--- /dev/null
+From 26d99834f89e76514076d9cd06f61e56e6a509b8 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Mon, 22 Jan 2018 22:02:05 +0100
+Subject: 9p/trans_virtio: discard zero-length reply
+
+From: Greg Kurz <groug@kaod.org>
+
+commit 26d99834f89e76514076d9cd06f61e56e6a509b8 upstream.
+
+When a 9p request is successfully flushed, the server is expected to just
+mark it as used without sending a 9p reply (ie, without writing data into
+the buffer). In this case, virtqueue_get_buf() will return len == 0 and
+we must not report a REQ_STATUS_RCVD status to the client, otherwise the
+client will erroneously assume the request has not been flushed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/9p/trans_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -160,7 +160,8 @@ static void req_done(struct virtqueue *v
+ spin_unlock_irqrestore(&chan->lock, flags);
+ /* Wakeup if anyone waiting for VirtIO ring space. */
+ wake_up(chan->vc_wq);
+- p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
++ if (len)
++ p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
+ }
+ }
+
--- /dev/null
+From 3f2f7c553d077be6a30cb96b2976a2c940bf5335 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 29 Jan 2018 14:23:15 +0800
+Subject: ALSA: hda - Fix headset mic detection problem for two Dell machines
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f2f7c553d077be6a30cb96b2976a2c940bf5335 upstream.
+
+One of them has the codec of alc256 and the other one has the codec
+of alc289.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5994,6 +5994,11 @@ static const struct snd_hda_pin_quirk al
+ {0x14, 0x90170110},
+ {0x21, 0x02211020}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0x90a60130},
++ {0x14, 0x90170110},
++ {0x14, 0x01011020},
++ {0x21, 0x0221101f}),
++ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC256_STANDARD_PINS),
+ SND_HDA_PIN_QUIRK(0x10ec0280, 0x103c, "HP", ALC280_FIXUP_HP_GPIO4,
+ {0x12, 0x90a60130},
+@@ -6049,6 +6054,10 @@ static const struct snd_hda_pin_quirk al
+ {0x12, 0x90a60120},
+ {0x14, 0x90170110},
+ {0x21, 0x0321101f}),
++ SND_HDA_PIN_QUIRK(0x10ec0289, 0x1028, "Dell", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
++ {0x12, 0xb7a60130},
++ {0x14, 0x90170110},
++ {0x21, 0x04211020}),
+ SND_HDA_PIN_QUIRK(0x10ec0290, 0x103c, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1,
+ ALC290_STANDARD_PINS,
+ {0x15, 0x04211040},
--- /dev/null
+From 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Fri, 2 Feb 2018 15:26:46 +0800
+Subject: ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 61fcf8ece9b6b09450250c4ca40cc3b81a96a68d upstream.
+
+Thinkpad Dock device support for ALC298 platform.
+It need to use SSID for the quirk table.
+Because IdeaPad also has ALC298 platform.
+Use verb for the quirk table will confuse.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4455,6 +4455,28 @@ static void alc_fixup_tpt440_dock(struct
+ }
+ }
+
++static void alc_fixup_tpt470_dock(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ static const struct hda_pintbl pincfgs[] = {
++ { 0x17, 0x21211010 }, /* dock headphone */
++ { 0x19, 0x21a11010 }, /* dock mic */
++ { }
++ };
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
++ /* Enable DOCK device */
++ snd_hda_codec_write(codec, 0x17, 0,
++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
++ /* Enable DOCK device */
++ snd_hda_codec_write(codec, 0x19, 0,
++ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
++ snd_hda_apply_pincfgs(codec, pincfgs);
++ }
++}
++
+ static void alc_shutup_dell_xps13(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+@@ -4877,6 +4899,7 @@ enum {
+ ALC292_FIXUP_TPT460,
+ ALC298_FIXUP_SPK_VOLUME,
+ ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER,
++ ALC298_FIXUP_TPT470_DOCK,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -5568,6 +5591,12 @@ static const struct hda_fixup alc269_fix
+ .chained = true,
+ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE
+ },
++ [ALC298_FIXUP_TPT470_DOCK] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc_fixup_tpt470_dock,
++ .chained = true,
++ .chain_id = ALC293_FIXUP_LENOVO_SPK_NOISE
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -5729,8 +5758,16 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x2218, "Thinkpad X1 Carbon 2nd", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2223, "ThinkPad T550", ALC292_FIXUP_TPT440_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2226, "ThinkPad X250", ALC292_FIXUP_TPT440_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x222d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x222e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x2231, "Thinkpad T560", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x2233, "Thinkpad", ALC292_FIXUP_TPT460),
++ SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x30bb, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x30e2, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+ SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
+@@ -5749,7 +5786,12 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x17aa, 0x5050, "Thinkpad T560p", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x5051, "Thinkpad L460", ALC292_FIXUP_TPT460),
+ SND_PCI_QUIRK(0x17aa, 0x5053, "Thinkpad T460", ALC292_FIXUP_TPT460),
++ SND_PCI_QUIRK(0x17aa, 0x505d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x505f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x5062, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x5109, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
++ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
+ SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
+ SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
--- /dev/null
+From fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 Mon Sep 17 00:00:00 2001
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+Date: Wed, 14 Feb 2018 11:29:15 +0100
+Subject: ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
+
+From: Jan-Marek Glogowski <glogow@fbihome.de>
+
+commit fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 upstream.
+
+These laptops have a combined jack to attach headsets, the U727 on
+the left, the U757 on the right, but a headsets microphone doesn't
+work. Using hdajacksensetest I found that pin 0x19 changed the
+present state when plugging the headset, in addition to 0x21, but
+didn't have the correct configuration (shown as "Not connected").
+
+So this sets the configuration to the same values as the headphone
+pin 0x21 except for the device type microphone, which makes it
+work correctly. With the patch the configured pins for U727 are
+
+Pin 0x12 (Internal Mic, Mobile-In): present = No
+Pin 0x14 (Internal Speaker): present = No
+Pin 0x19 (Black Mic, Left side): present = No
+Pin 0x1d (Internal Aux): present = No
+Pin 0x21 (Black Headphone, Left side): present = No
+
+Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3130,6 +3130,19 @@ static void alc269_fixup_pincfg_no_hp_to
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
+ }
+
++static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21);
++ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19);
++
++ if (cfg_headphone && cfg_headset_mic == 0x411111f0)
++ snd_hda_codec_set_pincfg(codec, 0x19,
++ (cfg_headphone & ~AC_DEFCFG_DEVICE) |
++ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT));
++}
++
+ static void alc269_fixup_hweq(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -4819,6 +4832,7 @@ enum {
+ ALC269_FIXUP_LIFEBOOK_EXTMIC,
+ ALC269_FIXUP_LIFEBOOK_HP_PIN,
+ ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT,
++ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC,
+ ALC269_FIXUP_AMIC,
+ ALC269_FIXUP_DMIC,
+ ALC269VB_FIXUP_AMIC,
+@@ -5010,6 +5024,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc269_fixup_pincfg_no_hp_to_lineout,
+ },
++ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc269_fixup_pincfg_U7x7_headset_mic,
++ },
+ [ALC269_FIXUP_AMIC] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+@@ -5733,6 +5751,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT),
+ SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN),
+ SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN),
++ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
+ SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x1458, 0xfa53, "Gigabyte BXBT-2807", ALC283_FIXUP_HEADSET_MIC),
--- /dev/null
+From d15d662e89fc667b90cd294b0eb45694e33144da Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 12 Feb 2018 15:20:51 +0100
+Subject: ALSA: seq: Fix racy pool initializations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
+
+ALSA sequencer core initializes the event pool on demand by invoking
+snd_seq_pool_init() when the first write happens and the pool is
+empty. Meanwhile user can reset the pool size manually via ioctl
+concurrently, and this may lead to UAF or out-of-bound accesses since
+the function tries to vmalloc / vfree the buffer.
+
+A simple fix is to just wrap the snd_seq_pool_init() call with the
+recently introduced client->ioctl_mutex; as the calls for
+snd_seq_pool_init() from other side are always protected with this
+mutex, we can avoid the race.
+
+Reported-by: 范龙飞 <long7573@126.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -999,7 +999,7 @@ static ssize_t snd_seq_write(struct file
+ {
+ struct snd_seq_client *client = file->private_data;
+ int written = 0, len;
+- int err = -EINVAL;
++ int err;
+ struct snd_seq_event event;
+
+ if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
+@@ -1014,11 +1014,15 @@ static ssize_t snd_seq_write(struct file
+
+ /* allocate the pool now if the pool is not allocated yet */
+ if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
+- if (snd_seq_pool_init(client->pool) < 0)
++ mutex_lock(&client->ioctl_mutex);
++ err = snd_seq_pool_init(client->pool);
++ mutex_unlock(&client->ioctl_mutex);
++ if (err < 0)
+ return -ENOMEM;
+ }
+
+ /* only process whole events */
++ err = -EINVAL;
+ while (count >= sizeof(struct snd_seq_event)) {
+ /* Read in the event header from the user */
+ len = sizeof(event);
--- /dev/null
+From 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 Mon Sep 17 00:00:00 2001
+From: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+Date: Fri, 9 Feb 2018 16:51:36 +0200
+Subject: ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
+
+From: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+
+commit 5e35dc0338d85ccebacf3f77eca1e5dea73155e8 upstream.
+
+Add quirk to ensure a sync endpoint is properly configured.
+This patch is a fix for same symptoms on Behringer UFX1204 as patch
+from Albertto Aquirre on Dec 8 2016 for Axe-Fx II.
+
+Signed-off-by: Lassi Ylikojola <lassi.ylikojola@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -357,6 +357,15 @@ static int set_sync_ep_implicit_fb_quirk
+
+ alts = &iface->altsetting[1];
+ goto add_sync_ep;
++ case USB_ID(0x1397, 0x0002):
++ ep = 0x81;
++ iface = usb_ifnum_to_if(dev, 1);
++
++ if (!iface || iface->num_altsetting == 0)
++ return -EINVAL;
++
++ alts = &iface->altsetting[1];
++ goto add_sync_ep;
+
+ }
+ if (attr == USB_ENDPOINT_SYNC_ASYNC &&
--- /dev/null
+From 447cae58cecd69392b74a4a42cd0ab9cabd816af Mon Sep 17 00:00:00 2001
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+Date: Mon, 29 Jan 2018 06:37:55 +0100
+Subject: ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
+
+From: Kirill Marinushkin <k.marinushkin@gmail.com>
+
+commit 447cae58cecd69392b74a4a42cd0ab9cabd816af upstream.
+
+The layout of the UAC2 Control request and response varies depending on
+the request type. With the current implementation, only the Layout 2
+Parameter Block (with the 2-byte sized RANGE attribute) is handled
+properly. For the Control requests with the 1-byte sized RANGE attribute
+(Bass Control, Mid Control, Tremble Control), the response is parsed
+incorrectly.
+
+This commit:
+* fixes the wLength field value in the request
+* fixes parsing the range values from the response
+
+Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0")
+Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -344,17 +344,20 @@ static int get_ctl_value_v2(struct usb_m
+ int validx, int *value_ret)
+ {
+ struct snd_usb_audio *chip = cval->head.mixer->chip;
+- unsigned char buf[4 + 3 * sizeof(__u32)]; /* enough space for one range */
++ /* enough space for one range */
++ unsigned char buf[sizeof(__u16) + 3 * sizeof(__u32)];
+ unsigned char *val;
+- int idx = 0, ret, size;
++ int idx = 0, ret, val_size, size;
+ __u8 bRequest;
+
++ val_size = uac2_ctl_value_size(cval->val_type);
++
+ if (request == UAC_GET_CUR) {
+ bRequest = UAC2_CS_CUR;
+- size = uac2_ctl_value_size(cval->val_type);
++ size = val_size;
+ } else {
+ bRequest = UAC2_CS_RANGE;
+- size = sizeof(buf);
++ size = sizeof(__u16) + 3 * val_size;
+ }
+
+ memset(buf, 0, sizeof(buf));
+@@ -387,16 +390,17 @@ error:
+ val = buf + sizeof(__u16);
+ break;
+ case UAC_GET_MAX:
+- val = buf + sizeof(__u16) * 2;
++ val = buf + sizeof(__u16) + val_size;
+ break;
+ case UAC_GET_RES:
+- val = buf + sizeof(__u16) * 3;
++ val = buf + sizeof(__u16) + val_size * 2;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- *value_ret = convert_signed_value(cval, snd_usb_combine_bytes(val, sizeof(__u16)));
++ *value_ret = convert_signed_value(cval,
++ snd_usb_combine_bytes(val, val_size));
+
+ return 0;
+ }
--- /dev/null
+From e8f1bc1493855e32b7a2a019decc3c353d94daf6 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:53 -0700
+Subject: Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit e8f1bc1493855e32b7a2a019decc3c353d94daf6 upstream.
+
+This regression is introduced in
+commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction").
+
+There are two problems,
+
+a) it is ->destroy_inode() that does the final free on inode, not
+ ->evict_inode(),
+b) clear_inode() must be called before ->evict_inode() returns.
+
+This could end up hitting BUG_ON(inode->i_state != (I_FREEING | I_CLEAR));
+in evict() because I_CLEAR is set in clear_inode().
+
+Fixes: commit 3d48d9810de4 ("btrfs: Handle uninitialised inode eviction")
+Cc: <stable@vger.kernel.org> # v4.7-rc6+
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5229,7 +5229,7 @@ void btrfs_evict_inode(struct inode *ino
+ trace_btrfs_inode_evict(inode);
+
+ if (!root) {
+- kmem_cache_free(btrfs_inode_cachep, BTRFS_I(inode));
++ clear_inode(inode);
+ return;
+ }
+
--- /dev/null
+From 1846430c24d66e85cc58286b3319c82cd54debb2 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:51 -0700
+Subject: Btrfs: fix crash due to not cleaning up tree log block's dirty bits
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream.
+
+In cases that the whole fs flips into readonly status due to failures in
+critical sections, then log tree's blocks are still dirty, and this leads
+to a crash during umount time, the crash is about use-after-free,
+
+umount
+ -> close_ctree
+ -> stop workers
+ -> iput(btree_inode)
+ -> iput_final
+ -> write_inode_now
+ -> ...
+ -> queue job on stop'd workers
+
+cc: <stable@vger.kernel.org> v3.12+
+Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -2463,6 +2463,9 @@ static noinline int walk_down_log_tree(s
+ next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner !=
+@@ -2542,6 +2545,9 @@ static noinline int walk_up_log_tree(str
+ next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
+@@ -2618,6 +2624,9 @@ static int walk_log_tree(struct btrfs_tr
+ clean_tree_block(trans, log->fs_info, next);
+ btrfs_wait_tree_block_writeback(next);
+ btrfs_tree_unlock(next);
++ } else {
++ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
++ clear_extent_buffer_dirty(next);
+ }
+
+ WARN_ON(log->root_key.objectid !=
--- /dev/null
+From e89166990f11c3f21e1649d760dd35f9e410321c Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:50 -0700
+Subject: Btrfs: fix deadlock in run_delalloc_nocow
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit e89166990f11c3f21e1649d760dd35f9e410321c upstream.
+
+@cur_offset is not set back to what it should be (@cow_start) if
+btrfs_next_leaf() returns something wrong, and the range [cow_start,
+cur_offset) remains locked forever.
+
+cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1320,8 +1320,11 @@ next_slot:
+ leaf = path->nodes[0];
+ if (path->slots[0] >= btrfs_header_nritems(leaf)) {
+ ret = btrfs_next_leaf(root, path);
+- if (ret < 0)
++ if (ret < 0) {
++ if (cow_start != (u64)-1)
++ cur_offset = cow_start;
+ goto error;
++ }
+ if (ret > 0)
+ break;
+ leaf = path->nodes[0];
--- /dev/null
+From 55237a5f2431a72435e3ed39e4306e973c0446b7 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:52 -0700
+Subject: Btrfs: fix extent state leak from tree log
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 55237a5f2431a72435e3ed39e4306e973c0446b7 upstream.
+
+It's possible that btrfs_sync_log() bails out after one of the two
+btrfs_write_marked_extents() which convert extent state's state bit into
+EXTENT_NEED_WAIT from EXTENT_DIRTY/EXTENT_NEW, however only EXTENT_DIRTY
+and EXTENT_NEW are searched by free_log_tree() so that those extent states
+with EXTENT_NEED_WAIT lead to memory leak.
+
+cc: <stable@vger.kernel.org>
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3013,13 +3013,14 @@ static void free_log_tree(struct btrfs_t
+
+ while (1) {
+ ret = find_first_extent_bit(&log->dirty_log_pages,
+- 0, &start, &end, EXTENT_DIRTY | EXTENT_NEW,
++ 0, &start, &end,
++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT,
+ NULL);
+ if (ret)
+ break;
+
+ clear_extent_bits(&log->dirty_log_pages, start, end,
+- EXTENT_DIRTY | EXTENT_NEW);
++ EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT);
+ }
+
+ /*
--- /dev/null
+From 900c9981680067573671ecc5cbfa7c5770be3a40 Mon Sep 17 00:00:00 2001
+From: Liu Bo <bo.li.liu@oracle.com>
+Date: Thu, 25 Jan 2018 11:02:56 -0700
+Subject: Btrfs: fix unexpected -EEXIST when creating new inode
+
+From: Liu Bo <bo.li.liu@oracle.com>
+
+commit 900c9981680067573671ecc5cbfa7c5770be3a40 upstream.
+
+The highest objectid, which is assigned to new inode, is decided at
+the time of initializing fs roots. However, in cases where log replay
+gets processed, the btree which fs root owns might be changed, so we
+have to search it again for the highest objectid, otherwise creating
+new inode would end up with -EEXIST.
+
+cc: <stable@vger.kernel.org> v4.4-rc6+
+Fixes: f32e48e92596 ("Btrfs: Initialize btrfs_root->highest_objectid when loading tree root and subvolume roots")
+Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/tree-log.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -28,6 +28,7 @@
+ #include "hash.h"
+ #include "compression.h"
+ #include "qgroup.h"
++#include "inode-map.h"
+
+ /* magic values for the inode_only field in btrfs_log_inode:
+ *
+@@ -5661,6 +5662,23 @@ again:
+ path);
+ }
+
++ if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
++ struct btrfs_root *root = wc.replay_dest;
++
++ btrfs_release_path(path);
++
++ /*
++ * We have just replayed everything, and the highest
++ * objectid of fs roots probably has changed in case
++ * some inode_item's got replayed.
++ *
++ * root->objectid_mutex is not acquired as log replay
++ * could only happen during mount.
++ */
++ ret = btrfs_find_highest_objectid(root,
++ &root->highest_objectid);
++ }
++
+ key.offset = found_key.offset - 1;
+ wc.replay_dest->log_root = NULL;
+ free_extent_buffer(log->node);
--- /dev/null
+From ea56fb282368ea08c2a313af6b55cb597aec4db1 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Fri, 9 Feb 2018 13:21:42 +0100
+Subject: mtd: nand: vf610: set correct ooblayout
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit ea56fb282368ea08c2a313af6b55cb597aec4db1 upstream.
+
+With commit 3cf32d180227 ("mtd: nand: vf610: switch to
+mtd_ooblayout_ops") the driver started to use the NAND cores
+default large page ooblayout. However, shortly after commit
+6a623e076944 ("mtd: nand: add ooblayout for old hamming layout")
+changed the default layout to the old hamming layout, which is
+not what vf610_nfc is using. Specify the default large page
+layout explicitly.
+
+Fixes: 6a623e076944 ("mtd: nand: add ooblayout for old hamming layout")
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/vf610_nfc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/vf610_nfc.c
++++ b/drivers/mtd/nand/vf610_nfc.c
+@@ -752,10 +752,8 @@ static int vf610_nfc_probe(struct platfo
+ if (mtd->oobsize > 64)
+ mtd->oobsize = 64;
+
+- /*
+- * mtd->ecclayout is not specified here because we're using the
+- * default large page ECC layout defined in NAND core.
+- */
++ /* Use default large page ECC layout defined in NAND core */
++ mtd_set_ooblayout(mtd, &nand_ooblayout_lp_ops);
+ if (chip->ecc.strength == 32) {
+ nfc->ecc_mode = ECC_60_BYTE;
+ chip->ecc.bytes = 60;
--- /dev/null
+From 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 11 Feb 2018 18:10:28 -0500
+Subject: mvpp2: fix multicast address filter
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7ac8ff95f48cbfa609a060fd6a1e361dd62feeb3 upstream.
+
+IPv6 doesn't work on the MacchiatoBIN board. It is caused by broken
+multicast address filter in the mvpp2 driver.
+
+The driver loads doesn't load any multicast entries if "allmulti" is not
+set. This condition should be reversed.
+
+The condition !netdev_mc_empty(dev) is useless (because
+netdev_for_each_mc_addr is nop if the list is empty).
+
+This patch also fixes a possible overflow of the multicast list - if
+mvpp2_prs_mac_da_accept fails, we set the allmulti flag and retry.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -5657,6 +5657,7 @@ static void mvpp2_set_rx_mode(struct net
+ int id = port->id;
+ bool allmulti = dev->flags & IFF_ALLMULTI;
+
++retry:
+ mvpp2_prs_mac_promisc_set(priv, id, dev->flags & IFF_PROMISC);
+ mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_ALL, allmulti);
+ mvpp2_prs_mac_multi_set(priv, id, MVPP2_PE_MAC_MC_IP6, allmulti);
+@@ -5664,9 +5665,13 @@ static void mvpp2_set_rx_mode(struct net
+ /* Remove all port->id's mcast enries */
+ mvpp2_prs_mcast_del_all(priv, id);
+
+- if (allmulti && !netdev_mc_empty(dev)) {
+- netdev_for_each_mc_addr(ha, dev)
+- mvpp2_prs_mac_da_accept(priv, id, ha->addr, true);
++ if (!allmulti) {
++ netdev_for_each_mc_addr(ha, dev) {
++ if (mvpp2_prs_mac_da_accept(priv, id, ha->addr, true)) {
++ allmulti = true;
++ goto retry;
++ }
++ }
+ }
+ }
+
--- /dev/null
+From c713fb071edc0efc01a955f65a006b0e1795d2eb Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 5 Feb 2018 12:38:11 -0600
+Subject: rtlwifi: rtl8821ae: Fix connection lost problem correctly
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit c713fb071edc0efc01a955f65a006b0e1795d2eb upstream.
+
+There has been a coding error in rtl8821ae since it was first introduced,
+namely that an 8-bit register was read using a 16-bit read in
+_rtl8821ae_dbi_read(). This error was fixed with commit 40b368af4b75
+("rtlwifi: Fix alignment issues"); however, this change led to
+instability in the connection. To restore stability, this change
+was reverted in commit b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection
+lost problem").
+
+Unfortunately, the unaligned access causes machine checks in ARM
+architecture, and we were finally forced to find the actual cause of the
+problem on x86 platforms. Following a suggestion from Pkshih
+<pkshih@realtek.com>, it was found that increasing the ASPM L1
+latency from 0 to 7 fixed the instability. This parameter was varied to
+see if a smaller value would work; however, it appears that 7 is the
+safest value. A new symbol is defined for this quantity, thus it can be
+easily changed if necessary.
+
+Fixes: b8b8b16352cd ("rtlwifi: rtl8821ae: Fix connection lost problem")
+Cc: Stable <stable@vger.kernel.org> # 4.14+
+Fix-suggested-by: Pkshih <pkshih@realtek.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Tested-by: James Cameron <quozl@laptop.org> # x86_64 OLPC NL3
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 5 +++--
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 1 +
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1128,7 +1128,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
+ }
+ if (0 == tmp) {
+ read_addr = REG_DBI_RDATA + addr % 4;
+- ret = rtl_read_word(rtlpriv, read_addr);
++ ret = rtl_read_byte(rtlpriv, read_addr);
+ }
+ return ret;
+ }
+@@ -1170,7 +1170,8 @@ static void _rtl8821ae_enable_aspm_back_
+ }
+
+ tmp = _rtl8821ae_dbi_read(rtlpriv, 0x70f);
+- _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7));
++ _rtl8821ae_dbi_write(rtlpriv, 0x70f, tmp | BIT(7) |
++ ASPM_L1_LATENCY << 3);
+
+ tmp = _rtl8821ae_dbi_read(rtlpriv, 0x719);
+ _rtl8821ae_dbi_write(rtlpriv, 0x719, tmp | BIT(3) | BIT(4));
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -99,6 +99,7 @@
+ #define RTL_USB_MAX_RX_COUNT 100
+ #define QBSS_LOAD_SIZE 5
+ #define MAX_WMMELE_LENGTH 64
++#define ASPM_L1_LATENCY 7
+
+ #define TOTAL_CAM_ENTRY 32
+
pci-keystone-fix-interrupt-controller-node-lookup.patch
video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch
console-dummy-leave-.con_font_get-set-to-null.patch
+rtlwifi-rtl8821ae-fix-connection-lost-problem-correctly.patch
+target-iscsi-avoid-null-dereference-in-chap-auth-error-path.patch
+btrfs-fix-deadlock-in-run_delalloc_nocow.patch
+btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
+btrfs-fix-extent-state-leak-from-tree-log.patch
+btrfs-fix-btrfs_evict_inode-to-handle-abnormal-inodes-correctly.patch
+btrfs-fix-unexpected-eexist-when-creating-new-inode.patch
+9p-trans_virtio-discard-zero-length-reply.patch
+mtd-nand-vf610-set-correct-ooblayout.patch
+alsa-hda-fix-headset-mic-detection-problem-for-two-dell-machines.patch
+alsa-usb-audio-fix-uac2-get_ctl-request-with-a-range-attribute.patch
+alsa-hda-realtek-enable-thinkpad-dock-device-for-alc298-platform.patch
+alsa-hda-realtek-pci-quirk-for-fujitsu-u7x7.patch
+alsa-usb-audio-add-implicit-fb-quirk-for-behringer-ufx1204.patch
+alsa-seq-fix-racy-pool-initializations.patch
+mvpp2-fix-multicast-address-filter.patch
powerpc-fix-build-errors-in-stable-tree.patch
ib-qib-fix-comparison-error-with-qperf-compare-swap-test.patch
ib-mlx4-fix-incorrectly-releasing-steerable-ud-qps-when-have-only-eth-ports.patch
--- /dev/null
+From ce512d79d0466a604793addb6b769d12ee326822 Mon Sep 17 00:00:00 2001
+From: David Disseldorp <ddiss@suse.de>
+Date: Wed, 13 Dec 2017 18:22:30 +0100
+Subject: target/iscsi: avoid NULL dereference in CHAP auth error path
+
+From: David Disseldorp <ddiss@suse.de>
+
+commit ce512d79d0466a604793addb6b769d12ee326822 upstream.
+
+If chap_server_compute_md5() fails early, e.g. via CHAP_N mismatch, then
+crypto_free_shash() is called with a NULL pointer which gets
+dereferenced in crypto_shash_tfm().
+
+Fixes: 69110e3cedbb ("iscsi-target: Use shash and ahash")
+Suggested-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Cc: stable@vger.kernel.org # 4.6+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -413,7 +413,8 @@ static int chap_server_compute_md5(
+ auth_ret = 0;
+ out:
+ kzfree(desc);
+- crypto_free_shash(tfm);
++ if (tfm)
++ crypto_free_shash(tfm);
+ kfree(challenge);
+ kfree(challenge_binhex);
+ return auth_ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
