From 1f6e151cf1101bbee064a439652806e61fecddfa Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 27 Aug 2017 14:37:07 +0200 Subject: [PATCH] 4.4-stable patches added patches: cifs-fix-df-output-for-users-with-quota-limits.patch cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch drm-rcar-du-fix-display-timing-controller-parameter.patch drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch drm-release-driver-tracking-before-making-the-object-available-again.patch i2c-designware-fix-system-suspend.patch nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch perf-core-fix-group-cpu-task-validation.patch tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch --- ...f-output-for-users-with-quota-limits.patch | 57 ++++++ ...rlong-names-in-cifs_open-cifs_lookup.patch | 88 +++++++++ ...c-check-fails-return-its-value-first.patch | 102 ++++++++++ ...-crash-in-encoder-failure-error-path.patch | 47 +++++ ...-display-timing-controller-parameter.patch | 35 ++++ ...v-sync-signal-polarity-configuration.patch | 35 ++++ ...-pll-frequency-related-configuration.patch | 37 ++++ ...ar-du-lvds-rename-pllen-bit-to-pllon.patch | 43 +++++ ...re-making-the-object-available-again.patch | 56 ++++++ .../i2c-designware-fix-system-suspend.patch | 92 +++++++++ ...-page-list-when-decoding-nfsv4-write.patch | 48 +++++ ...f-core-fix-group-cpu-task-validation.patch | 182 ++++++++++++++++++ queue-4.4/series | 13 ++ ...-create_filter-when-set_str-is-false.patch | 67 +++++++ 14 files changed, 902 insertions(+) create mode 100644 queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch create mode 100644 queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch create mode 100644 queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch create mode 100644 queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch create mode 100644 queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch create mode 100644 queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch create mode 100644 queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch create mode 100644 queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch create mode 100644 queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch create mode 100644 queue-4.4/i2c-designware-fix-system-suspend.patch create mode 100644 queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch create mode 100644 queue-4.4/perf-core-fix-group-cpu-task-validation.patch create mode 100644 queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch diff --git a/queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch b/queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch new file mode 100644 index 00000000000..e15d0b1f3d5 --- /dev/null +++ b/queue-4.4/cifs-fix-df-output-for-users-with-quota-limits.patch @@ -0,0 +1,57 @@ +From 42bec214d8bd432be6d32a1acb0a9079ecd4d142 Mon Sep 17 00:00:00 2001 +From: Sachin Prabhu +Date: Thu, 3 Aug 2017 13:09:03 +0530 +Subject: cifs: Fix df output for users with quota limits + +From: Sachin Prabhu + +commit 42bec214d8bd432be6d32a1acb0a9079ecd4d142 upstream. + +The df for a SMB2 share triggers a GetInfo call for +FS_FULL_SIZE_INFORMATION. The values returned are used to populate +struct statfs. + +The problem is that none of the information returned by the call +contains the total blocks available on the filesystem. Instead we use +the blocks available to the user ie. quota limitation when filling out +statfs.f_blocks. The information returned does contain Actual free units +on the filesystem and is used to populate statfs.f_bfree. For users with +quota enabled, it can lead to situations where the total free space +reported is more than the total blocks on the system ending up with df +reports like the following + + # df -h /mnt/a +Filesystem Size Used Avail Use% Mounted on +//192.168.22.10/a 2.5G -2.3G 2.5G - /mnt/a + +To fix this problem, we instead populate both statfs.f_bfree with the +same value as statfs.f_bavail ie. CallerAvailableAllocationUnits. This +is similar to what is done already in the code for cifs and df now +reports the quota information for the user used to mount the share. + + # df --si /mnt/a +Filesystem Size Used Avail Use% Mounted on +//192.168.22.10/a 2.7G 101M 2.6G 4% /mnt/a + +Signed-off-by: Sachin Prabhu +Signed-off-by: Pierguido Lambri +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2768,8 +2768,8 @@ copy_fs_info_to_kstatfs(struct smb2_fs_f + kst->f_bsize = le32_to_cpu(pfs_inf->BytesPerSector) * + le32_to_cpu(pfs_inf->SectorsPerAllocationUnit); + kst->f_blocks = le64_to_cpu(pfs_inf->TotalAllocationUnits); +- kst->f_bfree = le64_to_cpu(pfs_inf->ActualAvailableAllocationUnits); +- kst->f_bavail = le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits); ++ kst->f_bfree = kst->f_bavail = ++ le64_to_cpu(pfs_inf->CallerAvailableAllocationUnits); + return; + } + diff --git a/queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch b/queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch new file mode 100644 index 00000000000..238730895a0 --- /dev/null +++ b/queue-4.4/cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch @@ -0,0 +1,88 @@ +From d3edede29f74d335f81d95a4588f5f136a9f7dcf Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 23 Aug 2017 14:48:14 +1000 +Subject: cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup() + +From: Ronnie Sahlberg + +commit d3edede29f74d335f81d95a4588f5f136a9f7dcf upstream. + +Add checking for the path component length and verify it is <= the maximum +that the server advertizes via FileFsAttributeInformation. + +With this patch cifs.ko will now return ENAMETOOLONG instead of ENOENT +when users to access an overlong path. + +To test this, try to cd into a (non-existing) directory on a CIFS share +that has a too long name: +cd /mnt/aaaaaaaaaaaaaaa... + +and it now should show a good error message from the shell: +bash: cd: /mnt/aaaaaaaaaaaaaaaa...aaaaaa: File name too long + +rh bz 1153996 + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -183,15 +183,20 @@ cifs_bp_rename_retry: + } + + /* ++ * Don't allow path components longer than the server max. + * Don't allow the separator character in a path component. + * The VFS will not allow "/", but "\" is allowed by posix. + */ + static int +-check_name(struct dentry *direntry) ++check_name(struct dentry *direntry, struct cifs_tcon *tcon) + { + struct cifs_sb_info *cifs_sb = CIFS_SB(direntry->d_sb); + int i; + ++ if (unlikely(direntry->d_name.len > ++ tcon->fsAttrInfo.MaxPathNameComponentLength)) ++ return -ENAMETOOLONG; ++ + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS)) { + for (i = 0; i < direntry->d_name.len; i++) { + if (direntry->d_name.name[i] == '\\') { +@@ -489,10 +494,6 @@ cifs_atomic_open(struct inode *inode, st + return finish_no_open(file, res); + } + +- rc = check_name(direntry); +- if (rc) +- return rc; +- + xid = get_xid(); + + cifs_dbg(FYI, "parent inode = 0x%p name is: %pd and dentry = 0x%p\n", +@@ -505,6 +506,11 @@ cifs_atomic_open(struct inode *inode, st + } + + tcon = tlink_tcon(tlink); ++ ++ rc = check_name(direntry, tcon); ++ if (rc) ++ goto out_free_xid; ++ + server = tcon->ses->server; + + if (server->ops->new_lease_key) +@@ -765,7 +771,7 @@ cifs_lookup(struct inode *parent_dir_ino + } + pTcon = tlink_tcon(tlink); + +- rc = check_name(direntry); ++ rc = check_name(direntry, pTcon); + if (rc) + goto lookup_out; + diff --git a/queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch b/queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch new file mode 100644 index 00000000000..dba28cdbc82 --- /dev/null +++ b/queue-4.4/drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch @@ -0,0 +1,102 @@ +From a0ffc51e20e90e0c1c2491de2b4b03f48b6caaba Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Tue, 15 Aug 2017 11:57:06 +0200 +Subject: drm/atomic: If the atomic check fails, return its value first + +From: Maarten Lankhorst + +commit a0ffc51e20e90e0c1c2491de2b4b03f48b6caaba upstream. + +The last part of drm_atomic_check_only is testing whether we need to +fail with -EINVAL when modeset is not allowed, but forgets to return +the value when atomic_check() fails first. + +This results in -EDEADLK being replaced by -EINVAL, and the sanity +check in drm_modeset_drop_locks kicks in: + +[ 308.531734] ------------[ cut here ]------------ +[ 308.531791] WARNING: CPU: 0 PID: 1886 at drivers/gpu/drm/drm_modeset_lock.c:217 drm_modeset_drop_locks+0x33/0xc0 [drm] +[ 308.531828] Modules linked in: +[ 308.532050] CPU: 0 PID: 1886 Comm: kms_atomic Tainted: G U W 4.13.0-rc5-patser+ #5225 +[ 308.532082] Hardware name: NUC5i7RYB, BIOS RYBDWi35.86A.0246.2015.0309.1355 03/09/2015 +[ 308.532124] task: ffff8800cd9dae00 task.stack: ffff8800ca3b8000 +[ 308.532168] RIP: 0010:drm_modeset_drop_locks+0x33/0xc0 [drm] +[ 308.532189] RSP: 0018:ffff8800ca3bf980 EFLAGS: 00010282 +[ 308.532211] RAX: dffffc0000000000 RBX: ffff8800ca3bfaf8 RCX: 0000000013a171e6 +[ 308.532235] RDX: 1ffff10019477f69 RSI: ffffffffa8ba4fa0 RDI: ffff8800ca3bfb48 +[ 308.532258] RBP: ffff8800ca3bf998 R08: 0000000000000000 R09: 0000000000000003 +[ 308.532281] R10: 0000000079dbe066 R11: 00000000f760b34b R12: 0000000000000001 +[ 308.532304] R13: dffffc0000000000 R14: 00000000ffffffea R15: ffff880096889680 +[ 308.532328] FS: 00007ff00959cec0(0000) GS:ffff8800d4e00000(0000) knlGS:0000000000000000 +[ 308.532359] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 308.532380] CR2: 0000000000000008 CR3: 00000000ca2e3000 CR4: 00000000003406f0 +[ 308.532402] Call Trace: +[ 308.532440] drm_mode_atomic_ioctl+0x19fa/0x1c00 [drm] +[ 308.532488] ? drm_atomic_set_property+0x1220/0x1220 [drm] +[ 308.532565] ? avc_has_extended_perms+0xc39/0xff0 +[ 308.532593] ? lock_downgrade+0x610/0x610 +[ 308.532640] ? drm_atomic_set_property+0x1220/0x1220 [drm] +[ 308.532680] drm_ioctl_kernel+0x154/0x1a0 [drm] +[ 308.532755] drm_ioctl+0x624/0x8f0 [drm] +[ 308.532858] ? drm_atomic_set_property+0x1220/0x1220 [drm] +[ 308.532976] ? drm_getunique+0x210/0x210 [drm] +[ 308.533061] do_vfs_ioctl+0xd92/0xe40 +[ 308.533121] ? ioctl_preallocate+0x1b0/0x1b0 +[ 308.533160] ? selinux_capable+0x20/0x20 +[ 308.533191] ? do_fcntl+0x1b1/0xbf0 +[ 308.533219] ? kasan_slab_free+0xa2/0xb0 +[ 308.533249] ? f_getown+0x4b/0xa0 +[ 308.533278] ? putname+0xcf/0xe0 +[ 308.533309] ? security_file_ioctl+0x57/0x90 +[ 308.533342] SyS_ioctl+0x4e/0x80 +[ 308.533374] entry_SYSCALL_64_fastpath+0x18/0xad +[ 308.533405] RIP: 0033:0x7ff00779e4d7 +[ 308.533431] RSP: 002b:00007fff66a043d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 308.533481] RAX: ffffffffffffffda RBX: 000000e7c7ca5910 RCX: 00007ff00779e4d7 +[ 308.533560] RDX: 00007fff66a04430 RSI: 00000000c03864bc RDI: 0000000000000003 +[ 308.533608] RBP: 00007ff007a5fb00 R08: 000000e7c7ca4620 R09: 000000e7c7ca5e60 +[ 308.533647] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000070 +[ 308.533685] R13: 0000000000000000 R14: 0000000000000000 R15: 000000e7c7ca5930 +[ 308.533770] Code: ff df 55 48 89 e5 41 55 41 54 53 48 89 fb 48 83 c7 +50 48 89 fa 48 c1 ea 03 80 3c 02 00 74 05 e8 94 d4 16 e7 48 83 7b 50 00 +74 02 <0f> ff 4c 8d 6b 58 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 +[ 308.534086] ---[ end trace 77f11e53b1df44ad ]--- + +Solve this by adding the missing return. + +This is also a bugfix because we could end up rejecting updates with +-EINVAL because of a early -EDEADLK, while if atomic_check ran to +completion it might have downgraded the modeset to a fastset. + +Signed-off-by: Maarten Lankhorst +Testcase: kms_atomic +Link: https://patchwork.freedesktop.org/patch/msgid/20170815095706.23624-1-maarten.lankhorst@linux.intel.com +Fixes: d34f20d6e2f2 ("drm: Atomic modeset ioctl") +Reviewed-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_atomic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic.c ++++ b/drivers/gpu/drm/drm_atomic.c +@@ -1247,6 +1247,9 @@ int drm_atomic_check_only(struct drm_ato + if (config->funcs->atomic_check) + ret = config->funcs->atomic_check(state->dev, state); + ++ if (ret) ++ return ret; ++ + if (!state->allow_modeset) { + for_each_crtc_in_state(state, crtc, crtc_state, i) { + if (drm_atomic_crtc_needs_modeset(crtc_state)) { +@@ -1257,7 +1260,7 @@ int drm_atomic_check_only(struct drm_ato + } + } + +- return ret; ++ return 0; + } + EXPORT_SYMBOL(drm_atomic_check_only); + diff --git a/queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch b/queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch new file mode 100644 index 00000000000..032af6ad14e --- /dev/null +++ b/queue-4.4/drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch @@ -0,0 +1,47 @@ +From 05ee29e94acf0d4b3998c3f93374952de8f90176 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Mon, 3 Oct 2016 20:03:22 +0300 +Subject: drm: rcar-du: Fix crash in encoder failure error path + +From: Laurent Pinchart + +commit 05ee29e94acf0d4b3998c3f93374952de8f90176 upstream. + +When an encoder fails to initialize the driver prints an error message +to the kernel log. The message contains the name of the encoder's DT +node, which is NULL for internal encoders. Use the of_node_full_name() +macro to avoid dereferencing a NULL pointer, print the output number to +add more context to the error, and make sure we still own a reference to +the encoder's DT node by delaying the of_node_put() call. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Gustavo Padovan +Signed-off-by: Thong Ho +Signed-off-by: Nhan Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c +@@ -642,13 +642,13 @@ static int rcar_du_encoders_init_one(str + } + + ret = rcar_du_encoder_init(rcdu, enc_type, output, encoder, connector); +- of_node_put(encoder); +- of_node_put(connector); +- + if (ret && ret != -EPROBE_DEFER) + dev_warn(rcdu->dev, +- "failed to initialize encoder %s (%d), skipping\n", +- encoder->full_name, ret); ++ "failed to initialize encoder %s on output %u (%d), skipping\n", ++ of_node_full_name(encoder), output, ret); ++ ++ of_node_put(encoder); ++ of_node_put(connector); + + return ret; + } diff --git a/queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch b/queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch new file mode 100644 index 00000000000..12df6057428 --- /dev/null +++ b/queue-4.4/drm-rcar-du-fix-display-timing-controller-parameter.patch @@ -0,0 +1,35 @@ +From 9cdced8a39c04cf798ddb2a27cb5952f7d39f633 Mon Sep 17 00:00:00 2001 +From: Koji Matsuoka +Date: Mon, 18 Apr 2016 16:31:30 +0900 +Subject: drm: rcar-du: Fix display timing controller parameter + +From: Koji Matsuoka + +commit 9cdced8a39c04cf798ddb2a27cb5952f7d39f633 upstream. + +There is a bug in the setting of the DES (Display Enable Signal) +register. This current setting occurs 1 dot left shift. The DES +register should be set minus one value about the specifying value +with H/W specification. This patch corrects it. + +Signed-off-by: Koji Matsuoka +Signed-off-by: Laurent Pinchart +Signed-off-by: Thong Ho +Signed-off-by: Nhan Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +@@ -171,7 +171,7 @@ static void rcar_du_crtc_set_display_tim + mode->crtc_vsync_start - 1); + rcar_du_crtc_write(rcrtc, VCR, mode->crtc_vtotal - 1); + +- rcar_du_crtc_write(rcrtc, DESR, mode->htotal - mode->hsync_start); ++ rcar_du_crtc_write(rcrtc, DESR, mode->htotal - mode->hsync_start - 1); + rcar_du_crtc_write(rcrtc, DEWR, mode->hdisplay); + } + diff --git a/queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch b/queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch new file mode 100644 index 00000000000..d17c6bfae6e --- /dev/null +++ b/queue-4.4/drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch @@ -0,0 +1,35 @@ +From fd1adef3bff0663c5ac31b45bc4a05fafd43d19b Mon Sep 17 00:00:00 2001 +From: Koji Matsuoka +Date: Mon, 16 May 2016 11:28:15 +0900 +Subject: drm: rcar-du: Fix H/V sync signal polarity configuration + +From: Koji Matsuoka + +commit fd1adef3bff0663c5ac31b45bc4a05fafd43d19b upstream. + +The VSL and HSL bits in the DSMR register set the corresponding +horizontal and vertical sync signal polarity to active high. The code +got it the wrong way around, fix it. + +Signed-off-by: Koji Matsuoka +Signed-off-by: Laurent Pinchart +Signed-off-by: Thong Ho +Signed-off-by: Nhan Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c +@@ -148,8 +148,8 @@ static void rcar_du_crtc_set_display_tim + rcar_du_group_write(rcrtc->group, rcrtc->index % 2 ? OTAR2 : OTAR, 0); + + /* Signal polarities */ +- value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? 0 : DSMR_VSL) +- | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? 0 : DSMR_HSL) ++ value = ((mode->flags & DRM_MODE_FLAG_PVSYNC) ? DSMR_VSL : 0) ++ | ((mode->flags & DRM_MODE_FLAG_PHSYNC) ? DSMR_HSL : 0) + | DSMR_DIPM_DE | DSMR_CSPM; + rcar_du_crtc_write(rcrtc, DSMR, value); + diff --git a/queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch b/queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch new file mode 100644 index 00000000000..fc8f9b1f2e2 --- /dev/null +++ b/queue-4.4/drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch @@ -0,0 +1,37 @@ +From 5e1ac3bdc6bbb4f378251b87625b8acfbfc4ae82 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Mon, 7 Sep 2015 16:03:25 +0300 +Subject: drm: rcar-du: lvds: Fix PLL frequency-related configuration + +From: Laurent Pinchart + +commit 5e1ac3bdc6bbb4f378251b87625b8acfbfc4ae82 upstream. + +The frequency checks don't match the datasheet, fix them. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Thong Ho +Signed-off-by: Nhan Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -56,11 +56,11 @@ static int rcar_du_lvdsenc_start(struct + return ret; + + /* PLL clock configuration */ +- if (freq <= 38000) ++ if (freq < 39000) + pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_38M; +- else if (freq <= 60000) ++ else if (freq < 61000) + pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_60M; +- else if (freq <= 121000) ++ else if (freq < 121000) + pllcr = LVDPLLCR_CEEN | LVDPLLCR_COSEL | LVDPLLCR_PLLDLYCNT_121M; + else + pllcr = LVDPLLCR_PLLDLYCNT_150M; diff --git a/queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch b/queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch new file mode 100644 index 00000000000..bbd1618f7c7 --- /dev/null +++ b/queue-4.4/drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch @@ -0,0 +1,43 @@ +From 82e7c5e4964545352accff4b44bbcaa2c38e7fc1 Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Mon, 7 Sep 2015 15:28:17 +0300 +Subject: drm: rcar-du: lvds: Rename PLLEN bit to PLLON + +From: Laurent Pinchart + +commit 82e7c5e4964545352accff4b44bbcaa2c38e7fc1 upstream. + +The bit is named PLLON in the datasheet, rename it. + +Signed-off-by: Laurent Pinchart +Signed-off-by: Thong Ho +Signed-off-by: Nhan Nguyen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 2 +- + drivers/gpu/drm/rcar-du/rcar_lvds_regs.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -102,7 +102,7 @@ static int rcar_du_lvdsenc_start(struct + /* Turn the PLL on, wait for the startup delay, and turn the output + * on. + */ +- lvdcr0 |= LVDCR0_PLLEN; ++ lvdcr0 |= LVDCR0_PLLON; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + + usleep_range(100, 150); +--- a/drivers/gpu/drm/rcar-du/rcar_lvds_regs.h ++++ b/drivers/gpu/drm/rcar-du/rcar_lvds_regs.h +@@ -18,7 +18,7 @@ + #define LVDCR0_DMD (1 << 12) + #define LVDCR0_LVMD_MASK (0xf << 8) + #define LVDCR0_LVMD_SHIFT 8 +-#define LVDCR0_PLLEN (1 << 4) ++#define LVDCR0_PLLON (1 << 4) + #define LVDCR0_BEN (1 << 2) + #define LVDCR0_LVEN (1 << 1) + #define LVDCR0_LVRES (1 << 0) diff --git a/queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch b/queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch new file mode 100644 index 00000000000..887cd629179 --- /dev/null +++ b/queue-4.4/drm-release-driver-tracking-before-making-the-object-available-again.patch @@ -0,0 +1,56 @@ +From fe4600a548f2763dec91b3b27a1245c370ceee2a Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sat, 19 Aug 2017 13:05:58 +0100 +Subject: drm: Release driver tracking before making the object available again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit fe4600a548f2763dec91b3b27a1245c370ceee2a upstream. + +This is the same bug as we fixed in commit f6cd7daecff5 ("drm: Release +driver references to handle before making it available again"), but now +the exposure is via the PRIME lookup tables. If we remove the +object/handle from the PRIME lut, then a new request for the same +object/fd will generate a new handle, thus for a short window that +object is known to userspace by two different handles. Fix this by +releasing the driver tracking before PRIME. + +Fixes: 0ff926c7d4f0 ("drm/prime: add exported buffers to current fprivs +imported buffer list (v2)") +Signed-off-by: Chris Wilson +Cc: David Airlie +Cc: Daniel Vetter +Cc: Rob Clark +Cc: Ville Syrjälä +Cc: Thierry Reding +Reviewed-by: Daniel Vetter +Signed-off-by: Joonas Lahtinen +Link: https://patchwork.freedesktop.org/patch/msgid/20170819120558.6465-1-chris@chris-wilson.co.uk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_gem.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -715,13 +715,13 @@ drm_gem_object_release_handle(int id, vo + struct drm_gem_object *obj = ptr; + struct drm_device *dev = obj->dev; + ++ if (dev->driver->gem_close_object) ++ dev->driver->gem_close_object(obj, file_priv); ++ + if (drm_core_check_feature(dev, DRIVER_PRIME)) + drm_gem_remove_prime_handles(obj, file_priv); + drm_vma_node_revoke(&obj->vma_node, file_priv->filp); + +- if (dev->driver->gem_close_object) +- dev->driver->gem_close_object(obj, file_priv); +- + drm_gem_object_handle_unreference_unlocked(obj); + + return 0; diff --git a/queue-4.4/i2c-designware-fix-system-suspend.patch b/queue-4.4/i2c-designware-fix-system-suspend.patch new file mode 100644 index 00000000000..bde4676d320 --- /dev/null +++ b/queue-4.4/i2c-designware-fix-system-suspend.patch @@ -0,0 +1,92 @@ +From a23318feeff662c8d25d21623daebdd2e55ec221 Mon Sep 17 00:00:00 2001 +From: Ulf Hansson +Date: Wed, 9 Aug 2017 15:28:22 +0200 +Subject: i2c: designware: Fix system suspend + +From: Ulf Hansson + +commit a23318feeff662c8d25d21623daebdd2e55ec221 upstream. + +The commit 8503ff166504 ("i2c: designware: Avoid unnecessary resuming +during system suspend"), may suggest to the PM core to try out the so +called direct_complete path for system sleep. In this path, the PM core +treats a runtime suspended device as it's already in a proper low power +state for system sleep, which makes it skip calling the system sleep +callbacks for the device, except for the ->prepare() and the ->complete() +callbacks. + +However, the PM core may unset the direct_complete flag for a parent +device, in case its child device are being system suspended before. In this +scenario, the PM core invokes the system sleep callbacks, no matter if the +device is runtime suspended or not. + +Particularly in cases of an existing i2c slave device, the above path is +triggered, which breaks the assumption that the i2c device is always +runtime resumed whenever the dw_i2c_plat_suspend() is being called. + +More precisely, dw_i2c_plat_suspend() calls clk_core_disable() and +clk_core_unprepare(), for an already disabled/unprepared clock, leading to +a splat in the log about clocks calls being wrongly balanced and breaking +system sleep. + +To still allow the direct_complete path in cases when it's possible, but +also to keep the fix simple, let's runtime resume the i2c device in the +->suspend() callback, before continuing to put the device into low power +state. + +Note, in cases when the i2c device is attached to the ACPI PM domain, this +problem doesn't occur, because ACPI's ->suspend() callback, assigned to +acpi_subsys_suspend(), already calls pm_runtime_resume() for the device. + +It should also be noted that this change does not fix commit 8503ff166504 +("i2c: designware: Avoid unnecessary resuming during system suspend"). +Because for the non-ACPI case, the system sleep support was already broken +prior that point. + +Signed-off-by: Ulf Hansson +Acked-by: Rafael J. Wysocki +Tested-by: John Stultz +Tested-by: Jarkko Nikula +Acked-by: Jarkko Nikula +Reviewed-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-designware-platdrv.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-designware-platdrv.c ++++ b/drivers/i2c/busses/i2c-designware-platdrv.c +@@ -294,7 +294,7 @@ static void dw_i2c_plat_complete(struct + #endif + + #ifdef CONFIG_PM +-static int dw_i2c_plat_suspend(struct device *dev) ++static int dw_i2c_plat_runtime_suspend(struct device *dev) + { + struct platform_device *pdev = to_platform_device(dev); + struct dw_i2c_dev *i_dev = platform_get_drvdata(pdev); +@@ -318,11 +318,21 @@ static int dw_i2c_plat_resume(struct dev + return 0; + } + ++#ifdef CONFIG_PM_SLEEP ++static int dw_i2c_plat_suspend(struct device *dev) ++{ ++ pm_runtime_resume(dev); ++ return dw_i2c_plat_runtime_suspend(dev); ++} ++#endif ++ + static const struct dev_pm_ops dw_i2c_dev_pm_ops = { + .prepare = dw_i2c_plat_prepare, + .complete = dw_i2c_plat_complete, + SET_SYSTEM_SLEEP_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume) +- SET_RUNTIME_PM_OPS(dw_i2c_plat_suspend, dw_i2c_plat_resume, NULL) ++ SET_RUNTIME_PM_OPS(dw_i2c_plat_runtime_suspend, ++ dw_i2c_plat_resume, ++ NULL) + }; + + #define DW_I2C_DEV_PMOPS (&dw_i2c_dev_pm_ops) diff --git a/queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch b/queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch new file mode 100644 index 00000000000..d7ecca3e559 --- /dev/null +++ b/queue-4.4/nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch @@ -0,0 +1,48 @@ +From fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 18 Aug 2017 11:12:19 -0400 +Subject: nfsd: Limit end of page list when decoding NFSv4 WRITE + +From: Chuck Lever + +commit fc788f64f1f3eb31e87d4f53bcf1ab76590d5838 upstream. + +When processing an NFSv4 WRITE operation, argp->end should never +point past the end of the data in the final page of the page list. +Otherwise, nfsd4_decode_compound can walk into uninitialized memory. + +More critical, nfsd4_decode_write is failing to increment argp->pagelen +when it increments argp->pagelist. This can cause later xdr decoders +to assume more data is available than really is, which can cause server +crashes on malformed requests. + +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -129,7 +129,7 @@ static void next_decode_page(struct nfsd + argp->p = page_address(argp->pagelist[0]); + argp->pagelist++; + if (argp->pagelen < PAGE_SIZE) { +- argp->end = argp->p + (argp->pagelen>>2); ++ argp->end = argp->p + XDR_QUADLEN(argp->pagelen); + argp->pagelen = 0; + } else { + argp->end = argp->p + (PAGE_SIZE>>2); +@@ -1246,9 +1246,7 @@ nfsd4_decode_write(struct nfsd4_compound + argp->pagelen -= pages * PAGE_SIZE; + len -= pages * PAGE_SIZE; + +- argp->p = (__be32 *)page_address(argp->pagelist[0]); +- argp->pagelist++; +- argp->end = argp->p + XDR_QUADLEN(PAGE_SIZE); ++ next_decode_page(argp); + } + argp->p += XDR_QUADLEN(len); + diff --git a/queue-4.4/perf-core-fix-group-cpu-task-validation.patch b/queue-4.4/perf-core-fix-group-cpu-task-validation.patch new file mode 100644 index 00000000000..3853683fb61 --- /dev/null +++ b/queue-4.4/perf-core-fix-group-cpu-task-validation.patch @@ -0,0 +1,182 @@ +From 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 22 Jun 2017 15:41:38 +0100 +Subject: perf/core: Fix group {cpu,task} validation + +From: Mark Rutland + +commit 64aee2a965cf2954a038b5522f11d2cd2f0f8f3e upstream. + +Regardless of which events form a group, it does not make sense for the +events to target different tasks and/or CPUs, as this leaves the group +inconsistent and impossible to schedule. The core perf code assumes that +these are consistent across (successfully intialised) groups. + +Core perf code only verifies this when moving SW events into a HW +context. Thus, we can violate this requirement for pure SW groups and +pure HW groups, unless the relevant PMU driver happens to perform this +verification itself. These mismatched groups subsequently wreak havoc +elsewhere. + +For example, we handle watchpoints as SW events, and reserve watchpoint +HW on a per-CPU basis at pmu::event_init() time to ensure that any event +that is initialised is guaranteed to have a slot at pmu::add() time. +However, the core code only checks the group leader's cpu filter (via +event_filter_match()), and can thus install follower events onto CPUs +violating thier (mismatched) CPU filters, potentially installing them +into a CPU without sufficient reserved slots. + +This can be triggered with the below test case, resulting in warnings +from arch backends. + + #define _GNU_SOURCE + #include + #include + #include + #include + #include + #include + #include + + static int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, + int group_fd, unsigned long flags) + { + return syscall(__NR_perf_event_open, attr, pid, cpu, group_fd, flags); + } + + char watched_char; + + struct perf_event_attr wp_attr = { + .type = PERF_TYPE_BREAKPOINT, + .bp_type = HW_BREAKPOINT_RW, + .bp_addr = (unsigned long)&watched_char, + .bp_len = 1, + .size = sizeof(wp_attr), + }; + + int main(int argc, char *argv[]) + { + int leader, ret; + cpu_set_t cpus; + + /* + * Force use of CPU0 to ensure our CPU0-bound events get scheduled. + */ + CPU_ZERO(&cpus); + CPU_SET(0, &cpus); + ret = sched_setaffinity(0, sizeof(cpus), &cpus); + if (ret) { + printf("Unable to set cpu affinity\n"); + return 1; + } + + /* open leader event, bound to this task, CPU0 only */ + leader = perf_event_open(&wp_attr, 0, 0, -1, 0); + if (leader < 0) { + printf("Couldn't open leader: %d\n", leader); + return 1; + } + + /* + * Open a follower event that is bound to the same task, but a + * different CPU. This means that the group should never be possible to + * schedule. + */ + ret = perf_event_open(&wp_attr, 0, 1, leader, 0); + if (ret < 0) { + printf("Couldn't open mismatched follower: %d\n", ret); + return 1; + } else { + printf("Opened leader/follower with mismastched CPUs\n"); + } + + /* + * Open as many independent events as we can, all bound to the same + * task, CPU0 only. + */ + do { + ret = perf_event_open(&wp_attr, 0, 0, -1, 0); + } while (ret >= 0); + + /* + * Force enable/disble all events to trigger the erronoeous + * installation of the follower event. + */ + printf("Opened all events. Toggling..\n"); + for (;;) { + prctl(PR_TASK_PERF_EVENTS_DISABLE, 0, 0, 0, 0); + prctl(PR_TASK_PERF_EVENTS_ENABLE, 0, 0, 0, 0); + } + + return 0; + } + +Fix this by validating this requirement regardless of whether we're +moving events. + +Signed-off-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Zhou Chengming +Link: http://lkml.kernel.org/r/1498142498-15758-1-git-send-email-mark.rutland@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 39 +++++++++++++++++++-------------------- + 1 file changed, 19 insertions(+), 20 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8473,28 +8473,27 @@ SYSCALL_DEFINE5(perf_event_open, + goto err_context; + + /* +- * Do not allow to attach to a group in a different +- * task or CPU context: ++ * Make sure we're both events for the same CPU; ++ * grouping events for different CPUs is broken; since ++ * you can never concurrently schedule them anyhow. + */ +- if (move_group) { +- /* +- * Make sure we're both on the same task, or both +- * per-cpu events. +- */ +- if (group_leader->ctx->task != ctx->task) +- goto err_context; ++ if (group_leader->cpu != event->cpu) ++ goto err_context; ++ ++ /* ++ * Make sure we're both on the same task, or both ++ * per-CPU events. ++ */ ++ if (group_leader->ctx->task != ctx->task) ++ goto err_context; + +- /* +- * Make sure we're both events for the same CPU; +- * grouping events for different CPUs is broken; since +- * you can never concurrently schedule them anyhow. +- */ +- if (group_leader->cpu != event->cpu) +- goto err_context; +- } else { +- if (group_leader->ctx != ctx) +- goto err_context; +- } ++ /* ++ * Do not allow to attach to a group in a different task ++ * or CPU context. If we're moving SW events, we'll fix ++ * this up later, so allow that. ++ */ ++ if (!move_group && group_leader->ctx != ctx) ++ goto err_context; + + /* + * Only a group leader can be exclusive or pinned diff --git a/queue-4.4/series b/queue-4.4/series index 3533c659664..c45b0e48f7c 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -19,3 +19,16 @@ input-elan_i2c-add-elan0602-acpi-id-to-support-lenovo-yoga310.patch alsa-core-fix-unexpected-error-at-replacing-user-tlv.patch alsa-hda-add-stereo-mic-quirk-for-lenovo-g50-70-17aa-3978.patch arcv2-pae40-explicitly-set-msb-counterpart-of-slc-region-ops-addresses.patch +i2c-designware-fix-system-suspend.patch +drm-release-driver-tracking-before-making-the-object-available-again.patch +drm-atomic-if-the-atomic-check-fails-return-its-value-first.patch +drm-rcar-du-lvds-fix-pll-frequency-related-configuration.patch +drm-rcar-du-lvds-rename-pllen-bit-to-pllon.patch +drm-rcar-du-fix-crash-in-encoder-failure-error-path.patch +drm-rcar-du-fix-display-timing-controller-parameter.patch +drm-rcar-du-fix-h-v-sync-signal-polarity-configuration.patch +tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch +cifs-fix-df-output-for-users-with-quota-limits.patch +cifs-return-enametoolong-for-overlong-names-in-cifs_open-cifs_lookup.patch +nfsd-limit-end-of-page-list-when-decoding-nfsv4-write.patch +perf-core-fix-group-cpu-task-validation.patch diff --git a/queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch b/queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch new file mode 100644 index 00000000000..30bdd7c23ad --- /dev/null +++ b/queue-4.4/tracing-fix-freeing-of-filter-in-create_filter-when-set_str-is-false.patch @@ -0,0 +1,67 @@ +From 8b0db1a5bdfcee0dbfa89607672598ae203c9045 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Wed, 23 Aug 2017 12:46:27 -0400 +Subject: tracing: Fix freeing of filter in create_filter() when set_str is false + +From: Steven Rostedt (VMware) + +commit 8b0db1a5bdfcee0dbfa89607672598ae203c9045 upstream. + +Performing the following task with kmemleak enabled: + + # cd /sys/kernel/tracing/events/irq/irq_handler_entry/ + # echo 'enable_event:kmem:kmalloc:3 if irq >' > trigger + # echo 'enable_event:kmem:kmalloc:3 if irq > 31' > trigger + # echo scan > /sys/kernel/debug/kmemleak + # cat /sys/kernel/debug/kmemleak +unreferenced object 0xffff8800b9290308 (size 32): + comm "bash", pid 1114, jiffies 4294848451 (age 141.139s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x4a/0xa0 + [] kmem_cache_alloc_trace+0x158/0x290 + [] create_filter_start.constprop.28+0x99/0x940 + [] create_filter+0xa9/0x160 + [] create_event_filter+0xc/0x10 + [] set_trigger_filter+0xe5/0x210 + [] event_enable_trigger_func+0x324/0x490 + [] event_trigger_write+0x1a2/0x260 + [] __vfs_write+0xd7/0x380 + [] vfs_write+0x101/0x260 + [] SyS_write+0xab/0x130 + [] entry_SYSCALL_64_fastpath+0x1f/0xbe + [] 0xffffffffffffffff + +The function create_filter() is passed a 'filterp' pointer that gets +allocated, and if "set_str" is true, it is up to the caller to free it, even +on error. The problem is that the pointer is not freed by create_filter() +when set_str is false. This is a bug, and it is not up to the caller to free +the filter on error if it doesn't care about the string. + +Link: http://lkml.kernel.org/r/1502705898-27571-2-git-send-email-chuhu@redhat.com + +Fixes: 38b78eb85 ("tracing: Factorize filter creation") +Reported-by: Chunyu Hu +Tested-by: Chunyu Hu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_filter.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -1979,6 +1979,10 @@ static int create_filter(struct trace_ev + if (err && set_str) + append_filter_err(ps, filter); + } ++ if (err && !set_str) { ++ free_event_filter(filter); ++ filter = NULL; ++ } + create_filter_finish(ps); + + *filterp = filter; -- 2.47.3