From: Greg Kroah-Hartman Date: Sat, 2 Mar 2019 08:36:36 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.9.162~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a3e1b7f5b39d9248dc89fd70964358f5f19604e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch mmc-spi-fix-card-detection-during-probe.patch mmc-tmio-fix-access-width-of-block-count-register.patch mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch --- diff --git a/queue-4.14/mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch b/queue-4.14/mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch new file mode 100644 index 00000000000..5cb592e15e0 --- /dev/null +++ b/queue-4.14/mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch @@ -0,0 +1,48 @@ +From 94ee12b507db8b5876e31c9d6c9d84f556a4b49f Mon Sep 17 00:00:00 2001 +From: Michael Clark +Date: Mon, 11 Feb 2019 17:38:29 +1300 +Subject: MIPS: fix truncation in __cmpxchg_small for short values + +From: Michael Clark + +commit 94ee12b507db8b5876e31c9d6c9d84f556a4b49f upstream. + +__cmpxchg_small erroneously uses u8 for load comparison which can +be either char or short. This patch changes the local variable to +u32 which is sufficiently sized, as the loaded value is already +masked and shifted appropriately. Using an integer size avoids +any unnecessary canonicalization from use of non native widths. + +This patch is part of a series that adapts the MIPS small word +atomics code for xchg and cmpxchg on short and char to RISC-V. + +Cc: RISC-V Patches +Cc: Linux RISC-V +Cc: Linux MIPS +Signed-off-by: Michael Clark +[paul.burton@mips.com: + - Fix varialble typo per Jonas Gorski. + - Consolidate load variable with other declarations.] +Signed-off-by: Paul Burton +Fixes: 3ba7f44d2b19 ("MIPS: cmpxchg: Implement 1 byte & 2 byte cmpxchg()") +Cc: stable@vger.kernel.org # v4.13+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cmpxchg.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/mips/kernel/cmpxchg.c ++++ b/arch/mips/kernel/cmpxchg.c +@@ -54,10 +54,9 @@ unsigned long __xchg_small(volatile void + unsigned long __cmpxchg_small(volatile void *ptr, unsigned long old, + unsigned long new, unsigned int size) + { +- u32 mask, old32, new32, load32; ++ u32 mask, old32, new32, load32, load; + volatile u32 *ptr32; + unsigned int shift; +- u8 load; + + /* Check that ptr is naturally aligned */ + WARN_ON((unsigned long)ptr & (size - 1)); diff --git a/queue-4.14/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch b/queue-4.14/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch new file mode 100644 index 00000000000..d0ac24d92fe --- /dev/null +++ b/queue-4.14/mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch @@ -0,0 +1,44 @@ +From 0a1d52994d440e21def1c2174932410b4f2a98a1 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 27 Feb 2019 21:29:52 +0100 +Subject: mm: enforce min addr even if capable() in expand_downwards() + +From: Jann Horn + +commit 0a1d52994d440e21def1c2174932410b4f2a98a1 upstream. + +security_mmap_addr() does a capability check with current_cred(), but +we can reach this code from contexts like a VFS write handler where +current_cred() must not be used. + +This can be abused on systems without SMAP to make NULL pointer +dereferences exploitable again. + +Fixes: 8869477a49c3 ("security: protect from stack expansion into low vm addresses") +Cc: stable@kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mmap.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2348,12 +2348,11 @@ int expand_downwards(struct vm_area_stru + { + struct mm_struct *mm = vma->vm_mm; + struct vm_area_struct *prev; +- int error; ++ int error = 0; + + address &= PAGE_MASK; +- error = security_mmap_addr(address); +- if (error) +- return error; ++ if (address < mmap_min_addr) ++ return -EPERM; + + /* Enforce stack_guard_gap */ + prev = vma->vm_prev; diff --git a/queue-4.14/mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch b/queue-4.14/mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch new file mode 100644 index 00000000000..94f026971b2 --- /dev/null +++ b/queue-4.14/mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch @@ -0,0 +1,83 @@ +From e30be063d6dbcc0f18b1eb25fa709fdef89201fb Mon Sep 17 00:00:00 2001 +From: BOUGH CHEN +Date: Thu, 28 Feb 2019 10:15:42 +0000 +Subject: mmc: sdhci-esdhc-imx: correct the fix of ERR004536 + +From: BOUGH CHEN + +commit e30be063d6dbcc0f18b1eb25fa709fdef89201fb upstream. + +Commit 18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length +Mismatch errata fix") involve the fix of ERR004536, but the +fix is incorrect. Double confirm with IC, need to clear the +bit 7 of register 0x6c rather than set this bit 7. +Here is the definition of bit 7 of 0x6c: + 0: enable the new IC fix for ERR004536 + 1: do not use the IC fix, keep the same as before + +Find this issue on i.MX845s-evk board when enable CMDQ, and +let system in heavy loading. + +root@imx8mmevk:~# dd if=/dev/mmcblk2 of=/dev/null bs=1M & +root@imx8mmevk:~# memtester 1000M > /dev/zero & +root@imx8mmevk:~# [ 139.897220] mmc2: cqhci: timeout for tag 16 +[ 139.901417] mmc2: cqhci: ============ CQHCI REGISTER DUMP =========== +[ 139.907862] mmc2: cqhci: Caps: 0x0000310a | Version: 0x00000510 +[ 139.914311] mmc2: cqhci: Config: 0x00001001 | Control: 0x00000000 +[ 139.920753] mmc2: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006 +[ 139.927193] mmc2: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000 +[ 139.933634] mmc2: cqhci: TDL base: 0x7809c000 | TDL up32: 0x00000000 +[ 139.940073] mmc2: cqhci: Doorbell: 0x00030000 | TCN: 0x00000000 +[ 139.946518] mmc2: cqhci: Dev queue: 0x00010000 | Dev Pend: 0x00010000 +[ 139.952967] mmc2: cqhci: Task clr: 0x00000000 | SSC1: 0x00011000 +[ 139.959411] mmc2: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000000 +[ 139.965857] mmc2: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000 +[ 139.972308] mmc2: cqhci: Resp idx: 0x0000002e | Resp arg: 0x00000900 +[ 139.978761] mmc2: sdhci: ============ SDHCI REGISTER DUMP =========== +[ 139.985214] mmc2: sdhci: Sys addr: 0xb2c19000 | Version: 0x00000002 +[ 139.991669] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000400 +[ 139.998127] mmc2: sdhci: Argument: 0x40110400 | Trn mode: 0x00000033 +[ 140.004618] mmc2: sdhci: Present: 0x01088a8f | Host ctl: 0x00000030 +[ 140.011113] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080 +[ 140.017583] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000000f +[ 140.024039] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000 +[ 140.030497] mmc2: sdhci: Int enab: 0x107f4000 | Sig enab: 0x107f4000 +[ 140.036972] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502 +[ 140.043426] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x8000b407 +[ 140.049867] mmc2: sdhci: Cmd: 0x00002c1a | Max curr: 0x00ffffff +[ 140.056314] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0xffffffff +[ 140.062755] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00 +[ 140.069195] mmc2: sdhci: Host ctl2: 0x00000008 +[ 140.073640] mmc2: sdhci: ADMA Err: 0x00000007 | ADMA Ptr: 0x7809c108 +[ 140.080079] mmc2: sdhci: ============================================ +[ 140.086662] mmc2: running CQE recovery + +Fixes: 18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length Mismatch errata fix") +Signed-off-by: Haibo Chen +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-esdhc-imx.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/sdhci-esdhc-imx.c ++++ b/drivers/mmc/host/sdhci-esdhc-imx.c +@@ -1077,11 +1077,12 @@ static void sdhci_esdhc_imx_hwinit(struc + writel(readl(host->ioaddr + SDHCI_HOST_CONTROL) + | ESDHC_BURST_LEN_EN_INCR, + host->ioaddr + SDHCI_HOST_CONTROL); ++ + /* +- * erratum ESDHC_FLAG_ERR004536 fix for MX6Q TO1.2 and MX6DL +- * TO1.1, it's harmless for MX6SL +- */ +- writel(readl(host->ioaddr + 0x6c) | BIT(7), ++ * erratum ESDHC_FLAG_ERR004536 fix for MX6Q TO1.2 and MX6DL ++ * TO1.1, it's harmless for MX6SL ++ */ ++ writel(readl(host->ioaddr + 0x6c) & ~BIT(7), + host->ioaddr + 0x6c); + + /* disable DLL_CTRL delay line settings */ diff --git a/queue-4.14/mmc-spi-fix-card-detection-during-probe.patch b/queue-4.14/mmc-spi-fix-card-detection-during-probe.patch new file mode 100644 index 00000000000..817d1c746f2 --- /dev/null +++ b/queue-4.14/mmc-spi-fix-card-detection-during-probe.patch @@ -0,0 +1,55 @@ +From c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonathan=20Neusch=C3=A4fer?= +Date: Sun, 10 Feb 2019 18:31:07 +0100 +Subject: mmc: spi: Fix card detection during probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonathan Neuschäfer + +commit c9bd505dbd9d3dc80c496f88eafe70affdcf1ba6 upstream. + +When using the mmc_spi driver with a card-detect pin, I noticed that the +card was not detected immediately after probe, but only after it was +unplugged and plugged back in (and the CD IRQ fired). + +The call tree looks something like this: + +mmc_spi_probe + mmc_add_host + mmc_start_host + _mmc_detect_change + mmc_schedule_delayed_work(&host->detect, 0) + mmc_rescan + host->bus_ops->detect(host) + mmc_detect + _mmc_detect_card_removed + host->ops->get_cd(host) + mmc_gpio_get_cd -> -ENOSYS (ctx->cd_gpio not set) + mmc_gpiod_request_cd + ctx->cd_gpio = desc + +To fix this issue, call mmc_detect_change after the card-detect GPIO/IRQ +is registered. + +Signed-off-by: Jonathan Neuschäfer +Reviewed-by: Linus Walleij +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/mmc_spi.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/mmc_spi.c ++++ b/drivers/mmc/host/mmc_spi.c +@@ -1447,6 +1447,7 @@ static int mmc_spi_probe(struct spi_devi + mmc->caps &= ~MMC_CAP_NEEDS_POLL; + mmc_gpiod_request_cd_irq(mmc); + } ++ mmc_detect_change(mmc, 0); + + if (host->pdata && host->pdata->flags & MMC_SPI_USE_RO_GPIO) { + has_ro = true; diff --git a/queue-4.14/mmc-tmio-fix-access-width-of-block-count-register.patch b/queue-4.14/mmc-tmio-fix-access-width-of-block-count-register.patch new file mode 100644 index 00000000000..1de30c79753 --- /dev/null +++ b/queue-4.14/mmc-tmio-fix-access-width-of-block-count-register.patch @@ -0,0 +1,80 @@ +From 5603731a15ef9ca317c122cc8c959f1dee1798b4 Mon Sep 17 00:00:00 2001 +From: Takeshi Saito +Date: Thu, 21 Feb 2019 20:38:05 +0100 +Subject: mmc: tmio: fix access width of Block Count Register + +From: Takeshi Saito + +commit 5603731a15ef9ca317c122cc8c959f1dee1798b4 upstream. + +In R-Car Gen2 or later, the maximum number of transfer blocks are +changed from 0xFFFF to 0xFFFFFFFF. Therefore, Block Count Register +should use iowrite32(). + +If another system (U-boot, Hypervisor OS, etc) uses bit[31:16], this +value will not be cleared. So, SD/MMC card initialization fails. + +So, check for the bigger register and use apropriate write. Also, mark +the register as extended on Gen2. + +Signed-off-by: Takeshi Saito +[wsa: use max_blk_count in if(), add Gen2, update commit message] +Signed-off-by: Wolfram Sang +Cc: stable@kernel.org +Reviewed-by: Simon Horman +[Ulf: Fixed build error] +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/renesas_sdhi_sys_dmac.c | 1 + + drivers/mmc/host/tmio_mmc.h | 5 +++++ + drivers/mmc/host/tmio_mmc_core.c | 6 +++++- + 3 files changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/renesas_sdhi_sys_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_sys_dmac.c +@@ -68,6 +68,7 @@ static const struct renesas_sdhi_of_data + .scc_offset = 0x0300, + .taps = rcar_gen2_scc_taps, + .taps_num = ARRAY_SIZE(rcar_gen2_scc_taps), ++ .max_blk_count = 0xffffffff, + }; + + /* Definitions for sampling clocks */ +--- a/drivers/mmc/host/tmio_mmc.h ++++ b/drivers/mmc/host/tmio_mmc.h +@@ -286,6 +286,11 @@ static inline void sd_ctrl_write32_as_16 + writew(val >> 16, host->ctl + ((addr + 2) << host->bus_shift)); + } + ++static inline void sd_ctrl_write32(struct tmio_mmc_host *host, int addr, u32 val) ++{ ++ iowrite32(val, host->ctl + (addr << host->bus_shift)); ++} ++ + static inline void sd_ctrl_write32_rep(struct tmio_mmc_host *host, int addr, + const u32 *buf, int count) + { +--- a/drivers/mmc/host/tmio_mmc_core.c ++++ b/drivers/mmc/host/tmio_mmc_core.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -761,7 +762,10 @@ static int tmio_mmc_start_data(struct tm + + /* Set transfer length / blocksize */ + sd_ctrl_write16(host, CTL_SD_XFER_LEN, data->blksz); +- sd_ctrl_write16(host, CTL_XFER_BLK_COUNT, data->blocks); ++ if (host->mmc->max_blk_count >= SZ_64K) ++ sd_ctrl_write32(host, CTL_XFER_BLK_COUNT, data->blocks); ++ else ++ sd_ctrl_write16(host, CTL_XFER_BLK_COUNT, data->blocks); + + tmio_mmc_start_dma(host, data); + diff --git a/queue-4.14/mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch b/queue-4.14/mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch new file mode 100644 index 00000000000..751235e45ea --- /dev/null +++ b/queue-4.14/mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch @@ -0,0 +1,73 @@ +From 5c27ff5db1491a947264d6d4e4cbe43ae6535bae Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Mon, 18 Feb 2019 20:45:40 +0300 +Subject: mmc: tmio_mmc_core: don't claim spurious interrupts + +From: Sergei Shtylyov + +commit 5c27ff5db1491a947264d6d4e4cbe43ae6535bae upstream. + +I have encountered an interrupt storm during the eMMC chip probing (and +the chip finally didn't get detected). It turned out that U-Boot left +the DMAC interrupts enabled while the Linux driver didn't use those. +The SDHI driver's interrupt handler somehow assumes that, even if an +SDIO interrupt didn't happen, it should return IRQ_HANDLED. I think +that if none of the enabled interrupts happened and got handled, we +should return IRQ_NONE -- that way the kernel IRQ code recoginizes +a spurious interrupt and masks it off pretty quickly... + +Fixes: 7729c7a232a9 ("mmc: tmio: Provide separate interrupt handlers") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Wolfram Sang +Tested-by: Wolfram Sang +Reviewed-by: Simon Horman +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/tmio_mmc_core.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/mmc/host/tmio_mmc_core.c ++++ b/drivers/mmc/host/tmio_mmc_core.c +@@ -688,7 +688,7 @@ static bool __tmio_mmc_sdcard_irq(struct + return false; + } + +-static void __tmio_mmc_sdio_irq(struct tmio_mmc_host *host) ++static bool __tmio_mmc_sdio_irq(struct tmio_mmc_host *host) + { + struct mmc_host *mmc = host->mmc; + struct tmio_mmc_data *pdata = host->pdata; +@@ -696,7 +696,7 @@ static void __tmio_mmc_sdio_irq(struct t + unsigned int sdio_status; + + if (!(pdata->flags & TMIO_MMC_SDIO_IRQ)) +- return; ++ return false; + + status = sd_ctrl_read16(host, CTL_SDIO_STATUS); + ireg = status & TMIO_SDIO_MASK_ALL & ~host->sdio_irq_mask; +@@ -709,6 +709,8 @@ static void __tmio_mmc_sdio_irq(struct t + + if (mmc->caps & MMC_CAP_SDIO_IRQ && ireg & TMIO_SDIO_STAT_IOIRQ) + mmc_signal_sdio_irq(mmc); ++ ++ return ireg; + } + + irqreturn_t tmio_mmc_irq(int irq, void *devid) +@@ -727,9 +729,10 @@ irqreturn_t tmio_mmc_irq(int irq, void * + if (__tmio_mmc_sdcard_irq(host, ireg, status)) + return IRQ_HANDLED; + +- __tmio_mmc_sdio_irq(host); ++ if (__tmio_mmc_sdio_irq(host)) ++ return IRQ_HANDLED; + +- return IRQ_HANDLED; ++ return IRQ_NONE; + } + EXPORT_SYMBOL_GPL(tmio_mmc_irq); + diff --git a/queue-4.14/series b/queue-4.14/series index 7c61f40d2bb..9cf1d311499 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -42,3 +42,9 @@ cfg80211-extend-range-deviation-for-dmg.patch svm-fix-avic-incomplete-ipi-emulation.patch kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch powerpc-always-initialize-input-array-when-calling-epapr_hypercall.patch +mmc-spi-fix-card-detection-during-probe.patch +mmc-tmio_mmc_core-don-t-claim-spurious-interrupts.patch +mmc-tmio-fix-access-width-of-block-count-register.patch +mmc-sdhci-esdhc-imx-correct-the-fix-of-err004536.patch +mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch +mips-fix-truncation-in-__cmpxchg_small-for-short-values.patch