4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 24 Apr 2018 10:15:47 +0000 (12:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 24 Apr 2018 10:15:47 +0000 (12:15 +0200)
added patches:
cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
drm-vc4-fix-memory-leak-during-bo-teardown.patch
x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch

queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch [new file with mode: 0644]
queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch [new file with mode: 0644]
queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch [new file with mode: 0644]
queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch [new file with mode: 0644]

diff --git a/queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch b/queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
new file mode 100644 (file)
index 0000000..2b0102e
--- /dev/null
@@ -0,0 +1,74 @@
+From 1d0cffa674cfa7d185a302c8c6850fc50b893bed Mon Sep 17 00:00:00 2001
+From: Steve French <smfrench@gmail.com>
+Date: Fri, 20 Apr 2018 12:19:07 -0500
+Subject: cifs: do not allow creating sockets except with SMB1 posix exensions
+
+From: Steve French <smfrench@gmail.com>
+
+commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.
+
+RHBZ: 1453123
+
+Since at least the 3.10 kernel and likely a lot earlier we have
+not been able to create unix domain sockets in a cifs share
+when mounted using the SFU mount option (except when mounted
+with the cifs unix extensions to Samba e.g.)
+Trying to create a socket, for example using the af_unix command from
+xfstests will cause :
+BUG: unable to handle kernel NULL pointer dereference at 00000000
+00000040
+
+Since no one uses or depends on being able to create unix domains sockets
+on a cifs share the easiest fix to stop this vulnerability is to simply
+not allow creation of any other special files than char or block devices
+when sfu is used.
+
+Added update to Ronnie's patch to handle a tcon link leak, and
+to address a buf leak noticed by Gustavo and Colin.
+
+Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+CC:  Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Reported-by: Eryu Guan <eguan@redhat.com>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <smfrench@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/dir.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, stru
+               goto mknod_out;
+       }
++      if (!S_ISCHR(mode) && !S_ISBLK(mode))
++              goto mknod_out;
++
+       if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+               goto mknod_out;
+@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, stru
+       buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+       if (buf == NULL) {
+-              kfree(full_path);
+               rc = -ENOMEM;
+-              free_xid(xid);
+-              return rc;
++              goto mknod_out;
+       }
+       if (backup_cred(cifs_sb))
+@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, stru
+               pdev->minor = cpu_to_le64(MINOR(device_number));
+               rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+                                                       &bytes_written, iov, 1);
+-      } /* else if (S_ISFIFO) */
++      }
+       tcon->ses->server->ops->close(xid, tcon, &fid);
+       d_drop(direntry);
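Review bot: The new `S_ISCHR`/`S_ISBLK` guard in the first fs/cifs/dir.c hunk jumps to `mknod_out` without assigning `rc`, so what a rejected socket or FIFO returns depends on a value set outside the visible lines. Presumably `rc` still holds its initial error code at that point, but this should be confirmed, because a stale zero would report success for a node that was never created. A short comment would make the dependency visible, e.g. `/* SFU emulation only handles char and block devices; other types leave with the rc set above */`. The `buf == NULL` path in the second hunk likewise now relies on `mknod_out` to release `full_path`, the xid and the tcon link, and that label is outside the hunk, as are the start and end of cifs_mknod().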
diff --git a/queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch b/queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
new file mode 100644 (file)
index 0000000..2078339
--- /dev/null
@@ -0,0 +1,93 @@
+From 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Mon, 16 Apr 2018 18:53:09 +0300
+Subject: drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 upstream.
+
+LSPCON adapters in low-power state may ignore the first I2C write during
+TMDS output buffer enabling, resulting in a blank screen even with an
+otherwise enabled pipe. Fix this by reading back and validating the
+written value a few times.
+
+The problem was noticed on GLK machines with an onboard LSPCON adapter
+after entering/exiting DC5 power state. Doing an I2C read of the adapter
+ID as the first transaction - instead of the I2C write to enable the
+TMDS buffers - returns the correct value. Based on this we assume that
+the transaction itself is sent properly, it's only the adapter that is
+not ready for some reason to accept this first write after waking from
+low-power state. In my case the second I2C write attempt always
+succeeded.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105854
+Cc: Clinton Taylor <clinton.a.taylor@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180416155309.11100-1-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_dp_dual_mode_helper.c |   39 ++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_dual_mode_helper.c
++++ b/drivers/gpu/drm/drm_dp_dual_mode_helper.c
+@@ -322,19 +322,44 @@ int drm_dp_dual_mode_set_tmds_output(enu
+ {
+       uint8_t tmds_oen = enable ? 0 : DP_DUAL_MODE_TMDS_DISABLE;
+       ssize_t ret;
++      int retry;
+       if (type < DRM_DP_DUAL_MODE_TYPE2_DVI)
+               return 0;
+-      ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
+-                                   &tmds_oen, sizeof(tmds_oen));
+-      if (ret) {
+-              DRM_DEBUG_KMS("Failed to %s TMDS output buffers\n",
+-                            enable ? "enable" : "disable");
+-              return ret;
++      /*
++       * LSPCON adapters in low-power state may ignore the first write, so
++       * read back and verify the written value a few times.
++       */
++      for (retry = 0; retry < 3; retry++) {
++              uint8_t tmp;
++
++              ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
++                                           &tmds_oen, sizeof(tmds_oen));
++              if (ret) {
++                      DRM_DEBUG_KMS("Failed to %s TMDS output buffers (%d attempts)\n",
++                                    enable ? "enable" : "disable",
++                                    retry + 1);
++                      return ret;
++              }
++
++              ret = drm_dp_dual_mode_read(adapter, DP_DUAL_MODE_TMDS_OEN,
++                                          &tmp, sizeof(tmp));
++              if (ret) {
++                      DRM_DEBUG_KMS("I2C read failed during TMDS output buffer %s (%d attempts)\n",
++                                    enable ? "enabling" : "disabling",
++                                    retry + 1);
++                      return ret;
++              }
++
++              if (tmp == tmds_oen)
++                      return 0;
+       }
+-      return 0;
++      DRM_DEBUG_KMS("I2C write value mismatch during TMDS output buffer %s\n",
++                    enable ? "enabling" : "disabling");
++
++      return -EIO;
+ }
+ EXPORT_SYMBOL(drm_dp_dual_mode_set_tmds_output);
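Review bot: The loop in drm_dp_dual_mode_set_tmds_output() retries only when the read-back value differs; a failing drm_dp_dual_mode_write() or drm_dp_dual_mode_read() returns on the first attempt, so an adapter that rejects the transfer outright while waking up gets no second try. The commit message describes only the silently ignored write, so this may be intended, but the comment above the loop should say so, e.g. `/* Only a value mismatch is retried; an I2C transfer error is returned immediately. */`. The bound `3` would also read better as a named constant next to the other DP_DUAL_MODE definitions, so the retry budget is documented in one place.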
diff --git a/queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch b/queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch
new file mode 100644 (file)
index 0000000..dac2066
--- /dev/null
@@ -0,0 +1,54 @@
+From c0db1b677e1d584fab5d7ac76a32e1c0157542e0 Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman <daniel@quora.org>
+Date: Mon, 2 Apr 2018 15:10:35 +0800
+Subject: drm/vc4: Fix memory leak during BO teardown
+
+From: Daniel J Blueman <daniel@quora.org>
+
+commit c0db1b677e1d584fab5d7ac76a32e1c0157542e0 upstream.
+
+During BO teardown, an indirect list 'uniform_addr_offsets' wasn't being
+freed leading to leaking many 128B allocations. Fix the memory leak by
+releasing it at teardown time.
+
+Cc: stable@vger.kernel.org
+Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
+Signed-off-by: Daniel J Blueman <daniel@quora.org>
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Reviewed-by: Eric Anholt <eric@anholt.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20180402071035.25356-1-daniel@quora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vc4/vc4_bo.c               |    2 ++
+ drivers/gpu/drm/vc4/vc4_validate_shaders.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -80,6 +80,7 @@ static void vc4_bo_destroy(struct vc4_bo
+       struct vc4_dev *vc4 = to_vc4_dev(obj->dev);
+       if (bo->validated_shader) {
++              kfree(bo->validated_shader->uniform_addr_offsets);
+               kfree(bo->validated_shader->texture_samples);
+               kfree(bo->validated_shader);
+               bo->validated_shader = NULL;
+@@ -328,6 +329,7 @@ void vc4_free_object(struct drm_gem_obje
+       }
+       if (bo->validated_shader) {
++              kfree(bo->validated_shader->uniform_addr_offsets);
+               kfree(bo->validated_shader->texture_samples);
+               kfree(bo->validated_shader);
+               bo->validated_shader = NULL;
+--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
++++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+@@ -874,6 +874,7 @@ vc4_validate_shader(struct drm_gem_cma_o
+ fail:
+       kfree(validation_state.branch_targets);
+       if (validated_shader) {
++              kfree(validated_shader->uniform_addr_offsets);
+               kfree(validated_shader->texture_samples);
+               kfree(validated_shader);
+       }
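Review bot: The teardown of a validated shader is now written out three times, in vc4_bo_destroy(), vc4_free_object() and the `fail:` path of vc4_validate_shader(), and each copy has to list every member allocation by hand, which is the pattern that let `uniform_addr_offsets` go unfreed. A single helper that frees the member arrays and then the struct, called from all three sites, would keep the next added field from being missed. If shader BOs can be created repeatedly from user space (not visible here), the leak was also a slow kernel-memory exhaustion path, which would be worth a sentence in the changelog. All three functions continue outside their hunks.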
diff --git a/queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch b/queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
new file mode 100644 (file)
index 0000000..2fef168
--- /dev/null
@@ -0,0 +1,54 @@
+From d3878e164dcd3925a237a20e879432400e369172 Mon Sep 17 00:00:00 2001
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+Date: Fri, 13 Apr 2018 17:48:08 +0800
+Subject: x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+
+From: Xiaoming Gao <gxm.linux.kernel@gmail.com>
+
+commit d3878e164dcd3925a237a20e879432400e369172 upstream.
+
+The TSC calibration code uses HPET as reference. The conversion normalizes
+the delta of two HPET timestamps:
+
+    hpetref = ((tshpet1 - tshpet2) * HPET_PERIOD) / 1e6
+
+and then divides the normalized delta of the corresponding TSC timestamps
+by the result to calulate the TSC frequency.
+
+    tscfreq = ((tstsc1 - tstsc2 ) * 1e6) / hpetref
+
+This uses do_div() which takes an u32 as the divisor, which worked so far
+because the HPET frequency was low enough that 'hpetref' never exceeded
+32bit.
+
+On Skylake machines the HPET frequency increased so 'hpetref' can exceed
+32bit. do_div() truncates the divisor, which causes the calibration to
+fail.
+
+Use div64_u64() to avoid the problem.
+
+[ tglx: Fixes whitespace mangled patch and rewrote changelog ]
+
+Signed-off-by: Xiaoming Gao <newtongao@tencent.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Cc: peterz@infradead.org
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/38894564-4fc9-b8ec-353f-de702839e44e@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/tsc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -409,7 +409,7 @@ static unsigned long calc_hpet_ref(u64 d
+       hpet2 -= hpet1;
+       tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
+       do_div(tmp, 1000000);
+-      do_div(deltatsc, tmp);
++      deltatsc = div64_u64(deltatsc, tmp);
+       return (unsigned long) deltatsc;
+ }
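Review bot: `div64_u64(deltatsc, tmp)` in calc_hpet_ref() has no guard for `tmp == 0`, which the preceding `do_div(tmp, 1000000)` yields whenever the scaled HPET delta is below 1000000, for example when the two HPET reads are identical. Nothing in the visible lines rules that out, so a check such as `if (!tmp)` before the division, returning whatever value the callers treat as a failed calibration, would turn a divide fault during early boot into a clean fallback. The cast in `return (unsigned long) deltatsc;` still narrows the quotient on 32-bit builds; that is unchanged by this patch. The function begins outside the hunk.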