--- /dev/null
+From f771d5bb71d4df9573d12386400540516672208b Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Tue, 18 Oct 2016 10:59:09 +0800
+Subject: ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit f771d5bb71d4df9573d12386400540516672208b upstream.
+
+We have a new Dell laptop model which uses ALC295, the pin definition
+is different from the existing ones in the pin quirk table, to fix the
+headset mic detection and mic mute led's problem, we need to add the
+new pin definition into the pin quirk table.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5793,8 +5793,6 @@ static const struct hda_model_fixup alc2
+ #define ALC295_STANDARD_PINS \
+ {0x12, 0xb7a60130}, \
+ {0x14, 0x90170110}, \
+- {0x17, 0x21014020}, \
+- {0x18, 0x21a19030}, \
+ {0x21, 0x04211020}
+
+ #define ALC298_STANDARD_PINS \
+@@ -6021,7 +6019,13 @@ static const struct snd_hda_pin_quirk al
+ ALC292_STANDARD_PINS,
+ {0x13, 0x90a60140}),
+ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
+- ALC295_STANDARD_PINS),
++ ALC295_STANDARD_PINS,
++ {0x17, 0x21014020},
++ {0x18, 0x21a19030}),
++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
++ ALC295_STANDARD_PINS,
++ {0x17, 0x21014040},
++ {0x18, 0x21a19050}),
+ SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC298_STANDARD_PINS,
+ {0x17, 0x90170110}),
--- /dev/null
+From 3ab7511eafdd5c4f40d2832f09554478dfbea170 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date: Mon, 17 Oct 2016 17:23:59 +0100
+Subject: ALSA: hda - allow 40 bit DMA mask for NVidia devices
+
+From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+commit 3ab7511eafdd5c4f40d2832f09554478dfbea170 upstream.
+
+Commit 49d9e77e72cf ("ALSA: hda - Fix system panic when DMA > 40 bits
+for Nvidia audio controllers") simply disabled any DMA exceeding 32
+bits for NVidia devices, even though they are capable of performing
+DMA up to 40 bits. On some architectures (such as arm64), system memory
+is not guaranteed to be 32-bit addressable by PCI devices, and so this
+change prevents NVidia devices from working on platforms such as AMD
+Seattle.
+
+Since the original commit already mentioned that up to 40 bits of DMA
+is supported, and given that the code has been updated in the meantime
+to support a 40 bit DMA mask on other devices, revert commit 49d9e77e72cf
+and explicitly set the DMA mask to 40 bits for NVidia devices.
+
+Fixes: 49d9e77e72cf ('ALSA: hda - Fix system panic when DMA > 40 bits...')
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -334,8 +334,7 @@ enum {
+
+ /* quirks for Nvidia */
+ #define AZX_DCAPS_PRESET_NVIDIA \
+- (AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \
+- AZX_DCAPS_NO_64BIT | AZX_DCAPS_CORBRP_SELF_CLEAR |\
++ (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\
+ AZX_DCAPS_SNOOP_TYPE(NVIDIA))
+
+ #define AZX_DCAPS_PRESET_CTHDA \
+@@ -1725,6 +1724,10 @@ static int azx_first_init(struct azx *ch
+ }
+ }
+
++ /* NVidia hardware normally only supports up to 40 bits of DMA */
++ if (chip->pci->vendor == PCI_VENDOR_ID_NVIDIA)
++ dma_bits = 40;
++
+ /* disable 64bit DMA address on some devices */
+ if (chip->driver_caps & AZX_DCAPS_NO_64BIT) {
+ dev_dbg(card->dev, "Disabling 64bit DMA\n");
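Review bot: The added `dma_bits = 40;` applies to every NVIDIA controller by vendor ID alone, and with AZX_DCAPS_NO_64BIT dropped from AZX_DCAPS_PRESET_NVIDIA the driver-caps branch just below no longer restricts these devices. Whether a controller that does not advertise 64-bit addressing still ends up with a 32-bit mask depends on code later in azx_first_init(), which is outside this hunk, so that fallback should be confirmed. A mask wider than the hardware can address can lead to DMA at truncated addresses, which is the kind of failure the reverted commit was guarding against. The comment could also say where the value sits in the sequence, e.g. `/* NVidia HDA controllers address at most 40 bits; cap the mask before the capability checks */`.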
--- /dev/null
+From 6aecd8715802d23dc6a0859b50c62d2b0a99de3a Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 20 Oct 2016 14:03:33 +0800
+Subject: ALSA: hda - Fix headset mic detection problem for two Dell laptops
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 6aecd8715802d23dc6a0859b50c62d2b0a99de3a upstream.
+
+They use the codec ALC255 and have a different pin cfg definition
+from the ones in the existing pin quirk table. Now adding them into
+the table to fix the problem.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5839,11 +5839,19 @@ static const struct snd_hda_pin_quirk al
+ {0x1b, 0x02011020},
+ {0x21, 0x0221101f}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x14, 0x90170110},
++ {0x1b, 0x01011020},
++ {0x21, 0x0221101f}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x14, 0x90170130},
+ {0x1b, 0x01014020},
+ {0x21, 0x0221103f}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ {0x14, 0x90170130},
++ {0x1b, 0x01011020},
++ {0x21, 0x0221103f}),
++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x14, 0x90170130},
+ {0x1b, 0x02011020},
+ {0x21, 0x0221103f}),
+ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
--- /dev/null
+From ef85f299c74e6c5dd98ec0230183be33f4c2813d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 17 Dec 2015 08:12:37 +0100
+Subject: ALSA: hda - Merge RIRB_PRE_DELAY into CTX_WORKAROUND caps
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit ef85f299c74e6c5dd98ec0230183be33f4c2813d upstream.
+
+AZX_DCAPS_RIRB_PRE_DELAY is always tied with AZX_DCAPS_CTX_WORKAROUND,
+which is Creative's XFi specific. So, we can replace it and free up
+one more bit for DCAPS.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 2 +-
+ sound/pci/hda/hda_controller.h | 2 +-
+ sound/pci/hda/hda_intel.c | 6 ++----
+ 3 files changed, 4 insertions(+), 6 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -956,7 +956,7 @@ irqreturn_t azx_interrupt(int irq, void
+ status = azx_readb(chip, RIRBSTS);
+ if (status & RIRB_INT_MASK) {
+ if (status & RIRB_INT_RESPONSE) {
+- if (chip->driver_caps & AZX_DCAPS_RIRB_PRE_DELAY)
++ if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND)
+ udelay(80);
+ snd_hdac_bus_update_rirb(bus);
+ }
+--- a/sound/pci/hda/hda_controller.h
++++ b/sound/pci/hda/hda_controller.h
+@@ -33,7 +33,7 @@
+ #define AZX_DCAPS_SNOOP_MASK (3 << 10) /* snoop type mask */
+ #define AZX_DCAPS_SNOOP_OFF (1 << 12) /* snoop default off */
+ #define AZX_DCAPS_RIRB_DELAY (1 << 13) /* Long delay in read loop */
+-#define AZX_DCAPS_RIRB_PRE_DELAY (1 << 14) /* Put a delay before read */
++/* 14 unused */
+ #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
+ #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
+ #define AZX_DCAPS_POSFIX_VIA (1 << 17) /* Use VIACOMBO as default */
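Review bot: After this change AZX_DCAPS_CTX_WORKAROUND also gates the `udelay(80)` before the RIRB update in azx_interrupt(), but its comment still reads only `/* X-Fi workaround */`. With the dedicated bit gone, the define is the one place a reader can learn that the flag inserts a delay in the interrupt path. Suggest `/* X-Fi workaround, incl. delay before RIRB read */` on that line.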
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2406,14 +2406,12 @@ static const struct pci_device_id azx_id
+ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
+ .class_mask = 0xffffff,
+ .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
+- AZX_DCAPS_NO_64BIT |
+- AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
++ AZX_DCAPS_NO_64BIT | AZX_DCAPS_POSFIX_LPIB },
+ #else
+ /* this entry seems still valid -- i.e. without emu20kx chip */
+ { PCI_DEVICE(0x1102, 0x0009),
+ .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND |
+- AZX_DCAPS_NO_64BIT |
+- AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB },
++ AZX_DCAPS_NO_64BIT | AZX_DCAPS_POSFIX_LPIB },
+ #endif
+ /* CM8888 */
+ { PCI_DEVICE(0x13f6, 0x5011),
--- /dev/null
+From 7d9a180895ee8c301df7f9447429009795c56c21 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 17 Dec 2015 08:23:39 +0100
+Subject: ALSA: hda - Raise AZX_DCAPS_RIRB_DELAY handling into top drivers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 7d9a180895ee8c301df7f9447429009795c56c21 upstream.
+
+AZX_DCAPS_RIRB_DELAY is dedicated only for Nvidia and its purpose is
+just to set a flag in bus. So it's better to be set in the toplevel
+driver, either hda_intel.c or hda_tegra.c, instead of the common
+hda_controller.c. This also allows us to strip this flag from dcaps,
+so save one more bit there.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 5 -----
+ sound/pci/hda/hda_controller.h | 2 +-
+ sound/pci/hda/hda_intel.c | 7 ++++++-
+ sound/pci/hda/hda_tegra.c | 5 +++--
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -1055,11 +1055,6 @@ int azx_bus_init(struct azx *chip, const
+ if (chip->driver_caps & AZX_DCAPS_CORBRP_SELF_CLEAR)
+ bus->core.corbrp_self_clear = true;
+
+- if (chip->driver_caps & AZX_DCAPS_RIRB_DELAY) {
+- dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n");
+- bus->needs_damn_long_delay = 1;
+- }
+-
+ if (chip->driver_caps & AZX_DCAPS_4K_BDLE_BOUNDARY)
+ bus->core.align_bdle_4k = true;
+
+--- a/sound/pci/hda/hda_controller.h
++++ b/sound/pci/hda/hda_controller.h
+@@ -32,7 +32,7 @@
+ #define AZX_DCAPS_NO_MSI (1 << 9) /* No MSI support */
+ #define AZX_DCAPS_SNOOP_MASK (3 << 10) /* snoop type mask */
+ #define AZX_DCAPS_SNOOP_OFF (1 << 12) /* snoop default off */
+-#define AZX_DCAPS_RIRB_DELAY (1 << 13) /* Long delay in read loop */
++/* 13 unused */
+ /* 14 unused */
+ #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
+ #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -334,7 +334,7 @@ enum {
+
+ /* quirks for Nvidia */
+ #define AZX_DCAPS_PRESET_NVIDIA \
+- (AZX_DCAPS_RIRB_DELAY | AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \
++ (AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \
+ AZX_DCAPS_NO_64BIT | AZX_DCAPS_CORBRP_SELF_CLEAR |\
+ AZX_DCAPS_SNOOP_TYPE(NVIDIA))
+
+@@ -1637,6 +1637,11 @@ static int azx_create(struct snd_card *c
+ return err;
+ }
+
++ if (chip->driver_type == AZX_DRIVER_NVIDIA) {
++ dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n");
++ chip->bus.needs_damn_long_delay = 1;
++ }
++
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err < 0) {
+ dev_err(card->dev, "Error creating device [card]!\n");
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -464,6 +464,8 @@ static int hda_tegra_create(struct snd_c
+ if (err < 0)
+ return err;
+
++ chip->bus.needs_damn_long_delay = 1;
++
+ err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops);
+ if (err < 0) {
+ dev_err(card->dev, "Error creating device\n");
+@@ -481,8 +483,7 @@ MODULE_DEVICE_TABLE(of, hda_tegra_match)
+
+ static int hda_tegra_probe(struct platform_device *pdev)
+ {
+- const unsigned int driver_flags = AZX_DCAPS_RIRB_DELAY |
+- AZX_DCAPS_CORBRP_SELF_CLEAR;
++ const unsigned int driver_flags = AZX_DCAPS_CORBRP_SELF_CLEAR;
+ struct snd_card *card;
+ struct azx *chip;
+ struct hda_tegra *hda;
--- /dev/null
+From bdc3478f90cd4d2928197f36629d5cf93b64dbe9 Mon Sep 17 00:00:00 2001
+From: Marcel Hasler <mahasler@gmail.com>
+Date: Thu, 27 Oct 2016 00:42:27 +0200
+Subject: ALSA: usb-audio: Add quirk for Syntek STK1160
+
+From: Marcel Hasler <mahasler@gmail.com>
+
+commit bdc3478f90cd4d2928197f36629d5cf93b64dbe9 upstream.
+
+The stk1160 chip needs QUIRK_AUDIO_ALIGN_TRANSFER. This patch resolves
+the issue reported on the mailing list
+(http://marc.info/?l=linux-sound&m=139223599126215&w=2) and also fixes
+bug 180071 (https://bugzilla.kernel.org/show_bug.cgi?id=180071).
+
+Signed-off-by: Marcel Hasler <mahasler@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -2907,6 +2907,23 @@ AU0828_DEVICE(0x2040, 0x7260, "Hauppauge
+ AU0828_DEVICE(0x2040, 0x7213, "Hauppauge", "HVR-950Q"),
+ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"),
+
++/* Syntek STK1160 */
++{
++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE |
++ USB_DEVICE_ID_MATCH_INT_CLASS |
++ USB_DEVICE_ID_MATCH_INT_SUBCLASS,
++ .idVendor = 0x05e1,
++ .idProduct = 0x0408,
++ .bInterfaceClass = USB_CLASS_AUDIO,
++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .vendor_name = "Syntek",
++ .product_name = "STK1160",
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_AUDIO_ALIGN_TRANSFER
++ }
++},
++
+ /* Digidesign Mbox */
+ {
+ /* Thanks to Clemens Ladisch <clemens@ladisch.de> */
--- /dev/null
+From 03dab869b7b239c4e013ec82aea22e181e441cfc Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Wed, 26 Oct 2016 15:01:54 +0100
+Subject: KEYS: Fix short sprintf buffer in /proc/keys show function
+
+From: David Howells <dhowells@redhat.com>
+
+commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.
+
+This fixes CVE-2016-7042.
+
+Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
+is turned on, this can cause a panic due to stack corruption.
+
+The problem is that xbuf[] is not big enough to hold a 64-bit timeout
+rendered as weeks:
+
+ (gdb) p 0xffffffffffffffffULL/(60*60*24*7)
+ $2 = 30500568904943
+
+That's 14 chars plus NUL, not 11 chars plus NUL.
+
+Expand the buffer to 16 chars.
+
+I think the unpatched code apparently works if the stack-protector is not
+enabled because on a 32-bit machine the buffer won't be overflowed and on a
+64-bit machine there's a 64-bit aligned pointer at one side and an int that
+isn't checked again on the other side.
+
+The panic incurred looks something like:
+
+Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
+CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
+Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
+ ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
+ ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
+Call Trace:
+ [<ffffffff813d941f>] dump_stack+0x63/0x84
+ [<ffffffff811b2cb6>] panic+0xde/0x22a
+ [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
+ [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
+ [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
+ [<ffffffff81350410>] ? key_validate+0x50/0x50
+ [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
+ [<ffffffff8126b31c>] seq_read+0x2cc/0x390
+ [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
+ [<ffffffff81244fc7>] __vfs_read+0x37/0x150
+ [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
+ [<ffffffff81246156>] vfs_read+0x96/0x130
+ [<ffffffff81247635>] SyS_read+0x55/0xc0
+ [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
+
+Reported-by: Ondrej Kozina <okozina@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Ondrej Kozina <okozina@redhat.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_fil
+ struct timespec now;
+ unsigned long timo;
+ key_ref_t key_ref, skey_ref;
+- char xbuf[12];
++ char xbuf[16];
+ int rc;
+
+ struct keyring_search_context ctx = {
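Review bot: Sizing `xbuf` at 16 bytes leaves no margin for the worst case the description computes. The weeks value is 14 digits, and if the formatting code (outside this hunk) appends a unit character after the number, the digits, the suffix and the NUL fill all 16 bytes exactly. The write itself stays unbounded, so any later change to the format or to the width of `timo` would reintroduce the stack overwrite. Bounding each formatting call with the buffer size, e.g. `snprintf(xbuf, sizeof(xbuf), ...)` with the existing format arguments, would make the size a hard limit instead of an arithmetic assumption. proc_keys_show() begins before and continues past this hunk, so the formatting sites need to be checked there.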
--- /dev/null
+From 58d789678546d46d7bbd809dd7dab417c0f23655 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Thu, 20 Oct 2016 15:46:18 +1100
+Subject: libxfs: clean up _calc_dquots_per_chunk
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 58d789678546d46d7bbd809dd7dab417c0f23655 upstream.
+
+The function xfs_calc_dquots_per_chunk takes a parameter in units
+of basic blocks. The kernel seems to get the units wrong, but
+userspace got 'fixed' by commenting out the unnecessary conversion.
+Fix both.
+
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/libxfs/xfs_dquot_buf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/xfs/libxfs/xfs_dquot_buf.c
++++ b/fs/xfs/libxfs/xfs_dquot_buf.c
+@@ -191,8 +191,7 @@ xfs_dquot_buf_verify_crc(
+ if (mp->m_quotainfo)
+ ndquots = mp->m_quotainfo->qi_dqperchunk;
+ else
+- ndquots = xfs_calc_dquots_per_chunk(
+- XFS_BB_TO_FSB(mp, bp->b_length));
++ ndquots = xfs_calc_dquots_per_chunk(bp->b_length);
+
+ for (i = 0; i < ndquots; i++, d++) {
+ if (!xfs_verify_cksum((char *)d, sizeof(struct xfs_dqblk),
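Review bot: The units of the argument are what went wrong here, yet the corrected call `xfs_calc_dquots_per_chunk(bp->b_length)` carries no comment recording them. Per the description the helper takes basic blocks, so a one-line comment such as `/* b_length is in basic blocks, the unit xfs_calc_dquots_per_chunk() expects */` above the call would keep the conversion from being reintroduced. This matters for integrity checking because ndquots bounds the CRC loop that follows, so an undercount leaves trailing dquots in the buffer unverified. The function begins before and continues past this hunk.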
--- /dev/null
+From 1bc11d70b5db7c6bb1414b283d7f09b1fe1ac0d0 Mon Sep 17 00:00:00 2001
+From: Alexander Polakov <apolyakov@beget.ru>
+Date: Thu, 27 Oct 2016 17:46:27 -0700
+Subject: mm/list_lru.c: avoid error-path NULL pointer deref
+
+From: Alexander Polakov <apolyakov@beget.ru>
+
+commit 1bc11d70b5db7c6bb1414b283d7f09b1fe1ac0d0 upstream.
+
+As described in https://bugzilla.kernel.org/show_bug.cgi?id=177821:
+
+After some analysis it seems to be that the problem is in alloc_super().
+In case list_lru_init_memcg() fails it goes into destroy_super(), which
+calls list_lru_destroy().
+
+And in list_lru_init() we see that in case memcg_init_list_lru() fails,
+lru->node is freed, but not set NULL, which then leads list_lru_destroy()
+to believe it is initialized and call memcg_destroy_list_lru().
+memcg_destroy_list_lru() in turn can access lru->node[i].memcg_lrus,
+which is NULL.
+
+[akpm@linux-foundation.org: add comment]
+Signed-off-by: Alexander Polakov <apolyakov@beget.ru>
+Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/list_lru.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -554,6 +554,8 @@ int __list_lru_init(struct list_lru *lru
+ err = memcg_init_list_lru(lru, memcg_aware);
+ if (err) {
+ kfree(lru->node);
++ /* Do this so a list_lru_destroy() doesn't crash: */
++ lru->node = NULL;
+ goto out;
+ }
+
--- /dev/null
+From 89a2848381b5fcd9c4d9c0cd97680e3b28730e31 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Thu, 27 Oct 2016 17:46:56 -0700
+Subject: mm: memcontrol: do not recurse in direct reclaim
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 89a2848381b5fcd9c4d9c0cd97680e3b28730e31 upstream.
+
+On 4.0, we saw a stack corruption from a page fault entering direct
+memory cgroup reclaim, calling into btrfs_releasepage(), which then
+tried to allocate an extent and recursed back into a kmem charge ad
+nauseam:
+
+ [...]
+ btrfs_releasepage+0x2c/0x30
+ try_to_release_page+0x32/0x50
+ shrink_page_list+0x6da/0x7a0
+ shrink_inactive_list+0x1e5/0x510
+ shrink_lruvec+0x605/0x7f0
+ shrink_zone+0xee/0x320
+ do_try_to_free_pages+0x174/0x440
+ try_to_free_mem_cgroup_pages+0xa7/0x130
+ try_charge+0x17b/0x830
+ memcg_charge_kmem+0x40/0x80
+ new_slab+0x2d9/0x5a0
+ __slab_alloc+0x2fd/0x44f
+ kmem_cache_alloc+0x193/0x1e0
+ alloc_extent_state+0x21/0xc0
+ __clear_extent_bit+0x2b5/0x400
+ try_release_extent_mapping+0x1a3/0x220
+ __btrfs_releasepage+0x31/0x70
+ btrfs_releasepage+0x2c/0x30
+ try_to_release_page+0x32/0x50
+ shrink_page_list+0x6da/0x7a0
+ shrink_inactive_list+0x1e5/0x510
+ shrink_lruvec+0x605/0x7f0
+ shrink_zone+0xee/0x320
+ do_try_to_free_pages+0x174/0x440
+ try_to_free_mem_cgroup_pages+0xa7/0x130
+ try_charge+0x17b/0x830
+ mem_cgroup_try_charge+0x65/0x1c0
+ handle_mm_fault+0x117f/0x1510
+ __do_page_fault+0x177/0x420
+ do_page_fault+0xc/0x10
+ page_fault+0x22/0x30
+
+On later kernels, kmem charging is opt-in rather than opt-out, and that
+particular kmem allocation in btrfs_releasepage() is no longer being
+charged and won't recurse and overrun the stack anymore.
+
+But it's not impossible for an accounted allocation to happen from the
+memcg direct reclaim context, and we needed to reproduce this crash many
+times before we even got a useful stack trace out of it.
+
+Like other direct reclaimers, mark tasks in memcg reclaim PF_MEMALLOC to
+avoid recursing into any other form of direct reclaim. Then let
+recursive charges from PF_MEMALLOC contexts bypass the cgroup limit.
+
+Link: http://lkml.kernel.org/r/20161025141050.GA13019@cmpxchg.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memcontrol.c | 9 +++++++++
+ mm/vmscan.c | 2 ++
+ 2 files changed, 11 insertions(+)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2055,6 +2055,15 @@ retry:
+ current->flags & PF_EXITING))
+ goto force;
+
++ /*
++ * Prevent unbounded recursion when reclaim operations need to
++ * allocate memory. This might exceed the limits temporarily,
++ * but we prefer facilitating memory reclaim and getting back
++ * under the limit over triggering OOM kills in these cases.
++ */
++ if (unlikely(current->flags & PF_MEMALLOC))
++ goto force;
++
+ if (unlikely(task_in_memcg_oom(current)))
+ goto nomem;
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -2910,7 +2910,9 @@ unsigned long try_to_free_mem_cgroup_pag
+ sc.may_writepage,
+ sc.gfp_mask);
+
++ current->flags |= PF_MEMALLOC;
+ nr_reclaimed = do_try_to_free_pages(zonelist, &sc);
++ current->flags &= ~PF_MEMALLOC;
+
+ trace_mm_vmscan_memcg_reclaim_end(nr_reclaimed);
+
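Review bot: The unconditional `current->flags &= ~PF_MEMALLOC;` after do_try_to_free_pages() clears the flag even when the task entered try_to_free_mem_cgroup_pages() with PF_MEMALLOC already set, which would leave an outer reclaim context unprotected against recursion for the rest of its work. The new PF_MEMALLOC check in mm/memcontrol.c appears intended to keep charge-path callers with the flag set from reaching this point, but other callers of this function are not visible here. Saving and restoring the previous state is safer: `unsigned int pflags = current->flags & PF_MEMALLOC;` before setting the flag, and `if (!pflags) current->flags &= ~PF_MEMALLOC;` afterwards. The function starts before this hunk and continues after it.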
i2c-core-fix-null-pointer-dereference-under-race-condition.patch
drm-dp-mst-clear-port-pdt-when-tearing-down-the-i2c-adapter.patch
h8300-fix-syscall-restarting.patch
+libxfs-clean-up-_calc_dquots_per_chunk.patch
+mm-list_lru.c-avoid-error-path-null-pointer-deref.patch
+mm-memcontrol-do-not-recurse-in-direct-reclaim.patch
+keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch
+alsa-usb-audio-add-quirk-for-syntek-stk1160.patch
+alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch
+alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch
+alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch
+alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch
+alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch