+ #include <linux/scatterlist.h>
++#include <linux/sizes.h>
+ #include <linux/spinlock.h>
+ #include <linux/swiotlb.h>
+ #include <linux/workqueue.h>
+@@ -761,7 +762,10 @@ static int tmio_mmc_start_data(struct tm
+
+ /* Set transfer length / blocksize */
+ sd_ctrl_write16(host, CTL_SD_XFER_LEN, data->blksz);
+- sd_ctrl_write16(host, CTL_XFER_BLK_COUNT, data->blocks);
++ if (host->mmc->max_blk_count >= SZ_64K)
++ sd_ctrl_write32(host, CTL_XFER_BLK_COUNT, data->blocks);
++ else
++ sd_ctrl_write16(host, CTL_XFER_BLK_COUNT, data->blocks);
+
+ tmio_mmc_start_dma(host, data);
+
--- /dev/null
+From 5c27ff5db1491a947264d6d4e4cbe43ae6535bae Mon Sep 17 00:00:00 2001
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Mon, 18 Feb 2019 20:45:40 +0300
+Subject: mmc: tmio_mmc_core: don't claim spurious interrupts
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+commit 5c27ff5db1491a947264d6d4e4cbe43ae6535bae upstream.
+
+I have encountered an interrupt storm during the eMMC chip probing (and
+the chip finally didn't get detected). It turned out that U-Boot left
+the DMAC interrupts enabled while the Linux driver didn't use those.
+The SDHI driver's interrupt handler somehow assumes that, even if an
+SDIO interrupt didn't happen, it should return IRQ_HANDLED. I think
+that if none of the enabled interrupts happened and got handled, we
+should return IRQ_NONE -- that way the kernel IRQ code recoginizes
+a spurious interrupt and masks it off pretty quickly...
+
+Fixes: 7729c7a232a9 ("mmc: tmio: Provide separate interrupt handlers")
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/tmio_mmc_core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/tmio_mmc_core.c
++++ b/drivers/mmc/host/tmio_mmc_core.c
+@@ -688,7 +688,7 @@ static bool __tmio_mmc_sdcard_irq(struct
+ return false;
+ }
+
+-static void __tmio_mmc_sdio_irq(struct tmio_mmc_host *host)
++static bool __tmio_mmc_sdio_irq(struct tmio_mmc_host *host)
+ {
+ struct mmc_host *mmc = host->mmc;
+ struct tmio_mmc_data *pdata = host->pdata;
+@@ -696,7 +696,7 @@ static void __tmio_mmc_sdio_irq(struct t
+ unsigned int sdio_status;
+
+ if (!(pdata->flags & TMIO_MMC_SDIO_IRQ))
+- return;
++ return false;
+
+ status = sd_ctrl_read16(host, CTL_SDIO_STATUS);
+ ireg = status & TMIO_SDIO_MASK_ALL & ~host->sdio_irq_mask;
+@@ -709,6 +709,8 @@ static void __tmio_mmc_sdio_irq(struct t
+
+ if (mmc->caps & MMC_CAP_SDIO_IRQ && ireg & TMIO_SDIO_STAT_IOIRQ)
+ mmc_signal_sdio_irq(mmc);
++
++ return ireg;
+ }
+
+ irqreturn_t tmio_mmc_irq(int irq, void *devid)
+@@ -727,9 +729,10 @@ irqreturn_t tmio_mmc_irq(int irq, void *
+ if (__tmio_mmc_sdcard_irq(host, ireg, status))
+ return IRQ_HANDLED;
+
+- __tmio_mmc_sdio_irq(host);
++ if (__tmio_mmc_sdio_irq(host))
++ return IRQ_HANDLED;
+
+- return IRQ_HANDLED;
++ return IRQ_NONE;
+ }
+ EXPORT_SYMBOL_GPL(tmio_mmc_irq);
+
svm-fix-avic-incomplete-ipi-emulation.patch
kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
powerpc-always-initialize-input-array-when-calling-epapr_hypercall.patch
+mmc-spi-fix-card-detection-during-probe.patch
+mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch
+mmc-tmio-fix-access-width-of-block-count-register.patch
+mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch
+mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
+mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
