From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 19:10:58 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.191~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e61fa550af821192b0c965af8ac0095544d6d017;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch intel_th-pci-add-support-for-another-lewisburg-pch.patch intel_th-pci-add-tiger-lake-support.patch mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch stm-class-fix-a-double-free-of-stm_source_device.patch vmci-release-resource-if-the-work-is-already-queued.patch --- diff --git a/queue-4.14/crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch b/queue-4.14/crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch new file mode 100644 index 00000000000..e3712da4dee --- /dev/null +++ b/queue-4.14/crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch @@ -0,0 +1,48 @@ +From 5871cd93692c8071fb9358daccb715b5081316ac Mon Sep 17 00:00:00 2001 +From: Gary R Hook +Date: Mon, 19 Aug 2019 22:23:27 +0000 +Subject: crypto: ccp - Ignore unconfigured CCP device on suspend/resume + +From: Gary R Hook + +commit 5871cd93692c8071fb9358daccb715b5081316ac upstream. + +If a CCP is unconfigured (e.g. there are no available queues) then +there will be no data structures allocated for the device. Thus, we +must check for validity of a pointer before trying to access structure +members. + +Fixes: 720419f01832f ("crypto: ccp - Introduce the AMD Secure Processor device") +Cc: +Signed-off-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-dev.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/crypto/ccp/ccp-dev.c ++++ b/drivers/crypto/ccp/ccp-dev.c +@@ -540,6 +540,10 @@ int ccp_dev_suspend(struct sp_device *sp + unsigned long flags; + unsigned int i; + ++ /* If there's no device there's nothing to do */ ++ if (!ccp) ++ return 0; ++ + spin_lock_irqsave(&ccp->cmd_lock, flags); + + ccp->suspending = 1; +@@ -564,6 +568,10 @@ int ccp_dev_resume(struct sp_device *sp) + unsigned long flags; + unsigned int i; + ++ /* If there's no device there's nothing to do */ ++ if (!ccp) ++ return 0; ++ + spin_lock_irqsave(&ccp->cmd_lock, flags); + + ccp->suspending = 0; diff --git a/queue-4.14/drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch b/queue-4.14/drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch new file mode 100644 index 00000000000..82ed42629ab --- /dev/null +++ b/queue-4.14/drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch @@ -0,0 +1,69 @@ +From 0a3dfbb5cd9033752639ef33e319c2f2863c713a Mon Sep 17 00:00:00 2001 +From: Xiong Zhang +Date: Tue, 20 Aug 2019 13:46:17 +0800 +Subject: drm/i915: Don't deballoon unused ggtt drm_mm_node in linux guest + +From: Xiong Zhang + +commit 0a3dfbb5cd9033752639ef33e319c2f2863c713a upstream. + +The following call trace may exist in linux guest dmesg when guest i915 +driver is unloaded. +[ 90.776610] [drm:vgt_deballoon_space.isra.0 [i915]] deballoon space: range [0x0 - 0x0] 0 KiB. +[ 90.776621] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0 +[ 90.776691] IP: drm_mm_remove_node+0x4d/0x320 [drm] +[ 90.776718] PGD 800000012c7d0067 P4D 800000012c7d0067 PUD 138e4c067 PMD 0 +[ 90.777091] task: ffff9adab60f2f00 task.stack: ffffaf39c0fe0000 +[ 90.777142] RIP: 0010:drm_mm_remove_node+0x4d/0x320 [drm] +[ 90.777573] Call Trace: +[ 90.777653] intel_vgt_deballoon+0x4c/0x60 [i915] +[ 90.777729] i915_ggtt_cleanup_hw+0x121/0x190 [i915] +[ 90.777792] i915_driver_unload+0x145/0x180 [i915] +[ 90.777856] i915_pci_remove+0x15/0x20 [i915] +[ 90.777890] pci_device_remove+0x3b/0xc0 +[ 90.777916] device_release_driver_internal+0x157/0x220 +[ 90.777945] driver_detach+0x39/0x70 +[ 90.777967] bus_remove_driver+0x51/0xd0 +[ 90.777990] pci_unregister_driver+0x23/0x90 +[ 90.778019] SyS_delete_module+0x1da/0x240 +[ 90.778045] entry_SYSCALL_64_fastpath+0x24/0x87 +[ 90.778072] RIP: 0033:0x7f34312af067 +[ 90.778092] RSP: 002b:00007ffdea3da0d8 EFLAGS: 00000206 +[ 90.778297] RIP: drm_mm_remove_node+0x4d/0x320 [drm] RSP: ffffaf39c0fe3dc0 +[ 90.778344] ---[ end trace f4b1bc8305fc59dd ]--- + +Four drm_mm_node are used to reserve guest ggtt space, but some of them +may be skipped and not initialised due to space constraints in +intel_vgt_balloon(). If drm_mm_remove_node() is called with +uninitialized drm_mm_node, the above call trace occurs. + +This patch check drm_mm_node's validity before calling +drm_mm_remove_node(). + +Fixes: ff8f797557c7("drm/i915: return the correct usable aperture size under gvt environment") +Cc: stable@vger.kernel.org +Signed-off-by: Xiong Zhang +Acked-by: Zhenyu Wang +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/1566279978-9659-1-git-send-email-xiong.y.zhang@intel.com +(cherry picked from commit 4776f3529d6b1e47f02904ad1d264d25ea22b27b) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_vgpu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_vgpu.c ++++ b/drivers/gpu/drm/i915/i915_vgpu.c +@@ -100,6 +100,9 @@ static struct _balloon_info_ bl_info; + static void vgt_deballoon_space(struct i915_ggtt *ggtt, + struct drm_mm_node *node) + { ++ if (!drm_mm_node_allocated(node)) ++ return; ++ + DRM_DEBUG_DRIVER("deballoon space: range [0x%llx - 0x%llx] %llu KiB.\n", + node->start, + node->start + node->size, diff --git a/queue-4.14/intel_th-pci-add-support-for-another-lewisburg-pch.patch b/queue-4.14/intel_th-pci-add-support-for-another-lewisburg-pch.patch new file mode 100644 index 00000000000..d3ca888c8ff --- /dev/null +++ b/queue-4.14/intel_th-pci-add-support-for-another-lewisburg-pch.patch @@ -0,0 +1,34 @@ +From 164eb56e3b64f3a816238d410c9efec7567a82ef Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 21 Aug 2019 10:49:54 +0300 +Subject: intel_th: pci: Add support for another Lewisburg PCH + +From: Alexander Shishkin + +commit 164eb56e3b64f3a816238d410c9efec7567a82ef upstream. + +Add support for the Trace Hub in another Lewisburg PCH. + +Signed-off-by: Alexander Shishkin +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20190821074955.3925-4-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -149,6 +149,11 @@ static const struct pci_device_id intel_ + .driver_data = (kernel_ulong_t)0, + }, + { ++ /* Lewisburg PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa226), ++ .driver_data = (kernel_ulong_t)0, ++ }, ++ { + /* Gemini Lake */ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x318e), + .driver_data = (kernel_ulong_t)&intel_th_2x, diff --git a/queue-4.14/intel_th-pci-add-tiger-lake-support.patch b/queue-4.14/intel_th-pci-add-tiger-lake-support.patch new file mode 100644 index 00000000000..95c0a6779b0 --- /dev/null +++ b/queue-4.14/intel_th-pci-add-tiger-lake-support.patch @@ -0,0 +1,34 @@ +From 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 21 Aug 2019 10:49:55 +0300 +Subject: intel_th: pci: Add Tiger Lake support + +From: Alexander Shishkin + +commit 9c78255fdde45c6b9a1ee30f652f7b34c727f5c7 upstream. + +This adds support for the Trace Hub in Tiger Lake PCH. + +Signed-off-by: Alexander Shishkin +Cc: stable@vger.kernel.org # v4.14+ +Link: https://lore.kernel.org/r/20190821074955.3925-5-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -188,6 +188,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x45c5), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Tiger Lake PCH */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa0a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-4.14/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch b/queue-4.14/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch new file mode 100644 index 00000000000..5444da3eaf4 --- /dev/null +++ b/queue-4.14/mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch @@ -0,0 +1,48 @@ +From 72741084d903e65e121c27bd29494d941729d4a1 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Tue, 27 Aug 2019 10:10:43 +0200 +Subject: mmc: core: Fix init of SD cards reporting an invalid VDD range + +From: Ulf Hansson + +commit 72741084d903e65e121c27bd29494d941729d4a1 upstream. + +The OCR register defines the supported range of VDD voltages for SD cards. +However, it has turned out that some SD cards reports an invalid voltage +range, for example having bit7 set. + +When a host supports MMC_CAP2_FULL_PWR_CYCLE and some of the voltages from +the invalid VDD range, this triggers the core to run a power cycle of the +card to try to initialize it at the lowest common supported voltage. +Obviously this fails, since the card can't support it. + +Let's fix this problem, by clearing invalid bits from the read OCR register +for SD cards, before proceeding with the VDD voltage negotiation. + +Cc: stable@vger.kernel.org +Reported-by: Philip Langdale +Signed-off-by: Ulf Hansson +Reviewed-by: Philip Langdale +Tested-by: Philip Langdale +Tested-by: Manuel Presnitz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/sd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -1232,6 +1232,12 @@ int mmc_attach_sd(struct mmc_host *host) + goto err; + } + ++ /* ++ * Some SD cards claims an out of spec VDD voltage range. Let's treat ++ * these bits as being in-valid and especially also bit7. ++ */ ++ ocr &= ~0x7FFF; ++ + rocr = mmc_select_voltage(host, ocr); + + /* diff --git a/queue-4.14/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch b/queue-4.14/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch new file mode 100644 index 00000000000..f210058a649 --- /dev/null +++ b/queue-4.14/mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch @@ -0,0 +1,37 @@ +From 7871aa60ae0086fe4626abdf5ed13eeddf306c61 Mon Sep 17 00:00:00 2001 +From: Eugen Hristev +Date: Thu, 8 Aug 2019 08:35:40 +0000 +Subject: mmc: sdhci-of-at91: add quirk for broken HS200 + +From: Eugen Hristev + +commit 7871aa60ae0086fe4626abdf5ed13eeddf306c61 upstream. + +HS200 is not implemented in the driver, but the controller claims it +through caps. Remove it via a quirk, to make sure the mmc core do not try +to enable HS200, as it causes the eMMC initialization to fail. + +Signed-off-by: Eugen Hristev +Acked-by: Ludovic Desroches +Acked-by: Adrian Hunter +Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-at91.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -364,6 +364,9 @@ static int sdhci_at91_probe(struct platf + pm_runtime_set_autosuspend_delay(&pdev->dev, 50); + pm_runtime_use_autosuspend(&pdev->dev); + ++ /* HS200 is broken at this moment */ ++ host->quirks2 = SDHCI_QUIRK2_BROKEN_HS200; ++ + ret = sdhci_add_host(host); + if (ret) + goto pm_runtime_disable; diff --git a/queue-4.14/series b/queue-4.14/series index c88e86ae329..58f89710e8f 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -36,3 +36,11 @@ usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch usb-storage-ums-realtek-whitelist-auto-delink-support.patch uprobes-x86-fix-detection-of-32-bit-user-mode.patch +mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch +mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch +stm-class-fix-a-double-free-of-stm_source_device.patch +intel_th-pci-add-support-for-another-lewisburg-pch.patch +intel_th-pci-add-tiger-lake-support.patch +drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch +vmci-release-resource-if-the-work-is-already-queued.patch +crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch diff --git a/queue-4.14/stm-class-fix-a-double-free-of-stm_source_device.patch b/queue-4.14/stm-class-fix-a-double-free-of-stm_source_device.patch new file mode 100644 index 00000000000..622d63e162c --- /dev/null +++ b/queue-4.14/stm-class-fix-a-double-free-of-stm_source_device.patch @@ -0,0 +1,36 @@ +From 961b6ffe0e2c403b09a8efe4a2e986b3c415391a Mon Sep 17 00:00:00 2001 +From: Ding Xiang +Date: Wed, 21 Aug 2019 10:49:52 +0300 +Subject: stm class: Fix a double free of stm_source_device + +From: Ding Xiang + +commit 961b6ffe0e2c403b09a8efe4a2e986b3c415391a upstream. + +In the error path of stm_source_register_device(), the kfree is +unnecessary, as the put_device() before it ends up calling +stm_source_device_release() to free stm_source_device, leading to +a double free at the outer kfree() call. Remove it. + +Signed-off-by: Ding Xiang +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2fa ("stm class: Introduce an abstraction for System Trace Module devices") +Link: https://lore.kernel.org/linux-arm-kernel/1563354988-23826-1-git-send-email-dingxiang@cmss.chinamobile.com/ +Cc: stable@vger.kernel.org # v4.4+ +Link: https://lore.kernel.org/r/20190821074955.3925-2-alexander.shishkin@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -1107,7 +1107,6 @@ int stm_source_register_device(struct de + + err: + put_device(&src->dev); +- kfree(src); + + return err; + } diff --git a/queue-4.14/vmci-release-resource-if-the-work-is-already-queued.patch b/queue-4.14/vmci-release-resource-if-the-work-is-already-queued.patch new file mode 100644 index 00000000000..108b4aee153 --- /dev/null +++ b/queue-4.14/vmci-release-resource-if-the-work-is-already-queued.patch @@ -0,0 +1,91 @@ +From ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 Mon Sep 17 00:00:00 2001 +From: Nadav Amit +Date: Tue, 20 Aug 2019 13:26:38 -0700 +Subject: VMCI: Release resource if the work is already queued + +From: Nadav Amit + +commit ba03a9bbd17b149c373c0ea44017f35fc2cd0f28 upstream. + +Francois reported that VMware balloon gets stuck after a balloon reset, +when the VMCI doorbell is removed. A similar error can occur when the +balloon driver is removed with the following splat: + +[ 1088.622000] INFO: task modprobe:3565 blocked for more than 120 seconds. +[ 1088.622035] Tainted: G W 5.2.0 #4 +[ 1088.622087] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 1088.622205] modprobe D 0 3565 1450 0x00000000 +[ 1088.622210] Call Trace: +[ 1088.622246] __schedule+0x2a8/0x690 +[ 1088.622248] schedule+0x2d/0x90 +[ 1088.622250] schedule_timeout+0x1d3/0x2f0 +[ 1088.622252] wait_for_completion+0xba/0x140 +[ 1088.622320] ? wake_up_q+0x80/0x80 +[ 1088.622370] vmci_resource_remove+0xb9/0xc0 [vmw_vmci] +[ 1088.622373] vmci_doorbell_destroy+0x9e/0xd0 [vmw_vmci] +[ 1088.622379] vmballoon_vmci_cleanup+0x6e/0xf0 [vmw_balloon] +[ 1088.622381] vmballoon_exit+0x18/0xcc8 [vmw_balloon] +[ 1088.622394] __x64_sys_delete_module+0x146/0x280 +[ 1088.622408] do_syscall_64+0x5a/0x130 +[ 1088.622410] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1088.622415] RIP: 0033:0x7f54f62791b7 +[ 1088.622421] Code: Bad RIP value. +[ 1088.622421] RSP: 002b:00007fff2a949008 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[ 1088.622426] RAX: ffffffffffffffda RBX: 000055dff8b55d00 RCX: 00007f54f62791b7 +[ 1088.622426] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055dff8b55d68 +[ 1088.622427] RBP: 000055dff8b55d00 R08: 00007fff2a947fb1 R09: 0000000000000000 +[ 1088.622427] R10: 00007f54f62f5cc0 R11: 0000000000000206 R12: 000055dff8b55d68 +[ 1088.622428] R13: 0000000000000001 R14: 000055dff8b55d68 R15: 00007fff2a94a3f0 + +The cause for the bug is that when the "delayed" doorbell is invoked, it +takes a reference on the doorbell entry and schedules work that is +supposed to run the appropriate code and drop the doorbell entry +reference. The code ignores the fact that if the work is already queued, +it will not be scheduled to run one more time. As a result one of the +references would not be dropped. When the code waits for the reference +to get to zero, during balloon reset or module removal, it gets stuck. + +Fix it. Drop the reference if schedule_work() indicates that the work is +already queued. + +Note that this bug got more apparent (or apparent at all) due to +commit ce664331b248 ("vmw_balloon: VMCI_DOORBELL_SET does not check status"). + +Fixes: 83e2ec765be03 ("VMCI: doorbell implementation.") +Reported-by: Francois Rigault +Cc: Jorgen Hansen +Cc: Adit Ranadive +Cc: Alexios Zavras +Cc: Vishnu DASA +Cc: stable@vger.kernel.org +Signed-off-by: Nadav Amit +Reviewed-by: Vishnu Dasa +Link: https://lore.kernel.org/r/20190820202638.49003-1-namit@vmware.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_vmci/vmci_doorbell.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_doorbell.c ++++ b/drivers/misc/vmw_vmci/vmci_doorbell.c +@@ -318,7 +318,8 @@ int vmci_dbell_host_context_notify(u32 s + + entry = container_of(resource, struct dbell_entry, resource); + if (entry->run_delayed) { +- schedule_work(&entry->work); ++ if (!schedule_work(&entry->work)) ++ vmci_resource_put(resource); + } else { + entry->notify_cb(entry->client_data); + vmci_resource_put(resource); +@@ -366,7 +367,8 @@ static void dbell_fire_entries(u32 notif + atomic_read(&dbell->active) == 1) { + if (dbell->run_delayed) { + vmci_resource_get(&dbell->resource); +- schedule_work(&dbell->work); ++ if (!schedule_work(&dbell->work)) ++ vmci_resource_put(&dbell->resource); + } else { + dbell->notify_cb(dbell->client_data); + }