From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 19:10:42 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.191~26 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bdb8f50e2fcaedec09a00e57e23dc4cc251361a7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch stm-class-fix-a-double-free-of-stm_source_device.patch vmci-release-resource-if-the-work-is-already-queued.patch --- diff --git a/queue-4.9/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch b/queue-4.9/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch new file mode 100644 index 00000000000..02ae5fb1664 --- /dev/null +++ b/queue-4.9/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch @@ -0,0 +1,48 @@ +From 72741084d903e65e121c27bd29494d941729d4a1 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 27 Aug 2019 10:10:43 +0200 +Subject: mmc: core: Fix init of SD cards reporting an invalid VDD range + +From: Ulf Hansson + +commit 72741084d903e65e121c27bd29494d941729d4a1 upstream. + +The OCR register defines the supported range of VDD voltages for SD cards. +However, it has turned out that some SD cards reports an invalid voltage +range, for example having bit7 set. + +When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from +the invalid VDD range, this triggers the core to run a power cycle of the +card to try to initialize it at the lowest common supported voltage. +Obviously this fails, since the card can't support it. + +Let's fix this problem, by clearing invalid bits from the read OCR register +for SD cards, before proceeding with the VDD voltage negotiation. + +Cc: stable@vger.kernel.org +Reported-by: Philip Langdale +Signed-off-by: Ulf Hansson +Reviewed-by: Philip Langdale +Tested-by: Philip Langdale +Tested-by: Manuel Presnitz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/sd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -1259,6 +1259,12 @@ int mmc_attach_sd(struct mmc_host *host) + goto err; + } + ++ /* ++ * Some SD cards claims an out of spec VDD voltage range. Let's treat ++ * these bits as being in-valid and especially also bit7. ++ */ ++ ocr &= ~0x7FFF; ++ + rocr = mmc_select_voltage(host, ocr); + + /* diff --git a/queue-4.9/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch b/queue-4.9/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch new file mode 100644 index 00000000000..6a04af05ca1 --- /dev/null +++ b/queue-4.9/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch @@ -0,0 +1,37 @@ +From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Thu, 8 Aug 2019 08:35:40 +0000 +Subject: mmc: sdhci-of-at91: add quirk for broken HS200 + +From: Eugen Hristev + +commit 7871aa60ae0086fe4626abdf5ed13eeddf306c61 upstream. + +HS200 is not implemented in the driver, but the controller claims it +through caps. Remove it via a quirk, to make sure the mmc core do not try +to enable HS200, as it causes the eMMC initialization to fail. + +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Acked-by: Adrian Hunter +Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-at91.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -317,6 +317,9 @@ static int sdhci_at91_probe(struct platf + pm_runtime_set_autosuspend_delay(&pdev->dev, 50); + pm_runtime_use_autosuspend(&pdev->dev); + ++ /* HS200 is broken at this moment */ ++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200; ++ + ret = sdhci_add_host(host); + if (ret) + goto pm_runtime_disable; diff --git a/queue-4.9/series b/queue-4.9/series index dc89c6ab14e..3564b2cf5bd 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -71,3 +71,7 @@ usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.p usb-storage-ums-realtek-whitelist-auto-delink-support.patch ptrace-x86-make-user_64bit_mode-available-to-32-bit-.patch uprobes-x86-fix-detection-of-32-bit-user-mode.patch +mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch +mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch +stm-class-fix-a-double-free-of-stm_source_device.patch +vmci-release-resource-if-the-work-is-already-queued.patch diff --git a/queue-4.9/stm-class-fix-a-double-free-of-stm_source_device.patch b/queue-4.9/stm-class-fix-a-double-free-of-stm_source_device.patch new file mode 100644 index 00000000000..622d63e162c --- /dev/null +++ b/queue-4.9/stm-class-fix-a-double-free-of-stm_source_device.patch @@ -0,0 +1,36 @@ +From 961b6ffe0e2c403b09a8efe4a2e986b3c415391a Mon Sep 17 00:00:00 2001 +From: Ding Xiang +Date: Wed, 21 Aug 2019 10:49:52 +0300 +Subject: stm class: Fix a double free of stm_source_device + +From: Ding Xiang + +commit 961b6ffe0e2c403b09a8efe4a2e986b3c415391a upstream. + +In the error path of stm_source_register_device(), the kfree is +unnecessary, as the put_device() before it ends up calling +stm_source_device_release() to free stm_source_device, leading to +a double free at the outer kfree() call. Remove it. + +Signed-off-by: Ding Xiang +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2fa ("stm class: Introduce an abstraction for System Trace Module devices") +Link: https://lore.kernel.org/linux-arm-kernel/1563354988-23826-1-git-send-email-dingxiang@cmss.chinamobile.com/ +Cc: stable@vger.kernel.org # v4.4+ +Link: https://lore.kernel.org/r/20190821074955.3925-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -1107,7 +1107,6 @@ int stm_source_register_device(struct de + + err: + put_device(&src->dev); +- kfree(src); + + return err; + } diff --git a/queue-4.9/vmci-release-resource-if-the-work-is-already-queued.patch b/queue-4.9/vmci-release-resource-if-the-work-is-already-queued.patch new file mode 100644 index 00000000000..108b4aee153 --- /dev/null +++ b/queue-4.9/vmci-release-resource-if-the-work-is-already-queued.patch @@ -0,0 +1,91 @@ +From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 20 Aug 2019 13:26:38 -0700 +Subject: VMCI: Release resource if the work is already queued + +From: Nadav Amit + +commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream. + +Francois reported that VMware balloon gets stuck after a balloon reset, +when the VMCI doorbell is removed. A similar error can occur when the +balloon driver is removed with the following splat: + +[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds. +[ 1088.622035] Tainted: G W 5.2.0 #4 +[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 1088.622205] modprobe D 0 3565 1450 0x00000000 +[ 1088.622210] Call Trace: +[ 1088.622246] __schedule+0x2a8/0x690 +[ 1088.622248] schedule+0x2d/0x90 +[ 1088.622250] schedule_timeout+0x1d3/0x2f0 +[ 1088.622252] wait_for_completion+0xba/0x140 +[ 1088.622320] ? wake_up_q+0x80/0x80 +[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci] +[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci] +[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon] +[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon] +[ 1088.622394] __x64_sys_delete_module+0x146/0x280 +[ 1088.622408] do_syscall_64+0x5a/0x130 +[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1088.622415] RIP: 0033:0x7f54f62791b7 +[ 1088.622421] Code: Bad RIP value. +[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7 +[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68 +[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000 +[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68 +[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0 + +The cause for the bug is that when the "delayed" doorbell is invoked, it +takes a reference on the doorbell entry and schedules work that is +supposed to run the appropriate code and drop the doorbell entry +reference. The code ignores the fact that if the work is already queued, +it will not be scheduled to run one more time. As a result one of the +references would not be dropped. When the code waits for the reference +to get to zero, during balloon reset or module removal, it gets stuck. + +Fix it. Drop the reference if schedule_work() indicates that the work is +already queued. + +Note that this bug got more apparent (or apparent at all) due to +commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status"). + +Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.") +Reported-by: Francois Rigault +Cc: Jorgen Hansen +Cc: Adit Ranadive +Cc: Alexios Zavras +Cc: Vishnu DASA +Cc: stable@vger.kernel.org +Signed-off-by: Nadav Amit +Reviewed-by: Vishnu Dasa +Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_doorbell.c ++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c +@@ -318,7 +318,8 @@ int vmci_dbell_host_context_notify(u32 s + + entry = container_of(resource, struct dbell_entry, resource); + if (entry->run_delayed) { +- schedule_work(&entry->work); ++ if (!schedule_work(&entry->work)) ++ vmci_resource_put(resource); + } else { + entry->notify_cb(entry->client_data); + vmci_resource_put(resource); +@@ -366,7 +367,8 @@ static void dbell_fire_entries(u32 notif + atomic_read(&dbell->active) == 1) { + if (dbell->run_delayed) { + vmci_resource_get(&dbell->resource); +- schedule_work(&dbell->work); ++ if (!schedule_work(&dbell->work)) ++ vmci_resource_put(&dbell->resource); + } else { + dbell->notify_cb(dbell->client_data); + }