From e68a0861ccecab6ff2c6287a50b1cd6b89e109e1 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 24 Apr 2018 12:15:09 +0200 Subject: [PATCH] 4.16-stable patches added patches: btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch btrfs-fix-unaligned-access-in-readdir.patch cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch clocksource-imx-tpm-correct-etime-return-condition-check.patch drm-i915-audio-fix-audio-detection-issue-on-glk.patch drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch drm-i915-gvt-add-drm_format_mod-update.patch drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch drm-vc4-fix-memory-leak-during-bo-teardown.patch posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch --- ...-delayed-refs-and-blockgroup-removal.patch | 163 +++++++++++++++++ ...trfs-fix-unaligned-access-in-readdir.patch | 79 ++++++++ ...ets-except-with-smb1-posix-exensions.patch | 74 ++++++++ ...r-iov-length-on-sending-the-last-iov.patch | 35 ++++ ...correct-etime-return-condition-check.patch | 42 +++++ ...dio-fix-audio-detection-issue-on-glk.patch | 46 +++++ ...alid-ddc-pins-from-vbt-child-devices.patch | 172 ++++++++++++++++++ ...free-a-kmem_cache_alloc-return-value.patch | 40 ++++ ...buffer-enabling-from-low-power-state.patch | 93 ++++++++++ ...m-i915-gvt-add-drm_format_mod-update.patch | 31 ++++ ...throw-error-on-unhandled-vfio-ioctls.patch | 33 ++++ ...4-fix-memory-leak-during-bo-teardown.patch | 54 ++++++ ...rocess_cpu_timer-is-always-evaluated.patch | 59 ++++++ ...c-id-0xffffffff-from-being-accounted.patch | 48 +++++ ...nt-32bit-truncation-in-calc_hpet_ref.patch | 54 ++++++ 15 files changed, 1023 insertions(+) create mode 100644 queue-4.16/btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch create mode 100644 queue-4.16/btrfs-fix-unaligned-access-in-readdir.patch create mode 100644 queue-4.16/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch create mode 100644 queue-4.16/cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch create mode 100644 queue-4.16/clocksource-imx-tpm-correct-etime-return-condition-check.patch create mode 100644 queue-4.16/drm-i915-audio-fix-audio-detection-issue-on-glk.patch create mode 100644 queue-4.16/drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch create mode 100644 queue-4.16/drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch create mode 100644 queue-4.16/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch create mode 100644 queue-4.16/drm-i915-gvt-add-drm_format_mod-update.patch create mode 100644 queue-4.16/drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch create mode 100644 queue-4.16/drm-vc4-fix-memory-leak-during-bo-teardown.patch create mode 100644 queue-4.16/posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch create mode 100644 queue-4.16/x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch create mode 100644 queue-4.16/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch diff --git a/queue-4.16/btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch b/queue-4.16/btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch new file mode 100644 index 00000000000..81d9b7a919a --- /dev/null +++ b/queue-4.16/btrfs-fix-race-condition-between-delayed-refs-and-blockgroup-removal.patch @@ -0,0 +1,163 @@ +From 5e388e95815408c27f3612190d089afc0774b870 Mon Sep 17 00:00:00 2001 +From: Nikolay Borisov +Date: Wed, 18 Apr 2018 09:41:54 +0300 +Subject: btrfs: Fix race condition between delayed refs and blockgroup removal + +From: Nikolay Borisov + +commit 5e388e95815408c27f3612190d089afc0774b870 upstream. + +When the delayed refs for a head are all run, eventually +cleanup_ref_head is called which (in case of deletion) obtains a +reference for the relevant btrfs_space_info struct by querying the bg +for the range. This is problematic because when the last extent of a +bg is deleted a race window emerges between removal of that bg and the +subsequent invocation of cleanup_ref_head. This can result in cache being null +and either a null pointer dereference or assertion failure. + + task: ffff8d04d31ed080 task.stack: ffff9e5dc10cc000 + RIP: 0010:assfail.constprop.78+0x18/0x1a [btrfs] + RSP: 0018:ffff9e5dc10cfbe8 EFLAGS: 00010292 + RAX: 0000000000000044 RBX: 0000000000000000 RCX: 0000000000000000 + RDX: ffff8d04ffc1f868 RSI: ffff8d04ffc178c8 RDI: ffff8d04ffc178c8 + RBP: ffff8d04d29e5ea0 R08: 00000000000001f0 R09: 0000000000000001 + R10: ffff9e5dc0507d58 R11: 0000000000000001 R12: ffff8d04d29e5ea0 + R13: ffff8d04d29e5f08 R14: ffff8d04efe29b40 R15: ffff8d04efe203e0 + FS: 00007fbf58ead500(0000) GS:ffff8d04ffc00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fe6c6975648 CR3: 0000000013b2a000 CR4: 00000000000006f0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + __btrfs_run_delayed_refs+0x10e7/0x12c0 [btrfs] + btrfs_run_delayed_refs+0x68/0x250 [btrfs] + btrfs_should_end_transaction+0x42/0x60 [btrfs] + btrfs_truncate_inode_items+0xaac/0xfc0 [btrfs] + btrfs_evict_inode+0x4c6/0x5c0 [btrfs] + evict+0xc6/0x190 + do_unlinkat+0x19c/0x300 + do_syscall_64+0x74/0x140 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + RIP: 0033:0x7fbf589c57a7 + +To fix this, introduce a new flag "is_system" to head_ref structs, +which is populated at insertion time. This allows to decouple the +querying for the spaceinfo from querying the possibly deleted bg. + +Fixes: d7eae3403f46 ("Btrfs: rework delayed ref total_bytes_pinned accounting") +CC: stable@vger.kernel.org # 4.14+ +Suggested-by: Omar Sandoval +Signed-off-by: Nikolay Borisov +Reviewed-by: Omar Sandoval +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/delayed-ref.c | 19 ++++++++++++++----- + fs/btrfs/delayed-ref.h | 1 + + fs/btrfs/extent-tree.c | 16 +++++++++++----- + 3 files changed, 26 insertions(+), 10 deletions(-) + +--- a/fs/btrfs/delayed-ref.c ++++ b/fs/btrfs/delayed-ref.c +@@ -553,8 +553,10 @@ add_delayed_ref_head(struct btrfs_fs_inf + struct btrfs_delayed_ref_head *head_ref, + struct btrfs_qgroup_extent_record *qrecord, + u64 bytenr, u64 num_bytes, u64 ref_root, u64 reserved, +- int action, int is_data, int *qrecord_inserted_ret, ++ int action, int is_data, int is_system, ++ int *qrecord_inserted_ret, + int *old_ref_mod, int *new_ref_mod) ++ + { + struct btrfs_delayed_ref_head *existing; + struct btrfs_delayed_ref_root *delayed_refs; +@@ -598,6 +600,7 @@ add_delayed_ref_head(struct btrfs_fs_inf + head_ref->ref_mod = count_mod; + head_ref->must_insert_reserved = must_insert_reserved; + head_ref->is_data = is_data; ++ head_ref->is_system = is_system; + head_ref->ref_tree = RB_ROOT; + INIT_LIST_HEAD(&head_ref->ref_add_list); + RB_CLEAR_NODE(&head_ref->href_node); +@@ -785,6 +788,7 @@ int btrfs_add_delayed_tree_ref(struct bt + struct btrfs_delayed_ref_root *delayed_refs; + struct btrfs_qgroup_extent_record *record = NULL; + int qrecord_inserted; ++ int is_system = (ref_root == BTRFS_CHUNK_TREE_OBJECTID); + + BUG_ON(extent_op && extent_op->is_data); + ref = kmem_cache_alloc(btrfs_delayed_tree_ref_cachep, GFP_NOFS); +@@ -813,8 +817,8 @@ int btrfs_add_delayed_tree_ref(struct bt + */ + head_ref = add_delayed_ref_head(fs_info, trans, head_ref, record, + bytenr, num_bytes, 0, 0, action, 0, +- &qrecord_inserted, old_ref_mod, +- new_ref_mod); ++ is_system, &qrecord_inserted, ++ old_ref_mod, new_ref_mod); + + add_delayed_tree_ref(fs_info, trans, head_ref, &ref->node, bytenr, + num_bytes, parent, ref_root, level, action); +@@ -881,7 +885,7 @@ int btrfs_add_delayed_data_ref(struct bt + */ + head_ref = add_delayed_ref_head(fs_info, trans, head_ref, record, + bytenr, num_bytes, ref_root, reserved, +- action, 1, &qrecord_inserted, ++ action, 1, 0, &qrecord_inserted, + old_ref_mod, new_ref_mod); + + add_delayed_data_ref(fs_info, trans, head_ref, &ref->node, bytenr, +@@ -911,9 +915,14 @@ int btrfs_add_delayed_extent_op(struct b + delayed_refs = &trans->transaction->delayed_refs; + spin_lock(&delayed_refs->lock); + ++ /* ++ * extent_ops just modify the flags of an extent and they don't result ++ * in ref count changes, hence it's safe to pass false/0 for is_system ++ * argument ++ */ + add_delayed_ref_head(fs_info, trans, head_ref, NULL, bytenr, + num_bytes, 0, 0, BTRFS_UPDATE_DELAYED_HEAD, +- extent_op->is_data, NULL, NULL, NULL); ++ extent_op->is_data, 0, NULL, NULL, NULL); + + spin_unlock(&delayed_refs->lock); + return 0; +--- a/fs/btrfs/delayed-ref.h ++++ b/fs/btrfs/delayed-ref.h +@@ -139,6 +139,7 @@ struct btrfs_delayed_ref_head { + */ + unsigned int must_insert_reserved:1; + unsigned int is_data:1; ++ unsigned int is_system:1; + unsigned int processing:1; + }; + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -2615,13 +2615,19 @@ static int cleanup_ref_head(struct btrfs + trace_run_delayed_ref_head(fs_info, head, 0); + + if (head->total_ref_mod < 0) { +- struct btrfs_block_group_cache *cache; ++ struct btrfs_space_info *space_info; ++ u64 flags; + +- cache = btrfs_lookup_block_group(fs_info, head->bytenr); +- ASSERT(cache); +- percpu_counter_add(&cache->space_info->total_bytes_pinned, ++ if (head->is_data) ++ flags = BTRFS_BLOCK_GROUP_DATA; ++ else if (head->is_system) ++ flags = BTRFS_BLOCK_GROUP_SYSTEM; ++ else ++ flags = BTRFS_BLOCK_GROUP_METADATA; ++ space_info = __find_space_info(fs_info, flags); ++ ASSERT(space_info); ++ percpu_counter_add(&space_info->total_bytes_pinned, + -head->num_bytes); +- btrfs_put_block_group(cache); + + if (head->is_data) { + spin_lock(&delayed_refs->lock); diff --git a/queue-4.16/btrfs-fix-unaligned-access-in-readdir.patch b/queue-4.16/btrfs-fix-unaligned-access-in-readdir.patch new file mode 100644 index 00000000000..08bcb7aed32 --- /dev/null +++ b/queue-4.16/btrfs-fix-unaligned-access-in-readdir.patch @@ -0,0 +1,79 @@ +From 92d32170847bfff2dd08af2c016085779f2fd2a1 Mon Sep 17 00:00:00 2001 +From: David Sterba +Date: Mon, 16 Apr 2018 21:10:14 +0200 +Subject: btrfs: fix unaligned access in readdir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Sterba + +commit 92d32170847bfff2dd08af2c016085779f2fd2a1 upstream. + +The last update to readdir introduced a temporary buffer to store the +emitted readdir data, but as there are file names of variable length, +there's a lot of unaligned access. + +This was observed on a sparc64 machine: + + Kernel unaligned access at TPC[102f3080] btrfs_real_readdir+0x51c/0x718 [btrfs] + +Fixes: 23b5ec74943 ("btrfs: fix readdir deadlock with pagefault") +CC: stable@vger.kernel.org # 4.14+ +Reported-and-tested-by: René Rebe +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/inode.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + #include "ctree.h" + #include "disk-io.h" + #include "transaction.h" +@@ -5951,11 +5952,13 @@ static int btrfs_filldir(void *addr, int + struct dir_entry *entry = addr; + char *name = (char *)(entry + 1); + +- ctx->pos = entry->offset; +- if (!dir_emit(ctx, name, entry->name_len, entry->ino, +- entry->type)) ++ ctx->pos = get_unaligned(&entry->offset); ++ if (!dir_emit(ctx, name, get_unaligned(&entry->name_len), ++ get_unaligned(&entry->ino), ++ get_unaligned(&entry->type))) + return 1; +- addr += sizeof(struct dir_entry) + entry->name_len; ++ addr += sizeof(struct dir_entry) + ++ get_unaligned(&entry->name_len); + ctx->pos++; + } + return 0; +@@ -6045,14 +6048,15 @@ again: + } + + entry = addr; +- entry->name_len = name_len; ++ put_unaligned(name_len, &entry->name_len); + name_ptr = (char *)(entry + 1); + read_extent_buffer(leaf, name_ptr, (unsigned long)(di + 1), + name_len); +- entry->type = btrfs_filetype_table[btrfs_dir_type(leaf, di)]; ++ put_unaligned(btrfs_filetype_table[btrfs_dir_type(leaf, di)], ++ &entry->type); + btrfs_dir_item_key_to_cpu(leaf, di, &location); +- entry->ino = location.objectid; +- entry->offset = found_key.offset; ++ put_unaligned(location.objectid, &entry->ino); ++ put_unaligned(found_key.offset, &entry->offset); + entries++; + addr += sizeof(struct dir_entry) + name_len; + total_len += sizeof(struct dir_entry) + name_len; diff --git a/queue-4.16/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch b/queue-4.16/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch new file mode 100644 index 00000000000..89804db4058 --- /dev/null +++ b/queue-4.16/cifs-do-not-allow-creating-sockets-except-with-smb1-posix-exensions.patch @@ -0,0 +1,74 @@ +From 1d0cffa674cfa7d185a302c8c6850fc50b893bed Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 20 Apr 2018 12:19:07 -0500 +Subject: cifs: do not allow creating sockets except with SMB1 posix exensions + +From: Steve French + +commit 1d0cffa674cfa7d185a302c8c6850fc50b893bed upstream. + +RHBZ: 1453123 + +Since at least the 3.10 kernel and likely a lot earlier we have +not been able to create unix domain sockets in a cifs share +when mounted using the SFU mount option (except when mounted +with the cifs unix extensions to Samba e.g.) +Trying to create a socket, for example using the af_unix command from +xfstests will cause : +BUG: unable to handle kernel NULL pointer dereference at 00000000 +00000040 + +Since no one uses or depends on being able to create unix domains sockets +on a cifs share the easiest fix to stop this vulnerability is to simply +not allow creation of any other special files than char or block devices +when sfu is used. + +Added update to Ronnie's patch to handle a tcon link leak, and +to address a buf leak noticed by Gustavo and Colin. + +Acked-by: Gustavo A. R. Silva +CC: Colin Ian King +Reviewed-by: Pavel Shilovsky +Reported-by: Eryu Guan +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -684,6 +684,9 @@ int cifs_mknod(struct inode *inode, stru + goto mknod_out; + } + ++ if (!S_ISCHR(mode) && !S_ISBLK(mode)) ++ goto mknod_out; ++ + if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)) + goto mknod_out; + +@@ -692,10 +695,8 @@ int cifs_mknod(struct inode *inode, stru + + buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL); + if (buf == NULL) { +- kfree(full_path); + rc = -ENOMEM; +- free_xid(xid); +- return rc; ++ goto mknod_out; + } + + if (backup_cred(cifs_sb)) +@@ -742,7 +743,7 @@ int cifs_mknod(struct inode *inode, stru + pdev->minor = cpu_to_le64(MINOR(device_number)); + rc = tcon->ses->server->ops->sync_write(xid, &fid, &io_parms, + &bytes_written, iov, 1); +- } /* else if (S_ISFIFO) */ ++ } + tcon->ses->server->ops->close(xid, tcon, &fid); + d_drop(direntry); + diff --git a/queue-4.16/cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch b/queue-4.16/cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch new file mode 100644 index 00000000000..da66f08a725 --- /dev/null +++ b/queue-4.16/cifs-smbd-check-for-iov-length-on-sending-the-last-iov.patch @@ -0,0 +1,35 @@ +From ab60ee7bf9a84954f50a66a3d835860e80f99b7f Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Tue, 17 Apr 2018 12:17:05 -0700 +Subject: cifs: smbd: Check for iov length on sending the last iov + +From: Long Li + +commit ab60ee7bf9a84954f50a66a3d835860e80f99b7f upstream. + +When sending the last iov that breaks into smaller buffers to fit the +transfer size, it's necessary to check if this is the last iov. + +If this is the latest iov, stop and proceed to send pages. + +Signed-off-by: Long Li +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smbdirect.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -2194,6 +2194,8 @@ int smbd_send(struct smbd_connection *in + goto done; + } + i++; ++ if (i == rqst->rq_nvec) ++ break; + } + start = i; + buflen = 0; diff --git a/queue-4.16/clocksource-imx-tpm-correct-etime-return-condition-check.patch b/queue-4.16/clocksource-imx-tpm-correct-etime-return-condition-check.patch new file mode 100644 index 00000000000..9b31ec13f68 --- /dev/null +++ b/queue-4.16/clocksource-imx-tpm-correct-etime-return-condition-check.patch @@ -0,0 +1,42 @@ +From 7407188489c62a7b5694bc75a6db2b82af94c9a5 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Thu, 19 Apr 2018 14:04:43 +0800 +Subject: clocksource/imx-tpm: Correct -ETIME return condition check + +From: Anson Huang + +commit 7407188489c62a7b5694bc75a6db2b82af94c9a5 upstream. + +The additional brakects added to tpm_set_next_event's return value +computation causes (int) forced type conversion NOT taking effect, and the +incorrect value return will cause various system timer issue, like RCU +stall etc.. + +Remove the additional brackets to make sure tpm_set_next_event always +returns correct value. + +Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support") +Signed-off-by: Anson Huang +Signed-off-by: Thomas Gleixner +Acked-by: Dong Aisheng +Cc: stable@vger.kernel.org +Cc: daniel.lezcano@linaro.org +Cc: Linux-imx@nxp.com +Link: https://lkml.kernel.org/r/1524117883-2484-1-git-send-email-Anson.Huang@nxp.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/timer-imx-tpm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clocksource/timer-imx-tpm.c ++++ b/drivers/clocksource/timer-imx-tpm.c +@@ -105,7 +105,7 @@ static int tpm_set_next_event(unsigned l + * of writing CNT registers which may cause the min_delta event got + * missed, so we need add a ETIME check here in case it happened. + */ +- return (int)((next - now) <= 0) ? -ETIME : 0; ++ return (int)(next - now) <= 0 ? -ETIME : 0; + } + + static int tpm_set_state_oneshot(struct clock_event_device *evt) diff --git a/queue-4.16/drm-i915-audio-fix-audio-detection-issue-on-glk.patch b/queue-4.16/drm-i915-audio-fix-audio-detection-issue-on-glk.patch new file mode 100644 index 00000000000..609b5422979 --- /dev/null +++ b/queue-4.16/drm-i915-audio-fix-audio-detection-issue-on-glk.patch @@ -0,0 +1,46 @@ +From b4615730530be85fc45ab4631c2ad6d8e2d0b97d Mon Sep 17 00:00:00 2001 +From: Gaurav K Singh +Date: Tue, 17 Apr 2018 23:52:18 +0530 +Subject: drm/i915/audio: Fix audio detection issue on GLK + +From: Gaurav K Singh + +commit b4615730530be85fc45ab4631c2ad6d8e2d0b97d upstream. + +On Geminilake, sometimes audio card is not getting +detected after reboot. This is a spurious issue happening on +Geminilake. HW codec and HD audio controller link was going +out of sync for which there was a fix in i915 driver but +was not getting invoked for GLK. Extending this fix to GLK as well. + +Tested by Du,Wenkai on GLK board. + +Bspec: 21829 + +v2: Instead of checking GEN9_BC, BXT and GLK macros, use IS_GEN9 macro (Jani N) + +Cc: # b651bd2a3ae3 ("drm/i915/audio: Fix audio enumeration issue on BXT") +Cc: +Signed-off-by: Gaurav K Singh +Reviewed-by: Abhay Kumar +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/1523989338-29677-1-git-send-email-gaurav.k.singh@intel.com +(cherry picked from commit 8221229046e862977ae93ec9d34aa583fbd10397) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_audio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_audio.c ++++ b/drivers/gpu/drm/i915/intel_audio.c +@@ -729,7 +729,7 @@ static void i915_audio_component_codec_w + struct drm_i915_private *dev_priv = kdev_to_i915(kdev); + u32 tmp; + +- if (!IS_GEN9_BC(dev_priv)) ++ if (!IS_GEN9(dev_priv)) + return; + + i915_audio_component_get_power(kdev); diff --git a/queue-4.16/drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch b/queue-4.16/drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch new file mode 100644 index 00000000000..371b9538dce --- /dev/null +++ b/queue-4.16/drm-i915-bios-filter-out-invalid-ddc-pins-from-vbt-child-devices.patch @@ -0,0 +1,172 @@ +From a3520b8992e57bc94ab6ec9f95f09c6c932555fd Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Wed, 11 Apr 2018 16:15:18 +0300 +Subject: drm/i915/bios: filter out invalid DDC pins from VBT child devices + +From: Jani Nikula + +commit a3520b8992e57bc94ab6ec9f95f09c6c932555fd upstream. + +The VBT contains the DDC pin to use for specific ports. Alas, sometimes +the field appears to contain bogus data, and while we check for it later +on in intel_gmbus_get_adapter() we fail to check the returned NULL on +errors. Oops results. + +The simplest approach seems to be to catch and ignore the bogus DDC pins +already at the VBT parsing phase, reverting to fixed per port default +pins. This doesn't guarantee display working, but at least it prevents +the oops. And we continue to be fuzzed by VBT. + +One affected machine is Dell Latitude 5590 where a BIOS upgrade added +invalid DDC pins. + +Typical backtrace: + +[ 35.461411] WARN_ON(!intel_gmbus_is_valid_pin(dev_priv, pin)) +[ 35.461432] WARNING: CPU: 6 PID: 411 at drivers/gpu/drm/i915/intel_i2c.c:844 intel_gmbus_get_adapter+0x32/0x37 [i915] +[ 35.461437] Modules linked in: i915 ahci libahci dm_snapshot dm_bufio dm_raid raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx +[ 35.461445] CPU: 6 PID: 411 Comm: kworker/u16:2 Not tainted 4.16.0-rc7.x64-g1cda370ffded #1 +[ 35.461447] Hardware name: Dell Inc. Latitude 5590/0MM81M, BIOS 1.1.9 03/13/2018 +[ 35.461450] Workqueue: events_unbound async_run_entry_fn +[ 35.461465] RIP: 0010:intel_gmbus_get_adapter+0x32/0x37 [i915] +[ 35.461467] RSP: 0018:ffff9b4e43d47c40 EFLAGS: 00010286 +[ 35.461469] RAX: 0000000000000000 RBX: ffff98f90639f800 RCX: ffffffffae051960 +[ 35.461471] RDX: 0000000000000001 RSI: 0000000000000092 RDI: 0000000000000246 +[ 35.461472] RBP: ffff98f905410000 R08: 0000004d062a83f6 R09: 00000000000003bd +[ 35.461474] R10: 0000000000000031 R11: ffffffffad4eda58 R12: ffff98f905410000 +[ 35.461475] R13: ffff98f9064c1000 R14: ffff9b4e43d47cf0 R15: ffff98f905410000 +[ 35.461477] FS: 0000000000000000(0000) GS:ffff98f92e580000(0000) knlGS:0000000000000000 +[ 35.461479] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 35.461481] CR2: 00007f5682359008 CR3: 00000001b700c005 CR4: 00000000003606e0 +[ 35.461483] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 35.461484] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 35.461486] Call Trace: +[ 35.461501] intel_hdmi_set_edid+0x37/0x27f [i915] +[ 35.461515] intel_hdmi_detect+0x7c/0x97 [i915] +[ 35.461518] drm_helper_probe_single_connector_modes+0xe1/0x6c0 +[ 35.461521] drm_setup_crtcs+0x129/0xa6a +[ 35.461523] ? __switch_to_asm+0x34/0x70 +[ 35.461525] ? __switch_to_asm+0x34/0x70 +[ 35.461527] ? __switch_to_asm+0x40/0x70 +[ 35.461528] ? __switch_to_asm+0x34/0x70 +[ 35.461529] ? __switch_to_asm+0x40/0x70 +[ 35.461531] ? __switch_to_asm+0x34/0x70 +[ 35.461532] ? __switch_to_asm+0x40/0x70 +[ 35.461534] ? __switch_to_asm+0x34/0x70 +[ 35.461536] __drm_fb_helper_initial_config_and_unlock+0x34/0x46f +[ 35.461538] ? __switch_to_asm+0x40/0x70 +[ 35.461541] ? _cond_resched+0x10/0x33 +[ 35.461557] intel_fbdev_initial_config+0xf/0x1c [i915] +[ 35.461560] async_run_entry_fn+0x2e/0xf5 +[ 35.461563] process_one_work+0x15b/0x364 +[ 35.461565] worker_thread+0x2c/0x3a0 +[ 35.461567] ? process_one_work+0x364/0x364 +[ 35.461568] kthread+0x10c/0x122 +[ 35.461570] ? _kthread_create_on_node+0x5d/0x5d +[ 35.461572] ret_from_fork+0x35/0x40 +[ 35.461574] Code: 74 16 89 f6 48 8d 04 b6 48 c1 e0 05 48 29 f0 48 8d 84 c7 e8 11 00 00 c3 48 c7 c6 b0 19 1e c0 48 c7 c7 64 8a 1c c0 e8 47 88 ed ec <0f> 0b 31 c0 c3 8b 87 a4 04 00 00 80 e4 fc 09 c6 89 b7 a4 04 00 +[ 35.461604] WARNING: CPU: 6 PID: 411 at drivers/gpu/drm/i915/intel_i2c.c:844 intel_gmbus_get_adapter+0x32/0x37 [i915] +[ 35.461606] ---[ end trace 4fe1e63e2dd93373 ]--- +[ 35.461609] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 +[ 35.461613] IP: i2c_transfer+0x4/0x86 +[ 35.461614] PGD 0 P4D 0 +[ 35.461616] Oops: 0000 [#1] SMP PTI +[ 35.461618] Modules linked in: i915 ahci libahci dm_snapshot dm_bufio dm_raid raid456 async_raid6_recov async_pq raid6_pq async_xor xor async_memcpy async_tx +[ 35.461624] CPU: 6 PID: 411 Comm: kworker/u16:2 Tainted: G W 4.16.0-rc7.x64-g1cda370ffded #1 +[ 35.461625] Hardware name: Dell Inc. Latitude 5590/0MM81M, BIOS 1.1.9 03/13/2018 +[ 35.461628] Workqueue: events_unbound async_run_entry_fn +[ 35.461630] RIP: 0010:i2c_transfer+0x4/0x86 +[ 35.461631] RSP: 0018:ffff9b4e43d47b30 EFLAGS: 00010246 +[ 35.461633] RAX: ffff9b4e43d47b6e RBX: 0000000000000005 RCX: 0000000000000001 +[ 35.461635] RDX: 0000000000000002 RSI: ffff9b4e43d47b80 RDI: 0000000000000000 +[ 35.461636] RBP: ffff9b4e43d47bd8 R08: 0000004d062a83f6 R09: 00000000000003bd +[ 35.461638] R10: 0000000000000031 R11: ffffffffad4eda58 R12: 0000000000000002 +[ 35.461639] R13: 0000000000000001 R14: ffff9b4e43d47b6f R15: ffff9b4e43d47c07 +[ 35.461641] FS: 0000000000000000(0000) GS:ffff98f92e580000(0000) knlGS:0000000000000000 +[ 35.461643] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 35.461645] CR2: 0000000000000010 CR3: 00000001b700c005 CR4: 00000000003606e0 +[ 35.461646] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 35.461647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 35.461649] Call Trace: +[ 35.461652] drm_do_probe_ddc_edid+0xb3/0x128 +[ 35.461654] drm_get_edid+0xe5/0x38d +[ 35.461669] intel_hdmi_set_edid+0x45/0x27f [i915] +[ 35.461684] intel_hdmi_detect+0x7c/0x97 [i915] +[ 35.461687] drm_helper_probe_single_connector_modes+0xe1/0x6c0 +[ 35.461689] drm_setup_crtcs+0x129/0xa6a +[ 35.461691] ? __switch_to_asm+0x34/0x70 +[ 35.461693] ? __switch_to_asm+0x34/0x70 +[ 35.461694] ? __switch_to_asm+0x40/0x70 +[ 35.461696] ? __switch_to_asm+0x34/0x70 +[ 35.461697] ? __switch_to_asm+0x40/0x70 +[ 35.461698] ? __switch_to_asm+0x34/0x70 +[ 35.461700] ? __switch_to_asm+0x40/0x70 +[ 35.461701] ? __switch_to_asm+0x34/0x70 +[ 35.461703] __drm_fb_helper_initial_config_and_unlock+0x34/0x46f +[ 35.461705] ? __switch_to_asm+0x40/0x70 +[ 35.461707] ? _cond_resched+0x10/0x33 +[ 35.461724] intel_fbdev_initial_config+0xf/0x1c [i915] +[ 35.461727] async_run_entry_fn+0x2e/0xf5 +[ 35.461729] process_one_work+0x15b/0x364 +[ 35.461731] worker_thread+0x2c/0x3a0 +[ 35.461733] ? process_one_work+0x364/0x364 +[ 35.461734] kthread+0x10c/0x122 +[ 35.461736] ? _kthread_create_on_node+0x5d/0x5d +[ 35.461738] ret_from_fork+0x35/0x40 +[ 35.461739] Code: 5c fa e1 ad 48 89 df e8 ea fb ff ff e9 2a ff ff ff 0f 1f 44 00 00 31 c0 e9 43 fd ff ff 31 c0 45 31 e4 e9 c5 fd ff ff 41 54 55 53 <48> 8b 47 10 48 83 78 10 00 74 70 41 89 d4 48 89 f5 48 89 fb 65 +[ 35.461756] RIP: i2c_transfer+0x4/0x86 RSP: ffff9b4e43d47b30 +[ 35.461757] CR2: 0000000000000010 +[ 35.461759] ---[ end trace 4fe1e63e2dd93374 ]--- + +Based on a patch by Fei Li. + +v2: s/reverting/sticking/ (Chris) + +Cc: stable@vger.kernel.org +Cc: Fei Li +Co-developed-by: Fei Li +Reported-by: Pavel Nakonechnyi +Reported-and-tested-by: Seweryn Kokot +Reported-and-tested-by: Laszlo Valko +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105549 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105961 +Reviewed-by: Chris Wilson +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20180411131519.9091-1-jani.nikula@intel.com +(cherry picked from commit f212bf9abe5de9f938fecea7df07046e74052dde) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_bios.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -1255,7 +1255,6 @@ static void parse_ddi_port(struct drm_i9 + return; + + aux_channel = child->aux_channel; +- ddc_pin = child->ddc_pin; + + is_dvi = child->device_type & DEVICE_TYPE_TMDS_DVI_SIGNALING; + is_dp = child->device_type & DEVICE_TYPE_DISPLAYPORT_OUTPUT; +@@ -1302,9 +1301,15 @@ static void parse_ddi_port(struct drm_i9 + DRM_DEBUG_KMS("Port %c is internal DP\n", port_name(port)); + + if (is_dvi) { +- info->alternate_ddc_pin = map_ddc_pin(dev_priv, ddc_pin); +- +- sanitize_ddc_pin(dev_priv, port); ++ ddc_pin = map_ddc_pin(dev_priv, child->ddc_pin); ++ if (intel_gmbus_is_valid_pin(dev_priv, ddc_pin)) { ++ info->alternate_ddc_pin = ddc_pin; ++ sanitize_ddc_pin(dev_priv, port); ++ } else { ++ DRM_DEBUG_KMS("Port %c has invalid DDC pin %d, " ++ "sticking to defaults\n", ++ port_name(port), ddc_pin); ++ } + } + + if (is_dp) { diff --git a/queue-4.16/drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch b/queue-4.16/drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch new file mode 100644 index 00000000000..1bc0b0d32ec --- /dev/null +++ b/queue-4.16/drm-i915-do-no-use-kfree-to-free-a-kmem_cache_alloc-return-value.patch @@ -0,0 +1,40 @@ +From fcf1fadf4c65eea6c519c773d2d9901e8ad94f5f Mon Sep 17 00:00:00 2001 +From: Xidong Wang +Date: Wed, 4 Apr 2018 10:38:24 +0100 +Subject: drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value + +From: Xidong Wang + +commit fcf1fadf4c65eea6c519c773d2d9901e8ad94f5f upstream. + +Along the eb_lookup_vmas() error path, the return value from +kmem_cache_alloc() was freed using kfree(). Fix it to use the proper +kmem_cache_free() instead. + +Fixes: d1b48c1e7184 ("drm/i915: Replace execbuf vma ht with an idr") +Signed-off-by: Xidong Wang +Cc: Chris Wilson +Cc: Tvrtko Ursulin +Cc: # v4.14+ +Reviewed-by: Chris Wilson +Signed-off-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/20180404093824.9313-1-chris@chris-wilson.co.uk +(cherry picked from commit 6be1187dbffa0027ea379c53f7ca0c782515c610) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -728,7 +728,7 @@ static int eb_lookup_vmas(struct i915_ex + + err = radix_tree_insert(handles_vma, handle, vma); + if (unlikely(err)) { +- kfree(lut); ++ kmem_cache_free(eb->i915->luts, lut); + goto err_obj; + } + diff --git a/queue-4.16/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch b/queue-4.16/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch new file mode 100644 index 00000000000..514df3293dc --- /dev/null +++ b/queue-4.16/drm-i915-fix-lspcon-tmds-output-buffer-enabling-from-low-power-state.patch @@ -0,0 +1,93 @@ +From 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 16 Apr 2018 18:53:09 +0300 +Subject: drm/i915: Fix LSPCON TMDS output buffer enabling from low-power state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Imre Deak + +commit 7eb2c4dd54ff841f2fe509a84973eb25fa20bda2 upstream. + +LSPCON adapters in low-power state may ignore the first I2C write during +TMDS output buffer enabling, resulting in a blank screen even with an +otherwise enabled pipe. Fix this by reading back and validating the +written value a few times. + +The problem was noticed on GLK machines with an onboard LSPCON adapter +after entering/exiting DC5 power state. Doing an I2C read of the adapter +ID as the first transaction - instead of the I2C write to enable the +TMDS buffers - returns the correct value. Based on this we assume that +the transaction itself is sent properly, it's only the adapter that is +not ready for some reason to accept this first write after waking from +low-power state. In my case the second I2C write attempt always +succeeded. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=105854 +Cc: Clinton Taylor +Cc: Ville Syrjälä +Cc: stable@vger.kernel.org +Signed-off-by: Imre Deak +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20180416155309.11100-1-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_dual_mode_helper.c | 39 ++++++++++++++++++++++++------ + 1 file changed, 32 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_dual_mode_helper.c ++++ b/drivers/gpu/drm/drm_dp_dual_mode_helper.c +@@ -350,19 +350,44 @@ int drm_dp_dual_mode_set_tmds_output(enu + { + uint8_t tmds_oen = enable ? 0 : DP_DUAL_MODE_TMDS_DISABLE; + ssize_t ret; ++ int retry; + + if (type < DRM_DP_DUAL_MODE_TYPE2_DVI) + return 0; + +- ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN, +- &tmds_oen, sizeof(tmds_oen)); +- if (ret) { +- DRM_DEBUG_KMS("Failed to %s TMDS output buffers\n", +- enable ? "enable" : "disable"); +- return ret; ++ /* ++ * LSPCON adapters in low-power state may ignore the first write, so ++ * read back and verify the written value a few times. ++ */ ++ for (retry = 0; retry < 3; retry++) { ++ uint8_t tmp; ++ ++ ret = drm_dp_dual_mode_write(adapter, DP_DUAL_MODE_TMDS_OEN, ++ &tmds_oen, sizeof(tmds_oen)); ++ if (ret) { ++ DRM_DEBUG_KMS("Failed to %s TMDS output buffers (%d attempts)\n", ++ enable ? "enable" : "disable", ++ retry + 1); ++ return ret; ++ } ++ ++ ret = drm_dp_dual_mode_read(adapter, DP_DUAL_MODE_TMDS_OEN, ++ &tmp, sizeof(tmp)); ++ if (ret) { ++ DRM_DEBUG_KMS("I2C read failed during TMDS output buffer %s (%d attempts)\n", ++ enable ? "enabling" : "disabling", ++ retry + 1); ++ return ret; ++ } ++ ++ if (tmp == tmds_oen) ++ return 0; + } + +- return 0; ++ DRM_DEBUG_KMS("I2C write value mismatch during TMDS output buffer %s\n", ++ enable ? "enabling" : "disabling"); ++ ++ return -EIO; + } + EXPORT_SYMBOL(drm_dp_dual_mode_set_tmds_output); + diff --git a/queue-4.16/drm-i915-gvt-add-drm_format_mod-update.patch b/queue-4.16/drm-i915-gvt-add-drm_format_mod-update.patch new file mode 100644 index 00000000000..f859053bee4 --- /dev/null +++ b/queue-4.16/drm-i915-gvt-add-drm_format_mod-update.patch @@ -0,0 +1,31 @@ +From 10996f802109c83421ca30556cfe36ffc3bebae3 Mon Sep 17 00:00:00 2001 +From: Tina Zhang +Date: Wed, 28 Mar 2018 13:49:29 +0800 +Subject: drm/i915/gvt: Add drm_format_mod update + +From: Tina Zhang + +commit 10996f802109c83421ca30556cfe36ffc3bebae3 upstream. + +Add drm_format_mod update, which is omitted. + +Fixes: e546e281("drm/i915/gvt: Dmabuf support for GVT-g") +Cc: stable@vger.kernel.org +Signed-off-by: Tina Zhang +Signed-off-by: Zhenyu Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gvt/dmabuf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/i915/gvt/dmabuf.c ++++ b/drivers/gpu/drm/i915/gvt/dmabuf.c +@@ -323,6 +323,7 @@ static void update_fb_info(struct vfio_d + struct intel_vgpu_fb_info *fb_info) + { + gvt_dmabuf->drm_format = fb_info->drm_format; ++ gvt_dmabuf->drm_format_mod = fb_info->drm_format_mod; + gvt_dmabuf->width = fb_info->width; + gvt_dmabuf->height = fb_info->height; + gvt_dmabuf->stride = fb_info->stride; diff --git a/queue-4.16/drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch b/queue-4.16/drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch new file mode 100644 index 00000000000..4d5e0af6637 --- /dev/null +++ b/queue-4.16/drm-i915-gvt-throw-error-on-unhandled-vfio-ioctls.patch @@ -0,0 +1,33 @@ +From 9f591ae60e1be026901398ef99eede91237aa3a1 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 21 Mar 2018 15:08:47 +0100 +Subject: drm/i915/gvt: throw error on unhandled vfio ioctls + +From: Gerd Hoffmann + +commit 9f591ae60e1be026901398ef99eede91237aa3a1 upstream. + +On unknown/unhandled ioctls the driver should return an error, so +userspace knows it tried to use something unsupported. + +Cc: stable@vger.kernel.org +Signed-off-by: Gerd Hoffmann +Reviewed-by: Alex Williamson +Signed-off-by: Zhenyu Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gvt/kvmgt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gvt/kvmgt.c ++++ b/drivers/gpu/drm/i915/gvt/kvmgt.c +@@ -1284,7 +1284,7 @@ static long intel_vgpu_ioctl(struct mdev + + } + +- return 0; ++ return -ENOTTY; + } + + static ssize_t diff --git a/queue-4.16/drm-vc4-fix-memory-leak-during-bo-teardown.patch b/queue-4.16/drm-vc4-fix-memory-leak-during-bo-teardown.patch new file mode 100644 index 00000000000..a7d40b75f3f --- /dev/null +++ b/queue-4.16/drm-vc4-fix-memory-leak-during-bo-teardown.patch @@ -0,0 +1,54 @@ +From c0db1b677e1d584fab5d7ac76a32e1c0157542e0 Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman +Date: Mon, 2 Apr 2018 15:10:35 +0800 +Subject: drm/vc4: Fix memory leak during BO teardown + +From: Daniel J Blueman + +commit c0db1b677e1d584fab5d7ac76a32e1c0157542e0 upstream. + +During BO teardown, an indirect list 'uniform_addr_offsets' wasn't being +freed leading to leaking many 128B allocations. Fix the memory leak by +releasing it at teardown time. + +Cc: stable@vger.kernel.org +Fixes: 6d45c81d229d ("drm/vc4: Add support for branching in shader validation.") +Signed-off-by: Daniel J Blueman +Signed-off-by: Eric Anholt +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180402071035.25356-1-daniel@quora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vc4/vc4_bo.c | 2 ++ + drivers/gpu/drm/vc4/vc4_validate_shaders.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/gpu/drm/vc4/vc4_bo.c ++++ b/drivers/gpu/drm/vc4/vc4_bo.c +@@ -195,6 +195,7 @@ static void vc4_bo_destroy(struct vc4_bo + vc4_bo_set_label(obj, -1); + + if (bo->validated_shader) { ++ kfree(bo->validated_shader->uniform_addr_offsets); + kfree(bo->validated_shader->texture_samples); + kfree(bo->validated_shader); + bo->validated_shader = NULL; +@@ -591,6 +592,7 @@ void vc4_free_object(struct drm_gem_obje + } + + if (bo->validated_shader) { ++ kfree(bo->validated_shader->uniform_addr_offsets); + kfree(bo->validated_shader->texture_samples); + kfree(bo->validated_shader); + bo->validated_shader = NULL; +--- a/drivers/gpu/drm/vc4/vc4_validate_shaders.c ++++ b/drivers/gpu/drm/vc4/vc4_validate_shaders.c +@@ -942,6 +942,7 @@ vc4_validate_shader(struct drm_gem_cma_o + fail: + kfree(validation_state.branch_targets); + if (validated_shader) { ++ kfree(validated_shader->uniform_addr_offsets); + kfree(validated_shader->texture_samples); + kfree(validated_shader); + } diff --git a/queue-4.16/posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch b/queue-4.16/posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch new file mode 100644 index 00000000000..8960678f8d0 --- /dev/null +++ b/queue-4.16/posix-cpu-timers-ensure-set_process_cpu_timer-is-always-evaluated.patch @@ -0,0 +1,59 @@ +From c3bca5d450b620dd3d36e14b5e1f43639fd47d6b Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Tue, 17 Apr 2018 14:57:42 -0700 +Subject: posix-cpu-timers: Ensure set_process_cpu_timer is always evaluated + +From: Laura Abbott + +commit c3bca5d450b620dd3d36e14b5e1f43639fd47d6b upstream. + +Commit a9445e47d897 ("posix-cpu-timers: Make set_process_cpu_timer() +more robust") moved the check into the 'if' statement. Unfortunately, +it did so on the right side of an && which means that it may get short +circuited and never evaluated. This is easily reproduced with: + +$ cat loop.c +void main() { + struct rlimit res; + /* set the CPU time limit */ + getrlimit(RLIMIT_CPU,&res); + res.rlim_cur = 2; + res.rlim_max = 2; + setrlimit(RLIMIT_CPU,&res); + + while (1); +} + +Which will hang forever instead of being killed. Fix this by pulling the +evaluation out of the if statement but checking the return value instead. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1568337 +Fixes: a9445e47d897 ("posix-cpu-timers: Make set_process_cpu_timer() more robust") +Signed-off-by: Laura Abbott +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Cc: "Max R . P . Grossmann" +Cc: John Stultz +Link: https://lkml.kernel.org/r/20180417215742.2521-1-labbott@redhat.com +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/posix-cpu-timers.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -1205,10 +1205,12 @@ void set_process_cpu_timer(struct task_s + u64 *newval, u64 *oldval) + { + u64 now; ++ int ret; + + WARN_ON_ONCE(clock_idx == CPUCLOCK_SCHED); ++ ret = cpu_timer_sample_group(clock_idx, tsk, &now); + +- if (oldval && cpu_timer_sample_group(clock_idx, tsk, &now) != -EINVAL) { ++ if (oldval && ret != -EINVAL) { + /* + * We are setting itimer. The *oldval is absolute and we update + * it to be relative, *newval argument is relative and we update diff --git a/queue-4.16/x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch b/queue-4.16/x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch new file mode 100644 index 00000000000..d1948252106 --- /dev/null +++ b/queue-4.16/x86-acpi-prevent-x2apic-id-0xffffffff-from-being-accounted.patch @@ -0,0 +1,48 @@ +From 10daf10ab154e31237a8c07242be3063fb6a9bf4 Mon Sep 17 00:00:00 2001 +From: Dou Liyang +Date: Thu, 12 Apr 2018 09:40:52 +0800 +Subject: x86/acpi: Prevent X2APIC id 0xffffffff from being accounted +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dou Liyang + +commit 10daf10ab154e31237a8c07242be3063fb6a9bf4 upstream. + +RongQing reported that there are some X2APIC id 0xffffffff in his machine's +ACPI MADT table, which makes the number of possible CPU inaccurate. + +The reason is that the ACPI X2APIC parser has no sanity check for APIC ID +0xffffffff, which is an invalid id in all APIC types. See "Intel® 64 +Architecture x2APIC Specification", Chapter 2.4.1. + +Add a sanity check to acpi_parse_x2apic() which ignores the invalid id. + +Reported-by: Li RongQing +Signed-off-by: Dou Liyang +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Cc: len.brown@intel.com +Cc: rjw@rjwysocki.net +Cc: hpa@zytor.com +Link: https://lkml.kernel.org/r/20180412014052.25186-1-douly.fnst@cn.fujitsu.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/acpi/boot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -215,6 +215,10 @@ acpi_parse_x2apic(struct acpi_subtable_h + apic_id = processor->local_apic_id; + enabled = processor->lapic_flags & ACPI_MADT_ENABLED; + ++ /* Ignore invalid ID */ ++ if (apic_id == 0xffffffff) ++ return 0; ++ + /* + * We need to register disabled CPU as well to permit + * counting disabled CPUs. This allows us to size diff --git a/queue-4.16/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch b/queue-4.16/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch new file mode 100644 index 00000000000..f78068b635a --- /dev/null +++ b/queue-4.16/x86-tsc-prevent-32bit-truncation-in-calc_hpet_ref.patch @@ -0,0 +1,54 @@ +From d3878e164dcd3925a237a20e879432400e369172 Mon Sep 17 00:00:00 2001 +From: Xiaoming Gao +Date: Fri, 13 Apr 2018 17:48:08 +0800 +Subject: x86/tsc: Prevent 32bit truncation in calc_hpet_ref() + +From: Xiaoming Gao + +commit d3878e164dcd3925a237a20e879432400e369172 upstream. + +The TSC calibration code uses HPET as reference. The conversion normalizes +the delta of two HPET timestamps: + + hpetref = ((tshpet1 - tshpet2) * HPET_PERIOD) / 1e6 + +and then divides the normalized delta of the corresponding TSC timestamps +by the result to calulate the TSC frequency. + + tscfreq = ((tstsc1 - tstsc2 ) * 1e6) / hpetref + +This uses do_div() which takes an u32 as the divisor, which worked so far +because the HPET frequency was low enough that 'hpetref' never exceeded +32bit. + +On Skylake machines the HPET frequency increased so 'hpetref' can exceed +32bit. do_div() truncates the divisor, which causes the calibration to +fail. + +Use div64_u64() to avoid the problem. + +[ tglx: Fixes whitespace mangled patch and rewrote changelog ] + +Signed-off-by: Xiaoming Gao +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Cc: peterz@infradead.org +Cc: hpa@zytor.com +Link: https://lkml.kernel.org/r/38894564-4fc9-b8ec-353f-de702839e44e@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/tsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -317,7 +317,7 @@ static unsigned long calc_hpet_ref(u64 d + hpet2 -= hpet1; + tmp = ((u64)hpet2 * hpet_readl(HPET_PERIOD)); + do_div(tmp, 1000000); +- do_div(deltatsc, tmp); ++ deltatsc = div64_u64(deltatsc, tmp); + + return (unsigned long) deltatsc; + } -- 2.47.3