4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Aug 2017 12:37:07 +0000 (14:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Aug 2017 12:37:07 +0000 (14:37 +0200)
added patches:
cifs-fix-df-output-for-users-with-quota-limits.patch
cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch
drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch
drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch
drm-rcar-du-fix-display-timing-controller-parameter.patch
drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch
drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch
drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch
drm-release-driver-tracking-before-making-the-object-available-again.patch
i2c-designware-fix-system-suspend.patch
nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch
perf-core-fix-group-cpu-task-validation.patch
tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch

14 files changed:
queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch [new file with mode: 0644]
queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch [new file with mode: 0644]
queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch [new file with mode: 0644]
queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch [new file with mode: 0644]
queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch [new file with mode: 0644]
queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch [new file with mode: 0644]
queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch [new file with mode: 0644]
queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch [new file with mode: 0644]
queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch [new file with mode: 0644]
queue-4.4/i2c-designware-fix-system-suspend.patch [new file with mode: 0644]
queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch [new file with mode: 0644]
queue-4.4/perf-core-fix-group-cpu-task-validation.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch [new file with mode: 0644]

diff --git a/queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch b/queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch
new file mode 100644 (file)
index 0000000..e15d0b1
--- /dev/null
@@ -0,0 +1,57 @@
+From 42bec214d8bd432be6d32a1acb0a9079ecd4d142 Mon Sep 17 00:00:00 2001
+From: Sachin Prabhu <sprabhu@redhat.com>
+Date: Thu, 3 Aug 2017 13:09:03 +0530
+Subject: cifs: Fix df output for users with quota limits
+
+From: Sachin Prabhu <sprabhu@redhat.com>
+
+commit 42bec214d8bd432be6d32a1acb0a9079ecd4d142 upstream.
+
+The df for a SMB2 share triggers a GetInfo call for
+FS_FULL_SIZE_INFORMATION. The values returned are used to populate
+struct statfs.
+
+The problem is that none of the information returned by the call
+contains the total blocks available on the filesystem. Instead we use
+the blocks available to the user ie. quota limitation when filling out
+statfs.f_blocks. The information returned does contain Actual free units
+on the filesystem and is used to populate statfs.f_bfree. For users with
+quota enabled, it can lead to situations where the total free space
+reported is more than the total blocks on the system ending up with df
+reports like the following
+
+ # df -h /mnt/a
+Filesystem         Size  Used Avail Use% Mounted on
+//192.168.22.10/a  2.5G -2.3G  2.5G    - /mnt/a
+
+To fix this problem, we instead populate both statfs.f_bfree with the
+same value as statfs.f_bavail ie. CallerAvailableAllocationUnits. This
+is similar to what is done already in the code for cifs and df now
+reports the quota information for the user used to mount the share.
+
+ # df --si /mnt/a
+Filesystem         Size  Used Avail Use% Mounted on
+//192.168.22.10/a  2.7G  101M  2.6G   4% /mnt/a
+
+Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
+Signed-off-by: Pierguido Lambri <plambri@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -2768,8 +2768,8 @@ copy_fs_info_to_kstatfs(struct smb2_fs_f
+       kst->f_bsize = le32_to_cpu(pfs_inf->BytesPerSector) *
+                         le32_to_cpu(pfs_inf->SectorsPerAllocationUnit);
+       kst->f_blocks = le64_to_cpu(pfs_inf->TotalAllocationUnits);
+-      kst->f_bfree  = le64_to_cpu(pfs_inf->ActualAvailableAllocationUnits);
+-      kst->f_bavail = le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
++      kst->f_bfree  = kst->f_bavail =
++                      le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits);
+       return;
+ }
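Review bot: The chained assignment in copy_fs_info_to_kstatfs() (`kst->f_bfree  = kst->f_bavail = ...`) leaves no trace in the code of why ActualAvailableAllocationUnits is deliberately no longer used for f_bfree, so a later reader could easily restore the old line. I would split it into two assignments and put the reason above them, e.g. `/* report the caller's quota view for both; the actual free count can exceed TotalAllocationUnits and make df show negative usage */`. Kernel coding style also discourages multiple assignments on one line. The function starts outside the hunk.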
diff --git a/queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch b/queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch
new file mode 100644 (file)
index 0000000..2387308
--- /dev/null
@@ -0,0 +1,88 @@
+From d3edede29f74d335f81d95a4588f5f136a9f7dcf Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 23 Aug 2017 14:48:14 +1000
+Subject: cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream.
+
+Add checking for the path component length and verify it is <= the maximum
+that the server advertizes via FileFsAttributeInformation.
+
+With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT
+when users to access an overlong path.
+
+To test this, try to cd into a (non-existing) directory on a CIFS share
+that has a too long name:
+cd /mnt/aaaaaaaaaaaaaaa...
+
+and it now should show a good error message from the shell:
+bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long
+
+rh bz 1153996
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -183,15 +183,20 @@ cifs_bp_rename_retry:
+ }
+ /*
++ * Don't allow path components longer than the server max.
+  * Don't allow the separator character in a path component.
+  * The VFS will not allow "/", but "\" is allowed by posix.
+  */
+ static int
+-check_name(struct dentry *direntry)
++check_name(struct dentry *direntry, struct cifs_tcon *tcon)
+ {
+       struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb);
+       int i;
++      if (unlikely(direntry->d_name.len >
++                   tcon->fsAttrInfo.MaxPathNameComponentLength))
++              return -ENAMETOOLONG;
++
+       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) {
+               for (i = 0; i < direntry->d_name.len; i++) {
+                       if (direntry->d_name.name[i] == '\\') {
+@@ -489,10 +494,6 @@ cifs_atomic_open(struct inode *inode, st
+               return finish_no_open(file, res);
+       }
+-      rc = check_name(direntry);
+-      if (rc)
+-              return rc;
+-
+       xid = get_xid();
+       cifs_dbg(FYI, "parent inode = 0x%p name is: %pd and dentry = 0x%p\n",
+@@ -505,6 +506,11 @@ cifs_atomic_open(struct inode *inode, st
+       }
+       tcon = tlink_tcon(tlink);
++
++      rc = check_name(direntry, tcon);
++      if (rc)
++              goto out_free_xid;
++
+       server = tcon->ses->server;
+       if (server->ops->new_lease_key)
+@@ -765,7 +771,7 @@ cifs_lookup(struct inode *parent_dir_ino
+       }
+       pTcon = tlink_tcon(tlink);
+-      rc = check_name(direntry);
++      rc = check_name(direntry, pTcon);
+       if (rc)
+               goto lookup_out;
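Review bot: The new length test in check_name() trusts `tcon->fsAttrInfo.MaxPathNameComponentLength` as soon as a tcon exists, and nothing in the hunk handles the value being 0; if the server reports 0 there, or the attribute query never filled the field in (not visible here), every lookup and open on the mount would return -ENAMETOOLONG. Guarding the comparison, `if (unlikely(tcon->fsAttrInfo.MaxPathNameComponentLength && direntry->d_name.len > le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength)))`, keeps a server-supplied value from making the whole mount unusable; the `le32_to_cpu()` is needed only if the field is kept in wire order, which the hunk does not show. Separately, the new failure path in cifs_atomic_open() jumps to `out_free_xid` after `tlink` has already been obtained; that label is outside the hunk, so confirm it also drops the tlink reference or jump to the label that does.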
diff --git a/queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch b/queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch
new file mode 100644 (file)
index 0000000..dba28cd
--- /dev/null
@@ -0,0 +1,102 @@
+From a0ffc51e20e90e0c1c2491de2b4b03f48b6caaba Mon Sep 17 00:00:00 2001
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Date: Tue, 15 Aug 2017 11:57:06 +0200
+Subject: drm/atomic: If the atomic check fails, return its value first
+
+From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+
+commit a0ffc51e20e90e0c1c2491de2b4b03f48b6caaba upstream.
+
+The last part of drm_atomic_check_only is testing whether we need to
+fail with -EINVAL when modeset is not allowed, but forgets to return
+the value when atomic_check() fails first.
+
+This results in -EDEADLK being replaced by -EINVAL, and the sanity
+check in drm_modeset_drop_locks kicks in:
+
+[  308.531734] ------------[ cut here ]------------
+[  308.531791] WARNING: CPU: 0 PID: 1886 at drivers/gpu/drm/drm_modeset_lock.c:217 drm_modeset_drop_locks+0x33/0xc0 [drm]
+[  308.531828] Modules linked in:
+[  308.532050] CPU: 0 PID: 1886 Comm: kms_atomic Tainted: G     U  W 4.13.0-rc5-patser+ #5225
+[  308.532082] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015
+[  308.532124] task: ffff8800cd9dae00 task.stack: ffff8800ca3b8000
+[  308.532168] RIP: 0010:drm_modeset_drop_locks+0x33/0xc0 [drm]
+[  308.532189] RSP: 0018:ffff8800ca3bf980 EFLAGS: 00010282
+[  308.532211] RAX: dffffc0000000000 RBX: ffff8800ca3bfaf8 RCX: 0000000013a171e6
+[  308.532235] RDX: 1ffff10019477f69 RSI: ffffffffa8ba4fa0 RDI: ffff8800ca3bfb48
+[  308.532258] RBP: ffff8800ca3bf998 R08: 0000000000000000 R09: 0000000000000003
+[  308.532281] R10: 0000000079dbe066 R11: 00000000f760b34b R12: 0000000000000001
+[  308.532304] R13: dffffc0000000000 R14: 00000000ffffffea R15: ffff880096889680
+[  308.532328] FS:  00007ff00959cec0(0000) GS:ffff8800d4e00000(0000) knlGS:0000000000000000
+[  308.532359] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  308.532380] CR2: 0000000000000008 CR3: 00000000ca2e3000 CR4: 00000000003406f0
+[  308.532402] Call Trace:
+[  308.532440]  drm_mode_atomic_ioctl+0x19fa/0x1c00 [drm]
+[  308.532488]  ? drm_atomic_set_property+0x1220/0x1220 [drm]
+[  308.532565]  ? avc_has_extended_perms+0xc39/0xff0
+[  308.532593]  ? lock_downgrade+0x610/0x610
+[  308.532640]  ? drm_atomic_set_property+0x1220/0x1220 [drm]
+[  308.532680]  drm_ioctl_kernel+0x154/0x1a0 [drm]
+[  308.532755]  drm_ioctl+0x624/0x8f0 [drm]
+[  308.532858]  ? drm_atomic_set_property+0x1220/0x1220 [drm]
+[  308.532976]  ? drm_getunique+0x210/0x210 [drm]
+[  308.533061]  do_vfs_ioctl+0xd92/0xe40
+[  308.533121]  ? ioctl_preallocate+0x1b0/0x1b0
+[  308.533160]  ? selinux_capable+0x20/0x20
+[  308.533191]  ? do_fcntl+0x1b1/0xbf0
+[  308.533219]  ? kasan_slab_free+0xa2/0xb0
+[  308.533249]  ? f_getown+0x4b/0xa0
+[  308.533278]  ? putname+0xcf/0xe0
+[  308.533309]  ? security_file_ioctl+0x57/0x90
+[  308.533342]  SyS_ioctl+0x4e/0x80
+[  308.533374]  entry_SYSCALL_64_fastpath+0x18/0xad
+[  308.533405] RIP: 0033:0x7ff00779e4d7
+[  308.533431] RSP: 002b:00007fff66a043d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[  308.533481] RAX: ffffffffffffffda RBX: 000000e7c7ca5910 RCX: 00007ff00779e4d7
+[  308.533560] RDX: 00007fff66a04430 RSI: 00000000c03864bc RDI: 0000000000000003
+[  308.533608] RBP: 00007ff007a5fb00 R08: 000000e7c7ca4620 R09: 000000e7c7ca5e60
+[  308.533647] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000070
+[  308.533685] R13: 0000000000000000 R14: 0000000000000000 R15: 000000e7c7ca5930
+[  308.533770] Code: ff df 55 48 89 e5 41 55 41 54 53 48 89 fb 48 83 c7
+50 48 89 fa 48 c1 ea 03 80 3c 02 00 74 05 e8 94 d4 16 e7 48 83 7b 50 00
+74 02 <0f> ff 4c 8d 6b 58 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1
+[  308.534086] ---[ end trace 77f11e53b1df44ad ]---
+
+Solve this by adding the missing return.
+
+This is also a bugfix because we could end up rejecting updates with
+-EINVAL because of a early -EDEADLK, while if atomic_check ran to
+completion it might have downgraded the modeset to a fastset.
+
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Testcase: kms_atomic
+Link: https://patchwork.freedesktop.org/patch/msgid/20170815095706.23624-1-maarten.lankhorst@linux.intel.com
+Fixes: d34f20d6e2f2 ("drm: Atomic modeset ioctl")
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_atomic.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_atomic.c
++++ b/drivers/gpu/drm/drm_atomic.c
+@@ -1247,6 +1247,9 @@ int drm_atomic_check_only(struct drm_ato
+       if (config->funcs->atomic_check)
+               ret = config->funcs->atomic_check(state->dev, state);
++      if (ret)
++              return ret;
++
+       if (!state->allow_modeset) {
+               for_each_crtc_in_state(state, crtc, crtc_state, i) {
+                       if (drm_atomic_crtc_needs_modeset(crtc_state)) {
+@@ -1257,7 +1260,7 @@ int drm_atomic_check_only(struct drm_ato
+               }
+       }
+-      return ret;
++      return 0;
+ }
+ EXPORT_SYMBOL(drm_atomic_check_only);
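Review bot: The added `if (ret) return ret;` in drm_atomic_check_only() sits after the `if (config->funcs->atomic_check)` block rather than inside it, so when a driver provides no hook it re-tests whatever `ret` held from the earlier checks, which are outside the hunk. Moving the test into the block, directly after `ret = config->funcs->atomic_check(state->dev, state);`, makes the intent explicit. A one-line comment such as `/* propagate -EDEADLK unchanged so the caller can back off and retry */` would also record why the error must not be overwritten by the modeset test below.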
diff --git a/queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch b/queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch
new file mode 100644 (file)
index 0000000..032af6a
--- /dev/null
@@ -0,0 +1,47 @@
+From 05ee29e94acf0d4b3998c3f93374952de8f90176 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Mon, 3 Oct 2016 20:03:22 +0300
+Subject: drm: rcar-du: Fix crash in encoder failure error path
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+commit 05ee29e94acf0d4b3998c3f93374952de8f90176 upstream.
+
+When an encoder fails to initialize the driver prints an error message
+to the kernel log. The message contains the name of the encoder's DT
+node, which is NULL for internal encoders. Use the of_node_full_name()
+macro to avoid dereferencing a NULL pointer, print the output number to
+add more context to the error, and make sure we still own a reference to
+the encoder's DT node by delaying the of_node_put() call.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Reviewed-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Thong Ho <thong.ho.px@rvc.renesas.com>
+Signed-off-by: Nhan Nguyen <nhan.nguyen.yb@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rcar-du/rcar_du_kms.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+@@ -642,13 +642,13 @@ static int rcar_du_encoders_init_one(str
+       }
+       ret = rcar_du_encoder_init(rcdu, enc_type, output, encoder, connector);
+-      of_node_put(encoder);
+-      of_node_put(connector);
+-
+       if (ret && ret != -EPROBE_DEFER)
+               dev_warn(rcdu->dev,
+-                       "failed to initialize encoder %s (%d), skipping\n",
+-                       encoder->full_name, ret);
++                       "failed to initialize encoder %s on output %u (%d), skipping\n",
++                       of_node_full_name(encoder), output, ret);
++
++      of_node_put(encoder);
++      of_node_put(connector);
+       return ret;
+ }
diff --git a/queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch b/queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch
new file mode 100644 (file)
index 0000000..12df605
--- /dev/null
@@ -0,0 +1,35 @@
+From 9cdced8a39c04cf798ddb2a27cb5952f7d39f633 Mon Sep 17 00:00:00 2001
+From: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+Date: Mon, 18 Apr 2016 16:31:30 +0900
+Subject: drm: rcar-du: Fix display timing controller parameter
+
+From: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+
+commit 9cdced8a39c04cf798ddb2a27cb5952f7d39f633 upstream.
+
+There is a bug in the setting of the DES (Display Enable Signal)
+register. This current setting occurs 1 dot left shift. The DES
+register should be set minus one value about the specifying value
+with H/W specification. This patch corrects it.
+
+Signed-off-by: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Thong Ho <thong.ho.px@rvc.renesas.com>
+Signed-off-by: Nhan Nguyen <nhan.nguyen.yb@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rcar-du/rcar_du_crtc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+@@ -171,7 +171,7 @@ static void rcar_du_crtc_set_display_tim
+                                       mode->crtc_vsync_start - 1);
+       rcar_du_crtc_write(rcrtc, VCR,  mode->crtc_vtotal - 1);
+-      rcar_du_crtc_write(rcrtc, DESR,  mode->htotal - mode->hsync_start);
++      rcar_du_crtc_write(rcrtc, DESR,  mode->htotal - mode->hsync_start - 1);
+       rcar_du_crtc_write(rcrtc, DEWR,  mode->hdisplay);
+ }
diff --git a/queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch b/queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch
new file mode 100644 (file)
index 0000000..d17c6bf
--- /dev/null
@@ -0,0 +1,35 @@
+From fd1adef3bff0663c5ac31b45bc4a05fafd43d19b Mon Sep 17 00:00:00 2001
+From: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+Date: Mon, 16 May 2016 11:28:15 +0900
+Subject: drm: rcar-du: Fix H/V sync signal polarity configuration
+
+From: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+
+commit fd1adef3bff0663c5ac31b45bc4a05fafd43d19b upstream.
+
+The VSL and HSL bits in the DSMR register set the corresponding
+horizontal and vertical sync signal polarity to active high. The code
+got it the wrong way around, fix it.
+
+Signed-off-by: Koji Matsuoka <koji.matsuoka.xm@renesas.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Thong Ho <thong.ho.px@rvc.renesas.com>
+Signed-off-by: Nhan Nguyen <nhan.nguyen.yb@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_crtc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+@@ -148,8 +148,8 @@ static void rcar_du_crtc_set_display_tim
+       rcar_du_group_write(rcrtc->group, rcrtc->index % 2 ? OTAR2 : OTAR, 0);
+       /* Signal polarities */
+-      value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? 0 : DSMR_VSL)
+-            | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? 0 : DSMR_HSL)
++      value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? DSMR_VSL : 0)
++            | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? DSMR_HSL : 0)
+             | DSMR_DIPM_DE | DSMR_CSPM;
+       rcar_du_crtc_write(rcrtc, DSMR, value);
diff --git a/queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch b/queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch
new file mode 100644 (file)
index 0000000..fc8f9b1
--- /dev/null
@@ -0,0 +1,37 @@
+From 5e1ac3bdc6bbb4f378251b87625b8acfbfc4ae82 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Mon, 7 Sep 2015 16:03:25 +0300
+Subject: drm: rcar-du: lvds: Fix PLL frequency-related configuration
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+commit 5e1ac3bdc6bbb4f378251b87625b8acfbfc4ae82 upstream.
+
+The frequency checks don't match the datasheet, fix them.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Thong Ho <thong.ho.px@rvc.renesas.com>
+Signed-off-by: Nhan Nguyen <nhan.nguyen.yb@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -56,11 +56,11 @@ static int rcar_du_lvdsenc_start(struct
+               return ret;
+       /* PLL clock configuration */
+-      if (freq <= 38000)
++      if (freq < 39000)
+               pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_38M;
+-      else if (freq <= 60000)
++      else if (freq < 61000)
+               pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_60M;
+-      else if (freq <= 121000)
++      else if (freq < 121000)
+               pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_121M;
+       else
+               pllcr = LVDPLLCR_PLLDLYCNT_150M;
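Review bot: The three rewritten bounds in rcar_du_lvdsenc_start() do not follow one pattern: `freq < 39000` and `freq < 61000` sit 1000 above the names of the PLLDLYCNT_38M and PLLDLYCNT_60M settings they select, while `freq < 121000` sits exactly on its name, and the code gives no hint which is intended. Since the commit message says the values come from the datasheet, a comment above the chain stating the ranges would let a reader check them, for example `/* PLLDLYCNT ranges per datasheet: below 39 MHz, 39-61 MHz, 61-121 MHz, otherwise the 150M setting */`. The unit of `freq` is not visible in the hunk and should be confirmed before wording the comment.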
diff --git a/queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch b/queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch
new file mode 100644 (file)
index 0000000..bbd1618
--- /dev/null
@@ -0,0 +1,43 @@
+From 82e7c5e4964545352accff4b44bbcaa2c38e7fc1 Mon Sep 17 00:00:00 2001
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Date: Mon, 7 Sep 2015 15:28:17 +0300
+Subject: drm: rcar-du: lvds: Rename PLLEN bit to PLLON
+
+From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+
+commit 82e7c5e4964545352accff4b44bbcaa2c38e7fc1 upstream.
+
+The bit is named PLLON in the datasheet, rename it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Thong Ho <thong.ho.px@rvc.renesas.com>
+Signed-off-by: Nhan Nguyen <nhan.nguyen.yb@renesas.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c |    2 +-
+ drivers/gpu/drm/rcar-du/rcar_lvds_regs.h  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c
+@@ -102,7 +102,7 @@ static int rcar_du_lvdsenc_start(struct
+       /* Turn the PLL on, wait for the startup delay, and turn the output
+        * on.
+        */
+-      lvdcr0 |= LVDCR0_PLLEN;
++      lvdcr0 |= LVDCR0_PLLON;
+       rcar_lvds_write(lvds, LVDCR0, lvdcr0);
+       usleep_range(100, 150);
+--- a/drivers/gpu/drm/rcar-du/rcar_lvds_regs.h
++++ b/drivers/gpu/drm/rcar-du/rcar_lvds_regs.h
+@@ -18,7 +18,7 @@
+ #define LVDCR0_DMD                    (1 << 12)
+ #define LVDCR0_LVMD_MASK              (0xf << 8)
+ #define LVDCR0_LVMD_SHIFT             8
+-#define LVDCR0_PLLEN                  (1 << 4)
++#define LVDCR0_PLLON                  (1 << 4)
+ #define LVDCR0_BEN                    (1 << 2)
+ #define LVDCR0_LVEN                   (1 << 1)
+ #define LVDCR0_LVRES                  (1 << 0)
diff --git a/queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch b/queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch
new file mode 100644 (file)
index 0000000..887cd62
--- /dev/null
@@ -0,0 +1,56 @@
+From fe4600a548f2763dec91b3b27a1245c370ceee2a Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Sat, 19 Aug 2017 13:05:58 +0100
+Subject: drm: Release driver tracking before making the object available again
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit fe4600a548f2763dec91b3b27a1245c370ceee2a upstream.
+
+This is the same bug as we fixed in commit f6cd7daecff5 ("drm: Release
+driver references to handle before making it available again"), but now
+the exposure is via the PRIME lookup tables. If we remove the
+object/handle from the PRIME lut, then a new request for the same
+object/fd will generate a new handle, thus for a short window that
+object is known to userspace by two different handles. Fix this by
+releasing the driver tracking before PRIME.
+
+Fixes: 0ff926c7d4f0 ("drm/prime: add exported buffers to current fprivs
+imported buffer list (v2)")
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Rob Clark <robdclark@gmail.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Thierry Reding <treding@nvidia.com>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20170819120558.6465-1-chris@chris-wilson.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_gem.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem.c
++++ b/drivers/gpu/drm/drm_gem.c
+@@ -715,13 +715,13 @@ drm_gem_object_release_handle(int id, vo
+       struct drm_gem_object *obj = ptr;
+       struct drm_device *dev = obj->dev;
++      if (dev->driver->gem_close_object)
++              dev->driver->gem_close_object(obj, file_priv);
++
+       if (drm_core_check_feature(dev, DRIVER_PRIME))
+               drm_gem_remove_prime_handles(obj, file_priv);
+       drm_vma_node_revoke(&obj->vma_node, file_priv->filp);
+-      if (dev->driver->gem_close_object)
+-              dev->driver->gem_close_object(obj, file_priv);
+-
+       drm_gem_object_handle_unreference_unlocked(obj);
+       return 0;
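Review bot: The fix in drm_gem_object_release_handle() is purely an ordering constraint and nothing in the code says so; the `gem_close_object` call now simply happens to come first. A comment above it would stop a later cleanup from moving it back, e.g. `/* Drop driver tracking before the PRIME lookup entry goes away, otherwise a new request for the same object/fd can give userspace a second handle while the old one is still tracked. */`. The start of the function is outside the hunk.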
diff --git a/queue-4.4/i2c-designware-fix-system-suspend.patch b/queue-4.4/i2c-designware-fix-system-suspend.patch
new file mode 100644 (file)
index 0000000..bde4676
--- /dev/null
@@ -0,0 +1,92 @@
+From a23318feeff662c8d25d21623daebdd2e55ec221 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 9 Aug 2017 15:28:22 +0200
+Subject: i2c: designware: Fix system suspend
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit a23318feeff662c8d25d21623daebdd2e55ec221 upstream.
+
+The commit 8503ff166504 ("i2c: designware: Avoid unnecessary resuming
+during system suspend"), may suggest to the PM core to try out the so
+called direct_complete path for system sleep. In this path, the PM core
+treats a runtime suspended device as it's already in a proper low power
+state for system sleep, which makes it skip calling the system sleep
+callbacks for the device, except for the ->prepare() and the ->complete()
+callbacks.
+
+However, the PM core may unset the direct_complete flag for a parent
+device, in case its child device are being system suspended before. In this
+scenario, the PM core invokes the system sleep callbacks, no matter if the
+device is runtime suspended or not.
+
+Particularly in cases of an existing i2c slave device, the above path is
+triggered, which breaks the assumption that the i2c device is always
+runtime resumed whenever the dw_i2c_plat_suspend() is being called.
+
+More precisely, dw_i2c_plat_suspend() calls clk_core_disable() and
+clk_core_unprepare(), for an already disabled/unprepared clock, leading to
+a splat in the log about clocks calls being wrongly balanced and breaking
+system sleep.
+
+To still allow the direct_complete path in cases when it's possible, but
+also to keep the fix simple, let's runtime resume the i2c device in the
+->suspend() callback, before continuing to put the device into low power
+state.
+
+Note, in cases when the i2c device is attached to the ACPI PM domain, this
+problem doesn't occur, because ACPI's ->suspend() callback, assigned to
+acpi_subsys_suspend(), already calls pm_runtime_resume() for the device.
+
+It should also be noted that this change does not fix commit 8503ff166504
+("i2c: designware: Avoid unnecessary resuming during system suspend").
+Because for the non-ACPI case, the system sleep support was already broken
+prior that point.
+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Tested-by: John Stultz <john.stultz@linaro.org>
+Tested-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-designware-platdrv.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-designware-platdrv.c
++++ b/drivers/i2c/busses/i2c-designware-platdrv.c
+@@ -294,7 +294,7 @@ static void dw_i2c_plat_complete(struct
+ #endif
+ #ifdef CONFIG_PM
+-static int dw_i2c_plat_suspend(struct device *dev)
++static int dw_i2c_plat_runtime_suspend(struct device *dev)
+ {
+       struct platform_device *pdev = to_platform_device(dev);
+       struct dw_i2c_dev *i_dev = platform_get_drvdata(pdev);
+@@ -318,11 +318,21 @@ static int dw_i2c_plat_resume(struct dev
+       return 0;
+ }
++#ifdef CONFIG_PM_SLEEP
++static int dw_i2c_plat_suspend(struct device *dev)
++{
++      pm_runtime_resume(dev);
++      return dw_i2c_plat_runtime_suspend(dev);
++}
++#endif
++
+ static const struct dev_pm_ops dw_i2c_dev_pm_ops = {
+       .prepare = dw_i2c_plat_prepare,
+       .complete = dw_i2c_plat_complete,
+       SET_SYSTEM_SLEEP_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume)
+-      SET_RUNTIME_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume, NULL)
++      SET_RUNTIME_PM_OPS(dw_i2c_plat_runtime_suspend,
++                         dw_i2c_plat_resume,
++                         NULL)
+ };
+ #define DW_I2C_DEV_PMOPS (&dw_i2c_dev_pm_ops)
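Review bot: The new dw_i2c_plat_suspend() discards the result of `pm_runtime_resume(dev)` and goes straight on to dw_i2c_plat_runtime_suspend(); if the resume fails, the device is still runtime suspended and the second call would presumably disable the already-disabled clock again, which is the unbalanced-clock splat the commit message describes. Either bail out on a negative return (`ret = pm_runtime_resume(dev); if (ret < 0) return ret;`) or add a comment saying why the result can safely be ignored here. The body of dw_i2c_plat_runtime_suspend() is outside the hunk, so the clock handling is inferred from the description.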
diff --git a/queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch b/queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch
new file mode 100644 (file)
index 0000000..d7ecca3
--- /dev/null
@@ -0,0 +1,48 @@
+From fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 18 Aug 2017 11:12:19 -0400
+Subject: nfsd: Limit end of page list when decoding NFSv4 WRITE
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 upstream.
+
+When processing an NFSv4 WRITE operation, argp->end should never
+point past the end of the data in the final page of the page list.
+Otherwise, nfsd4_decode_compound can walk into uninitialized memory.
+
+More critical, nfsd4_decode_write is failing to increment argp->pagelen
+when it increments argp->pagelist.  This can cause later xdr decoders
+to assume more data is available than really is, which can cause server
+crashes on malformed requests.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4xdr.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -129,7 +129,7 @@ static void next_decode_page(struct nfsd
+       argp->p = page_address(argp->pagelist[0]);
+       argp->pagelist++;
+       if (argp->pagelen < PAGE_SIZE) {
+-              argp->end = argp->p + (argp->pagelen>>2);
++              argp->end = argp->p + XDR_QUADLEN(argp->pagelen);
+               argp->pagelen = 0;
+       } else {
+               argp->end = argp->p + (PAGE_SIZE>>2);
+@@ -1246,9 +1246,7 @@ nfsd4_decode_write(struct nfsd4_compound
+               argp->pagelen -= pages * PAGE_SIZE;
+               len -= pages * PAGE_SIZE;
+-              argp->p = (__be32 *)page_address(argp->pagelist[0]);
+-              argp->pagelist++;
+-              argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE);
++              next_decode_page(argp);
+       }
+       argp->p += XDR_QUADLEN(len);
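Review bot: nfsd4_decode_write() now relies on next_decode_page() to keep `argp->end` and `argp->pagelen` consistent, but the helper dereferences `argp->pagelist[0]` unconditionally and the write path subtracts `pages * PAGE_SIZE` from `argp->pagelen` just before the call; whether a page is guaranteed to remain, and whether that subtraction can wrap, is decided by a length check that is not in the hunk. Since these lengths come from the client's request, the precondition deserves to be written on the helper, e.g. `/* caller must have verified that at least one more page of argument data remains */`. Note also that `XDR_QUADLEN(argp->pagelen)` rounds up where the old `>>2` rounded down, so for a pagelen that is not a multiple of 4 `argp->end` lands up to three bytes past the data; confirm pagelen is always word-aligned at this point.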
diff --git a/queue-4.4/perf-core-fix-group-cpu-task-validation.patch b/queue-4.4/perf-core-fix-group-cpu-task-validation.patch
new file mode 100644 (file)
index 0000000..3853683
--- /dev/null
@@ -0,0 +1,182 @@
+From 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 22 Jun 2017 15:41:38 +0100
+Subject: perf/core: Fix group {cpu,task} validation
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream.
+
+Regardless of which events form a group, it does not make sense for the
+events to target different tasks and/or CPUs, as this leaves the group
+inconsistent and impossible to schedule. The core perf code assumes that
+these are consistent across (successfully intialised) groups.
+
+Core perf code only verifies this when moving SW events into a HW
+context. Thus, we can violate this requirement for pure SW groups and
+pure HW groups, unless the relevant PMU driver happens to perform this
+verification itself. These mismatched groups subsequently wreak havoc
+elsewhere.
+
+For example, we handle watchpoints as SW events, and reserve watchpoint
+HW on a per-CPU basis at pmu::event_init() time to ensure that any event
+that is initialised is guaranteed to have a slot at pmu::add() time.
+However, the core code only checks the group leader's cpu filter (via
+event_filter_match()), and can thus install follower events onto CPUs
+violating thier (mismatched) CPU filters, potentially installing them
+into a CPU without sufficient reserved slots.
+
+This can be triggered with the below test case, resulting in warnings
+from arch backends.
+
+  #define _GNU_SOURCE
+  #include <linux/hw_breakpoint.h>
+  #include <linux/perf_event.h>
+  #include <sched.h>
+  #include <stdio.h>
+  #include <sys/prctl.h>
+  #include <sys/syscall.h>
+  #include <unistd.h>
+
+  static int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu,
+                          int group_fd, unsigned long flags)
+  {
+       return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags);
+  }
+
+  char watched_char;
+
+  struct perf_event_attr wp_attr = {
+       .type = PERF_TYPE_BREAKPOINT,
+       .bp_type = HW_BREAKPOINT_RW,
+       .bp_addr = (unsigned long)&watched_char,
+       .bp_len = 1,
+       .size = sizeof(wp_attr),
+  };
+
+  int main(int argc, char *argv[])
+  {
+       int leader, ret;
+       cpu_set_t cpus;
+
+       /*
+        * Force use of CPU0 to ensure our CPU0-bound events get scheduled.
+        */
+       CPU_ZERO(&cpus);
+       CPU_SET(0, &cpus);
+       ret = sched_setaffinity(0, sizeof(cpus), &cpus);
+       if (ret) {
+               printf("Unable to set cpu affinity\n");
+               return 1;
+       }
+
+       /* open leader event, bound to this task, CPU0 only */
+       leader = perf_event_open(&wp_attr, 0, 0, -1, 0);
+       if (leader < 0) {
+               printf("Couldn't open leader: %d\n", leader);
+               return 1;
+       }
+
+       /*
+        * Open a follower event that is bound to the same task, but a
+        * different CPU. This means that the group should never be possible to
+        * schedule.
+        */
+       ret = perf_event_open(&wp_attr, 0, 1, leader, 0);
+       if (ret < 0) {
+               printf("Couldn't open mismatched follower: %d\n", ret);
+               return 1;
+       } else {
+               printf("Opened leader/follower with mismastched CPUs\n");
+       }
+
+       /*
+        * Open as many independent events as we can, all bound to the same
+        * task, CPU0 only.
+        */
+       do {
+               ret = perf_event_open(&wp_attr, 0, 0, -1, 0);
+       } while (ret >= 0);
+
+       /*
+        * Force enable/disble all events to trigger the erronoeous
+        * installation of the follower event.
+        */
+       printf("Opened all events. Toggling..\n");
+       for (;;) {
+               prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0);
+               prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0);
+       }
+
+       return 0;
+  }
+
+Fix this by validating this requirement regardless of whether we're
+moving events.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Zhou Chengming <zhouchengming1@huawei.com>
+Link: http://lkml.kernel.org/r/1498142498-15758-1-git-send-email-mark.rutland@arm.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/events/core.c |   39 +++++++++++++++++++--------------------
+ 1 file changed, 19 insertions(+), 20 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8473,28 +8473,27 @@ SYSCALL_DEFINE5(perf_event_open,
+                       goto err_context;
+               /*
+-               * Do not allow to attach to a group in a different
+-               * task or CPU context:
++               * Make sure we're both events for the same CPU;
++               * grouping events for different CPUs is broken; since
++               * you can never concurrently schedule them anyhow.
+                */
+-              if (move_group) {
+-                      /*
+-                       * Make sure we're both on the same task, or both
+-                       * per-cpu events.
+-                       */
+-                      if (group_leader->ctx->task != ctx->task)
+-                              goto err_context;
++              if (group_leader->cpu != event->cpu)
++                      goto err_context;
++
++              /*
++               * Make sure we're both on the same task, or both
++               * per-CPU events.
++               */
++              if (group_leader->ctx->task != ctx->task)
++                      goto err_context;
+-                      /*
+-                       * Make sure we're both events for the same CPU;
+-                       * grouping events for different CPUs is broken; since
+-                       * you can never concurrently schedule them anyhow.
+-                       */
+-                      if (group_leader->cpu != event->cpu)
+-                              goto err_context;
+-              } else {
+-                      if (group_leader->ctx != ctx)
+-                              goto err_context;
+-              }
++              /*
++               * Do not allow to attach to a group in a different task
++               * or CPU context. If we're moving SW events, we'll fix
++               * this up later, so allow that.
++               */
++              if (!move_group && group_leader->ctx != ctx)
++                      goto err_context;
+               /*
+                * Only a group leader can be exclusive or pinned
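Review bot: The comment kept above the now-unconditional `group_leader->cpu != event->cpu` check gives only the scheduling argument, not the reason the check had to move out of the `move_group` branch. Per the commit message, core code consults only the group leader's CPU filter through event_filter_match(), so a follower opened with a different cpu would otherwise be installed on a CPU it was never validated for. I would add a line such as `* Only the leader's CPU filter is checked at install time, so reject mismatched followers here.` The last comment's "we'll fix this up later" would also be clearer if it named where the move happens. The perf_event_open syscall body begins and ends outside this hunk, so the error value returned through `err_context` is not visible here.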
index 3533c659664382a1fcf7324f4f1d97193b52f6bd..c45b0e48f7c36cc2c9d17249161248d52257bf6f 100644 (file)
@@ -19,3 +19,16 @@ input-elan_i2c-add-elan0602-acpi-id-to-support-lenovo-yoga310.patch
 alsa-core-fix-unexpected-error-at-replacing-user-tlv.patch
 alsa-hda-add-stereo-mic-quirk-for-lenovo-g50-70-17aa-3978.patch
 arcv2-pae40-explicitly-set-msb-counterpart-of-slc-region-ops-addresses.patch
+i2c-designware-fix-system-suspend.patch
+drm-release-driver-tracking-before-making-the-object-available-again.patch
+drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch
+drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch
+drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch
+drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch
+drm-rcar-du-fix-display-timing-controller-parameter.patch
+drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch
+tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch
+cifs-fix-df-output-for-users-with-quota-limits.patch
+cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch
+nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch
+perf-core-fix-group-cpu-task-validation.patch
diff --git a/queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch b/queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch
new file mode 100644 (file)
index 0000000..30bdd7c
--- /dev/null
@@ -0,0 +1,67 @@
+From 8b0db1a5bdfcee0dbfa89607672598ae203c9045 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 23 Aug 2017 12:46:27 -0400
+Subject: tracing: Fix freeing of filter in create_filter() when set_str is false
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 8b0db1a5bdfcee0dbfa89607672598ae203c9045 upstream.
+
+Performing the following task with kmemleak enabled:
+
+ # cd /sys/kernel/tracing/events/irq/irq_handler_entry/
+ # echo 'enable_event:kmem:kmalloc:3 if irq >' > trigger
+ # echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger
+ # echo scan > /sys/kernel/debug/kmemleak
+ # cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff8800b9290308 (size 32):
+  comm "bash", pid 1114, jiffies 4294848451 (age 141.139s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff81cef5aa>] kmemleak_alloc+0x4a/0xa0
+    [<ffffffff81357938>] kmem_cache_alloc_trace+0x158/0x290
+    [<ffffffff81261c09>] create_filter_start.constprop.28+0x99/0x940
+    [<ffffffff812639c9>] create_filter+0xa9/0x160
+    [<ffffffff81263bdc>] create_event_filter+0xc/0x10
+    [<ffffffff812655e5>] set_trigger_filter+0xe5/0x210
+    [<ffffffff812660c4>] event_enable_trigger_func+0x324/0x490
+    [<ffffffff812652e2>] event_trigger_write+0x1a2/0x260
+    [<ffffffff8138cf87>] __vfs_write+0xd7/0x380
+    [<ffffffff8138f421>] vfs_write+0x101/0x260
+    [<ffffffff8139187b>] SyS_write+0xab/0x130
+    [<ffffffff81cfd501>] entry_SYSCALL_64_fastpath+0x1f/0xbe
+    [<ffffffffffffffff>] 0xffffffffffffffff
+
+The function create_filter() is passed a 'filterp' pointer that gets
+allocated, and if "set_str" is true, it is up to the caller to free it, even
+on error. The problem is that the pointer is not freed by create_filter()
+when set_str is false. This is a bug, and it is not up to the caller to free
+the filter on error if it doesn't care about the string.
+
+Link: http://lkml.kernel.org/r/1502705898-27571-2-git-send-email-chuhu@redhat.com
+
+Fixes: 38b78eb85 ("tracing: Factorize filter creation")
+Reported-by: Chunyu Hu <chuhu@redhat.com>
+Tested-by: Chunyu Hu <chuhu@redhat.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace_events_filter.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1979,6 +1979,10 @@ static int create_filter(struct trace_ev
+               if (err && set_str)
+                       append_filter_err(ps, filter);
+       }
++      if (err && !set_str) {
++              free_event_filter(filter);
++              filter = NULL;
++      }
+       create_filter_finish(ps);
+       *filterp = filter;
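Review bot: The new `if (err && !set_str)` block encodes an ownership rule that is spelled out only in the commit message, so it deserves a comment at that spot. Something like `/* Without set_str the caller does not want the filter on error: free it here. With set_str the caller still owns and frees it. */` would help keep future callers from leaking or double-freeing the filter. Whether `filter` can be NULL at this point when the start step fails is not visible in the hunk, so it is worth confirming that free_event_filter() tolerates NULL. create_filter() starts and ends outside the hunk.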