From 8911b979ab320349e0e3588590b61ac48b4d4fe2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 24 Apr 2018 12:15:47 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
drm-vc4-fix-memory-leak-during-bo-teardown.patch
x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
---
...ets-except-with-smb1-posix-exensions.patch | 74 +++++++++++++++
...buffer-enabling-from-low-power-state.patch | 93 +++++++++++++++++++
...4-fix-memory-leak-during-bo-teardown.patch | 54 +++++++++++
...nt-32bit-truncation-in-calc_hpet_ref.patch | 54 +++++++++++
4 files changed, 275 insertions(+)
create mode 100644 queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
create mode 100644 queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
create mode 100644 queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch
create mode 100644 queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
diff --git a/queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch b/queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
new file mode 100644
index 00000000000..2b0102e9874
--- /dev/null
+++ b/queue-4.9/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch
@@ -0,0 +1,74 @@
+From 1d0cffa674cfa7d185a302c8c6850fc50b893bed Mon Sep 17 00:00:00 2001
+From: Steve French
+Date: Fri, 20 Apr 2018 12:19:07 -0500
+Subject: cifs: do not allow creating sockets except with SMB1 posix exensions
+
+From: Steve French
+
+commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream.
+
+RHBZ: 1453123
+
+Since at least the 3.10 kernel and likely a lot earlier we have
+not been able to create unix domain sockets in a cifs share
+when mounted using the SFU mount option (except when mounted
+with the cifs unix extensions to Samba e.g.)
+Trying to create a socket, for example using the af_unix command from
+xfstests will cause :
+BUG: unable to handle kernel NULL pointer dereference at 00000000
+00000040
+
+Since no one uses or depends on being able to create unix domains sockets
+on a cifs share the easiest fix to stop this vulnerability is to simply
+not allow creation of any other special files than char or block devices
+when sfu is used.
+
+Added update to Ronnie's patch to handle a tcon link leak, and
+to address a buf leak noticed by Gustavo and Colin.
+
+Acked-by: Gustavo A. R. Silva
+CC: Colin Ian King
+Reviewed-by: Pavel Shilovsky
+Reported-by: Eryu Guan
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/dir.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -673,6 +673,9 @@ int cifs_mknod(struct inode *inode, stru
+ goto mknod_out;
+ }
+
++ if (!S_ISCHR(mode) && !S_ISBLK(mode))
++ goto mknod_out;
++
+ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL))
+ goto mknod_out;
+
+@@ -681,10 +684,8 @@ int cifs_mknod(struct inode *inode, stru
+
+ buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+ if (buf == NULL) {
+- kfree(full_path);
+ rc = -ENOMEM;
+- free_xid(xid);
+- return rc;
++ goto mknod_out;
+ }
+
+ if (backup_cred(cifs_sb))
+@@ -731,7 +732,7 @@ int cifs_mknod(struct inode *inode, stru
+ pdev->minor = cpu_to_le64(MINOR(device_number));
+ rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms,
+ &bytes_written, iov, 1);
+- } /* else if (S_ISFIFO) */
++ }
+ tcon->ses->server->ops->close(xid, tcon, &fid);
+ d_drop(direntry);
+
diff --git a/queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch b/queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
new file mode 100644
index 00000000000..2078339f052
--- /dev/null
+++ b/queue-4.9/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch
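Review bot: The new guard `if (!S_ISCHR(mode) && !S_ISBLK(mode)) goto mknod_out;` in the first fs/cifs/dir.c hunk returns whatever `rc` holds at that point, and neither its assignment nor the `mknod_out` label is visible here, so the errno a caller receives for a rejected socket or FIFO cannot be confirmed from the hunk. Since this check is the whole fix for a NULL dereference reachable through mknod on an SFU mount, I would add a comment above it such as `/* SFU emulation only handles char and block devices; reject sockets and FIFOs */` and confirm that `rc` is a permission-style error on this path. The second hunk now sends the `kmalloc` failure through `mknod_out` with `buf == NULL`, which is correct only if the label's cleanup tolerates a NULL `buf` and releases the tcon link; that should be checked against the 4.9 tree, because `cifs_mknod` starts and ends outside all three hunks.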
@@ -0,0 +1,93 @@
+From 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Mon, 16 Apr 2018 18:53:09 +0300
+Subject: drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak
+
+commit 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 upstream.
+
+LSPCON adapters in low-power state may ignore the first I2C write during
+TMDS output buffer enabling, resulting in a blank screen even with an
+otherwise enabled pipe. Fix this by reading back and validating the
+written value a few times.
+
+The problem was noticed on GLK machines with an onboard LSPCON adapter
+after entering/exiting DC5 power state. Doing an I2C read of the adapter
+ID as the first transaction - instead of the I2C write to enable the
+TMDS buffers - returns the correct value. Based on this we assume that
+the transaction itself is sent properly, it's only the adapter that is
+not ready for some reason to accept this first write after waking from
+low-power state. In my case the second I2C write attempt always
+succeeded.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105854
+Cc: Clinton Taylor
+Cc: Ville Syrjälä
+Cc: stable@vger.kernel.org
+Signed-off-by: Imre Deak
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/20180416155309.11100-1-imre.deak@intel.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_dp_dual_mode_helper.c | 39 ++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dp_dual_mode_helper.c
++++ b/drivers/gpu/drm/drm_dp_dual_mode_helper.c
+@@ -322,19 +322,44 @@ int drm_dp_dual_mode_set_tmds_output(enu
+ {
+ uint8_t tmds_oen = enable ? 0 : DP_DUAL_MODE_TMDS_DISABLE;
+ ssize_t ret;
++ int retry;
+
+ if (type < DRM_DP_DUAL_MODE_TYPE2_DVI)
+ return 0;
+
+- ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
+- &tmds_oen, sizeof(tmds_oen));
+- if (ret) {
+- DRM_DEBUG_KMS("Failed to %s TMDS output buffers\n",
+- enable ? "enable" : "disable");
+- return ret;
++ /*
++ * LSPCON adapters in low-power state may ignore the first write, so
++ * read back and verify the written value a few times.
++ */
++ for (retry = 0; retry < 3; retry++) {
++ uint8_t tmp;
++
++ ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN,
++ &tmds_oen, sizeof(tmds_oen));
++ if (ret) {
++ DRM_DEBUG_KMS("Failed to %s TMDS output buffers (%d attempts)\n",
++ enable ? "enable" : "disable",
++ retry + 1);
++ return ret;
++ }
++
++ ret = drm_dp_dual_mode_read(adapter, DP_DUAL_MODE_TMDS_OEN,
++ &tmp, sizeof(tmp));
++ if (ret) {
++ DRM_DEBUG_KMS("I2C read failed during TMDS output buffer %s (%d attempts)\n",
++ enable ? "enabling" : "disabling",
++ retry + 1);
++ return ret;
++ }
++
++ if (tmp == tmds_oen)
++ return 0;
+ }
+
+- return 0;
++ DRM_DEBUG_KMS("I2C write value mismatch during TMDS output buffer %s\n",
++ enable ? "enabling" : "disabling");
++
++ return -EIO;
+ }
+ EXPORT_SYMBOL(drm_dp_dual_mode_set_tmds_output);
+
diff --git a/queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch b/queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch
new file mode 100644
index 00000000000..dac2066c372
--- /dev/null
+++ b/queue-4.9/drm-vc4-fix-memory-leak-during-bo-teardown.patch
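Review bot: The retry bound in `for (retry = 0; retry < 3; retry++)` is a bare literal, and after a mismatching read-back the loop re-issues the write at once with no delay, so an adapter that needs time to wake gets three back-to-back attempts. The commit message reports that the second attempt always succeeded on the hardware tested, so this may be sufficient, but the bound would read better as a named constant whose comment records that observation. A failed write or read also returns immediately instead of retrying, which matches the stated failure mode (write accepted on the bus but ignored); it would help to say so in the loop comment, for example `/* bus errors are fatal; only a silent mismatch is retried */`. The final mismatch path reports `-EIO` with only a `DRM_DEBUG_KMS` message, so unless the callers (outside the hunk) log the error, a blank screen from this path is silent without KMS debugging enabled.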
@@ -0,0 +1,54 @@
+From c0db1b677e1d584fab5d7ac76a32e1c0157542e0 Mon Sep 17 00:00:00 2001
+From: Daniel J Blueman
+Date: Mon, 2 Apr 2018 15:10:35 +0800
+Subject: drm/vc4: Fix memory leak during BO teardown
+
+From: Daniel J Blueman
+
+commit c0db1b677e1d584fab5d7ac76a32e1c0157542e0 upstream.
+
+During BO teardown, an indirect list 'uniform_addr_offsets' wasn't being
+freed leading to leaking many 128B allocations. Fix the memory leak by
+releasing it at teardown time.
+
+Cc: stable@vger.kernel.org
+Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.")
+Signed-off-by: Daniel J Blueman
+Signed-off-by: Eric Anholt
+Reviewed-by: Eric Anholt
+Link: https://patchwork.freedesktop.org/patch/msgid/20180402071035.25356-1-daniel@quora.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 2 ++
+ drivers/gpu/drm/vc4/vc4_validate_shaders.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -80,6 +80,7 @@ static void vc4_bo_destroy(struct vc4_bo
+ struct vc4_dev *vc4 = to_vc4_dev(obj->dev);
+
+ if (bo->validated_shader) {
++ kfree(bo->validated_shader->uniform_addr_offsets);
+ kfree(bo->validated_shader->texture_samples);
+ kfree(bo->validated_shader);
+ bo->validated_shader = NULL;
+@@ -328,6 +329,7 @@ void vc4_free_object(struct drm_gem_obje
+ }
+
+ if (bo->validated_shader) {
++ kfree(bo->validated_shader->uniform_addr_offsets);
+ kfree(bo->validated_shader->texture_samples);
+ kfree(bo->validated_shader);
+ bo->validated_shader = NULL;
+--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c
++++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c
+@@ -874,6 +874,7 @@ vc4_validate_shader(struct drm_gem_cma_o
+ fail:
+ kfree(validation_state.branch_targets);
+ if (validated_shader) {
++ kfree(validated_shader->uniform_addr_offsets);
+ kfree(validated_shader->texture_samples);
+ kfree(validated_shader);
+ }
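Review bot: The same teardown sequence (free `uniform_addr_offsets`, free `texture_samples`, free the struct) is now written out three times, in `vc4_bo_destroy`, `vc4_free_object` and the `fail:` path of `vc4_validate_shader`. The leak fixed here looks like the result of a member being added without all three copies being updated. A single static helper that releases a validated shader together with its member arrays, called from the three sites, would stop the next heap-allocated member from leaking the same way; that matters because, per the commit message, each leaked object costs a 128B allocation on every BO teardown. All three enclosing functions start and end outside the hunks, so whether the struct has further heap-allocated members cannot be checked from here.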
diff --git a/queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch b/queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
new file mode 100644
index 00000000000..2fef168ffd5
--- /dev/null
+++ b/queue-4.9/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch
@@ -0,0 +1,54 @@
+From d3878e164dcd3925a237a20e879432400e369172 Mon Sep 17 00:00:00 2001
+From: Xiaoming Gao
+Date: Fri, 13 Apr 2018 17:48:08 +0800
+Subject: x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
+
+From: Xiaoming Gao
+
+commit d3878e164dcd3925a237a20e879432400e369172 upstream.
+
+The TSC calibration code uses HPET as reference. The conversion normalizes
+the delta of two HPET timestamps:
+
+ hpetref = ((tshpet1 - tshpet2) * HPET_PERIOD) / 1e6
+
+and then divides the normalized delta of the corresponding TSC timestamps
+by the result to calulate the TSC frequency.
+
+ tscfreq = ((tstsc1 - tstsc2 ) * 1e6) / hpetref
+
+This uses do_div() which takes an u32 as the divisor, which worked so far
+because the HPET frequency was low enough that 'hpetref' never exceeded
+32bit.
+
+On Skylake machines the HPET frequency increased so 'hpetref' can exceed
+32bit. do_div() truncates the divisor, which causes the calibration to
+fail.
+
+Use div64_u64() to avoid the problem.
+
+[ tglx: Fixes whitespace mangled patch and rewrote changelog ]
+
+Signed-off-by: Xiaoming Gao
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Cc: peterz@infradead.org
+Cc: hpa@zytor.com
+Link: https://lkml.kernel.org/r/38894564-4fc9-b8ec-353f-de702839e44e@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/tsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -409,7 +409,7 @@ static unsigned long calc_hpet_ref(u64 d
+ hpet2 -= hpet1;
+ tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD));
+ do_div(tmp, 1000000);
+- do_div(deltatsc, tmp);
++ deltatsc = div64_u64(deltatsc, tmp);
+
+ return (unsigned long) deltatsc;
+ }
--
2.47.3
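Review bot: `deltatsc = div64_u64(deltatsc, tmp);` still divides by `tmp` with no zero check, and `tmp` comes from `do_div(tmp, 1000000)` on the line above, so it is zero whenever the scaled HPET delta is below 1000000 (for instance two identical HPET reads). The replaced `do_div()` had the same exposure, so this is not a regression, but the widening is a natural place to add the guard: test `tmp` before the division and return whatever value the calibration callers treat as failure, which is defined outside the hunk. A one-line comment above the division, such as `/* tmp can exceed 32 bits on fast HPETs; do_div() would truncate the divisor */`, would also stop a later cleanup from reverting to `do_div()`. The start of `calc_hpet_ref` is outside the hunk, so any earlier validation of `hpet1`/`hpet2` is not visible here.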