From: Greg Kroah-Hartman Date: Mon, 7 Nov 2016 16:18:17 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.31~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9eee973f31f5ebaf7edb020821c0d3ac1edd8657;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch alsa-usb-audio-add-quirk-for-syntek-stk1160.patch keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch libxfs-clean-up-_calc_dquots_per_chunk.patch mm-list_lru.c-avoid-error-path-null-pointer-deref.patch mm-memcontrol-do-not-recurse-in-direct-reclaim.patch --- diff --git a/queue-4.4/alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch b/queue-4.4/alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch new file mode 100644 index 00000000000..dcbbb58cce5 --- /dev/null +++ b/queue-4.4/alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch @@ -0,0 +1,48 @@ +From f771d5bb71d4df9573d12386400540516672208b Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 18 Oct 2016 10:59:09 +0800 +Subject: ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table + +From: Hui Wang + +commit f771d5bb71d4df9573d12386400540516672208b upstream. + +We have a new Dell laptop model which uses ALC295, the pin definition +is different from the existing ones in the pin quirk table, to fix the +headset mic detection and mic mute led's problem, we need to add the +new pin defintion into the pin quirk table. + +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5793,8 +5793,6 @@ static const struct hda_model_fixup alc2 + #define ALC295_STANDARD_PINS \ + {0x12, 0xb7a60130}, \ + {0x14, 0x90170110}, \ +- {0x17, 0x21014020}, \ +- {0x18, 0x21a19030}, \ + {0x21, 0x04211020} + + #define ALC298_STANDARD_PINS \ +@@ -6021,7 +6019,13 @@ static const struct snd_hda_pin_quirk al + ALC292_STANDARD_PINS, + {0x13, 0x90a60140}), + SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, +- ALC295_STANDARD_PINS), ++ ALC295_STANDARD_PINS, ++ {0x17, 0x21014020}, ++ {0x18, 0x21a19030}), ++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC295_STANDARD_PINS, ++ {0x17, 0x21014040}, ++ {0x18, 0x21a19050}), + SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC298_STANDARD_PINS, + {0x17, 0x90170110}), diff --git a/queue-4.4/alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch b/queue-4.4/alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch new file mode 100644 index 00000000000..e74bb9de11b --- /dev/null +++ b/queue-4.4/alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch @@ -0,0 +1,54 @@ +From 3ab7511eafdd5c4f40d2832f09554478dfbea170 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 17 Oct 2016 17:23:59 +0100 +Subject: ALSA: hda - allow 40 bit DMA mask for NVidia devices + +From: Ard Biesheuvel + +commit 3ab7511eafdd5c4f40d2832f09554478dfbea170 upstream. + +Commit 49d9e77e72cf ("ALSA: hda - Fix system panic when DMA > 40 bits +for Nvidia audio controllers") simply disabled any DMA exceeding 32 +bits for NVidia devices, even though they are capable of performing +DMA up to 40 bits. On some architectures (such as arm64), system memory +is not guaranteed to be 32-bit addressable by PCI devices, and so this +change prevents NVidia devices from working on platforms such as AMD +Seattle. + +Since the original commit already mentioned that up to 40 bits of DMA +is supported, and given that the code has been updated in the meantime +to support a 40 bit DMA mask on other devices, revert commit 49d9e77e72cf +and explicitly set the DMA mask to 40 bits for NVidia devices. + +Fixes: 49d9e77e72cf ('ALSA: hda - Fix system panic when DMA > 40 bits...') +Signed-off-by: Ard Biesheuvel +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -334,8 +334,7 @@ enum { + + /* quirks for Nvidia */ + #define AZX_DCAPS_PRESET_NVIDIA \ +- (AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \ +- AZX_DCAPS_NO_64BIT | AZX_DCAPS_CORBRP_SELF_CLEAR |\ ++ (AZX_DCAPS_NO_MSI | AZX_DCAPS_CORBRP_SELF_CLEAR |\ + AZX_DCAPS_SNOOP_TYPE(NVIDIA)) + + #define AZX_DCAPS_PRESET_CTHDA \ +@@ -1725,6 +1724,10 @@ static int azx_first_init(struct azx *ch + } + } + ++ /* NVidia hardware normally only supports up to 40 bits of DMA */ ++ if (chip->pci->vendor == PCI_VENDOR_ID_NVIDIA) ++ dma_bits = 40; ++ + /* disable 64bit DMA address on some devices */ + if (chip->driver_caps & AZX_DCAPS_NO_64BIT) { + dev_dbg(card->dev, "Disabling 64bit DMA\n"); diff --git a/queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch b/queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch new file mode 100644 index 00000000000..ad7a28f86b3 --- /dev/null +++ b/queue-4.4/alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch @@ -0,0 +1,43 @@ +From 6aecd8715802d23dc6a0859b50c62d2b0a99de3a Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Thu, 20 Oct 2016 14:03:33 +0800 +Subject: ALSA: hda - Fix headset mic detection problem for two Dell laptops + +From: Hui Wang + +commit 6aecd8715802d23dc6a0859b50c62d2b0a99de3a upstream. + +They uses the codec ALC255, and have the different pin cfg definition +from the ones in the existing pin quirk table. Now adding them into +the table to fix the problem. + +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5839,11 +5839,19 @@ static const struct snd_hda_pin_quirk al + {0x1b, 0x02011020}, + {0x21, 0x0221101f}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x14, 0x90170110}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221101f}), ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x14, 0x90170130}, + {0x1b, 0x01014020}, + {0x21, 0x0221103f}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, + {0x14, 0x90170130}, ++ {0x1b, 0x01011020}, ++ {0x21, 0x0221103f}), ++ SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, ++ {0x14, 0x90170130}, + {0x1b, 0x02011020}, + {0x21, 0x0221103f}), + SND_HDA_PIN_QUIRK(0x10ec0255, 0x1028, "Dell", ALC255_FIXUP_DELL1_MIC_NO_PRESENCE, diff --git a/queue-4.4/alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch b/queue-4.4/alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch new file mode 100644 index 00000000000..efc62412fa5 --- /dev/null +++ b/queue-4.4/alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch @@ -0,0 +1,63 @@ +From ef85f299c74e6c5dd98ec0230183be33f4c2813d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 17 Dec 2015 08:12:37 +0100 +Subject: ALSA: hda - Merge RIRB_PRE_DELAY into CTX_WORKAROUND caps + +From: Takashi Iwai + +commit ef85f299c74e6c5dd98ec0230183be33f4c2813d upstream. + +AZX_DCAPS_RIRB_PRE_DELAY is always tied with AZX_DCAPS_CTX_WORKAROUND, +which is Creative's XFi specific. So, we can replace it and reduce +one more bit free for DCAPS. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 2 +- + sound/pci/hda/hda_controller.h | 2 +- + sound/pci/hda/hda_intel.c | 6 ++---- + 3 files changed, 4 insertions(+), 6 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -956,7 +956,7 @@ irqreturn_t azx_interrupt(int irq, void + status = azx_readb(chip, RIRBSTS); + if (status & RIRB_INT_MASK) { + if (status & RIRB_INT_RESPONSE) { +- if (chip->driver_caps & AZX_DCAPS_RIRB_PRE_DELAY) ++ if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND) + udelay(80); + snd_hdac_bus_update_rirb(bus); + } +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -33,7 +33,7 @@ + #define AZX_DCAPS_SNOOP_MASK (3 << 10) /* snoop type mask */ + #define AZX_DCAPS_SNOOP_OFF (1 << 12) /* snoop default off */ + #define AZX_DCAPS_RIRB_DELAY (1 << 13) /* Long delay in read loop */ +-#define AZX_DCAPS_RIRB_PRE_DELAY (1 << 14) /* Put a delay before read */ ++/* 14 unused */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ + #define AZX_DCAPS_POSFIX_VIA (1 << 17) /* Use VIACOMBO as default */ +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2406,14 +2406,12 @@ static const struct pci_device_id azx_id + .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8, + .class_mask = 0xffffff, + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | +- AZX_DCAPS_NO_64BIT | +- AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, ++ AZX_DCAPS_NO_64BIT | AZX_DCAPS_POSFIX_LPIB }, + #else + /* this entry seems still valid -- i.e. without emu20kx chip */ + { PCI_DEVICE(0x1102, 0x0009), + .driver_data = AZX_DRIVER_CTX | AZX_DCAPS_CTX_WORKAROUND | +- AZX_DCAPS_NO_64BIT | +- AZX_DCAPS_RIRB_PRE_DELAY | AZX_DCAPS_POSFIX_LPIB }, ++ AZX_DCAPS_NO_64BIT | AZX_DCAPS_POSFIX_LPIB }, + #endif + /* CM8888 */ + { PCI_DEVICE(0x13f6, 0x5011), diff --git a/queue-4.4/alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch b/queue-4.4/alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch new file mode 100644 index 00000000000..93f258fee52 --- /dev/null +++ b/queue-4.4/alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch @@ -0,0 +1,94 @@ +From 7d9a180895ee8c301df7f9447429009795c56c21 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 17 Dec 2015 08:23:39 +0100 +Subject: ALSA: hda - Raise AZX_DCAPS_RIRB_DELAY handling into top drivers + +From: Takashi Iwai + +commit 7d9a180895ee8c301df7f9447429009795c56c21 upstream. + +AZX_DCAPS_RIRB_DELAY is dedicated only for Nvidia and its purpose is +just to set a flag in bus. So it's better to be set in the toplevel +driver, either hda_intel.c or hda_tegra.c, instead of the common +hda_controller.c. This also allows us to strip this flag from dcaps, +so save one more bit there. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_controller.c | 5 ----- + sound/pci/hda/hda_controller.h | 2 +- + sound/pci/hda/hda_intel.c | 7 ++++++- + sound/pci/hda/hda_tegra.c | 5 +++-- + 4 files changed, 10 insertions(+), 9 deletions(-) + +--- a/sound/pci/hda/hda_controller.c ++++ b/sound/pci/hda/hda_controller.c +@@ -1055,11 +1055,6 @@ int azx_bus_init(struct azx *chip, const + if (chip->driver_caps & AZX_DCAPS_CORBRP_SELF_CLEAR) + bus->core.corbrp_self_clear = true; + +- if (chip->driver_caps & AZX_DCAPS_RIRB_DELAY) { +- dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n"); +- bus->needs_damn_long_delay = 1; +- } +- + if (chip->driver_caps & AZX_DCAPS_4K_BDLE_BOUNDARY) + bus->core.align_bdle_4k = true; + +--- a/sound/pci/hda/hda_controller.h ++++ b/sound/pci/hda/hda_controller.h +@@ -32,7 +32,7 @@ + #define AZX_DCAPS_NO_MSI (1 << 9) /* No MSI support */ + #define AZX_DCAPS_SNOOP_MASK (3 << 10) /* snoop type mask */ + #define AZX_DCAPS_SNOOP_OFF (1 << 12) /* snoop default off */ +-#define AZX_DCAPS_RIRB_DELAY (1 << 13) /* Long delay in read loop */ ++/* 13 unused */ + /* 14 unused */ + #define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */ + #define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */ +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -334,7 +334,7 @@ enum { + + /* quirks for Nvidia */ + #define AZX_DCAPS_PRESET_NVIDIA \ +- (AZX_DCAPS_RIRB_DELAY | AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \ ++ (AZX_DCAPS_NO_MSI | /*AZX_DCAPS_ALIGN_BUFSIZE |*/ \ + AZX_DCAPS_NO_64BIT | AZX_DCAPS_CORBRP_SELF_CLEAR |\ + AZX_DCAPS_SNOOP_TYPE(NVIDIA)) + +@@ -1637,6 +1637,11 @@ static int azx_create(struct snd_card *c + return err; + } + ++ if (chip->driver_type == AZX_DRIVER_NVIDIA) { ++ dev_dbg(chip->card->dev, "Enable delay in RIRB handling\n"); ++ chip->bus.needs_damn_long_delay = 1; ++ } ++ + err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops); + if (err < 0) { + dev_err(card->dev, "Error creating device [card]!\n"); +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -464,6 +464,8 @@ static int hda_tegra_create(struct snd_c + if (err < 0) + return err; + ++ chip->bus.needs_damn_long_delay = 1; ++ + err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops); + if (err < 0) { + dev_err(card->dev, "Error creating device\n"); +@@ -481,8 +483,7 @@ MODULE_DEVICE_TABLE(of, hda_tegra_match) + + static int hda_tegra_probe(struct platform_device *pdev) + { +- const unsigned int driver_flags = AZX_DCAPS_RIRB_DELAY | +- AZX_DCAPS_CORBRP_SELF_CLEAR; ++ const unsigned int driver_flags = AZX_DCAPS_CORBRP_SELF_CLEAR; + struct snd_card *card; + struct azx *chip; + struct hda_tegra *hda; diff --git a/queue-4.4/alsa-usb-audio-add-quirk-for-syntek-stk1160.patch b/queue-4.4/alsa-usb-audio-add-quirk-for-syntek-stk1160.patch new file mode 100644 index 00000000000..8839540b41a --- /dev/null +++ b/queue-4.4/alsa-usb-audio-add-quirk-for-syntek-stk1160.patch @@ -0,0 +1,48 @@ +From bdc3478f90cd4d2928197f36629d5cf93b64dbe9 Mon Sep 17 00:00:00 2001 +From: Marcel Hasler +Date: Thu, 27 Oct 2016 00:42:27 +0200 +Subject: ALSA: usb-audio: Add quirk for Syntek STK1160 + +From: Marcel Hasler + +commit bdc3478f90cd4d2928197f36629d5cf93b64dbe9 upstream. + +The stk1160 chip needs QUIRK_AUDIO_ALIGN_TRANSFER. This patch resolves +the issue reported on the mailing list +(http://marc.info/?l=linux-sound&m=139223599126215&w=2) and also fixes +bug 180071 (https://bugzilla.kernel.org/show_bug.cgi?id=180071). + +Signed-off-by: Marcel Hasler +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks-table.h | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2907,6 +2907,23 @@ AU0828_DEVICE(0x2040, 0x7260, "Hauppauge + AU0828_DEVICE(0x2040, 0x7213, "Hauppauge", "HVR-950Q"), + AU0828_DEVICE(0x2040, 0x7270, "Hauppauge", "HVR-950Q"), + ++/* Syntek STK1160 */ ++{ ++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | ++ USB_DEVICE_ID_MATCH_INT_CLASS | ++ USB_DEVICE_ID_MATCH_INT_SUBCLASS, ++ .idVendor = 0x05e1, ++ .idProduct = 0x0408, ++ .bInterfaceClass = USB_CLASS_AUDIO, ++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL, ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "Syntek", ++ .product_name = "STK1160", ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_AUDIO_ALIGN_TRANSFER ++ } ++}, ++ + /* Digidesign Mbox */ + { + /* Thanks to Clemens Ladisch */ diff --git a/queue-4.4/keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch b/queue-4.4/keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch new file mode 100644 index 00000000000..de58a216e39 --- /dev/null +++ b/queue-4.4/keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch @@ -0,0 +1,74 @@ +From 03dab869b7b239c4e013ec82aea22e181e441cfc Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 26 Oct 2016 15:01:54 +0100 +Subject: KEYS: Fix short sprintf buffer in /proc/keys show function + +From: David Howells + +commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream. + +This fixes CVE-2016-7042. + +Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector +is turned on, this can cause a panic due to stack corruption. + +The problem is that xbuf[] is not big enough to hold a 64-bit timeout +rendered as weeks: + + (gdb) p 0xffffffffffffffffULL/(60*60*24*7) + $2 = 30500568904943 + +That's 14 chars plus NUL, not 11 chars plus NUL. + +Expand the buffer to 16 chars. + +I think the unpatched code apparently works if the stack-protector is not +enabled because on a 32-bit machine the buffer won't be overflowed and on a +64-bit machine there's a 64-bit aligned pointer at one side and an int that +isn't checked again on the other side. + +The panic incurred looks something like: + +Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe +CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 +Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f + ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 + ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 +Call Trace: + [] dump_stack+0x63/0x84 + [] panic+0xde/0x22a + [] ? proc_keys_show+0x3ce/0x3d0 + [] __stack_chk_fail+0x19/0x30 + [] proc_keys_show+0x3ce/0x3d0 + [] ? key_validate+0x50/0x50 + [] ? key_default_cmp+0x20/0x20 + [] seq_read+0x2cc/0x390 + [] proc_reg_read+0x42/0x70 + [] __vfs_read+0x37/0x150 + [] ? security_file_permission+0xa0/0xc0 + [] vfs_read+0x96/0x130 + [] SyS_read+0x55/0xc0 + [] entry_SYSCALL_64_fastpath+0x1a/0xa4 + +Reported-by: Ondrej Kozina +Signed-off-by: David Howells +Tested-by: Ondrej Kozina +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_fil + struct timespec now; + unsigned long timo; + key_ref_t key_ref, skey_ref; +- char xbuf[12]; ++ char xbuf[16]; + int rc; + + struct keyring_search_context ctx = { diff --git a/queue-4.4/libxfs-clean-up-_calc_dquots_per_chunk.patch b/queue-4.4/libxfs-clean-up-_calc_dquots_per_chunk.patch new file mode 100644 index 00000000000..6c8ee8a9513 --- /dev/null +++ b/queue-4.4/libxfs-clean-up-_calc_dquots_per_chunk.patch @@ -0,0 +1,35 @@ +From 58d789678546d46d7bbd809dd7dab417c0f23655 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Thu, 20 Oct 2016 15:46:18 +1100 +Subject: libxfs: clean up _calc_dquots_per_chunk + +From: Darrick J. Wong + +commit 58d789678546d46d7bbd809dd7dab417c0f23655 upstream. + +The function xfs_calc_dquots_per_chunk takes a parameter in units +of basic blocks. The kernel seems to get the units wrong, but +userspace got 'fixed' by commenting out the unnecessary conversion. +Fix both. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Eric Sandeen +Signed-off-by: Dave Chinner +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/libxfs/xfs_dquot_buf.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/xfs/libxfs/xfs_dquot_buf.c ++++ b/fs/xfs/libxfs/xfs_dquot_buf.c +@@ -191,8 +191,7 @@ xfs_dquot_buf_verify_crc( + if (mp->m_quotainfo) + ndquots = mp->m_quotainfo->qi_dqperchunk; + else +- ndquots = xfs_calc_dquots_per_chunk( +- XFS_BB_TO_FSB(mp, bp->b_length)); ++ ndquots = xfs_calc_dquots_per_chunk(bp->b_length); + + for (i = 0; i < ndquots; i++, d++) { + if (!xfs_verify_cksum((char *)d, sizeof(struct xfs_dqblk), diff --git a/queue-4.4/mm-list_lru.c-avoid-error-path-null-pointer-deref.patch b/queue-4.4/mm-list_lru.c-avoid-error-path-null-pointer-deref.patch new file mode 100644 index 00000000000..1d1f84f9b77 --- /dev/null +++ b/queue-4.4/mm-list_lru.c-avoid-error-path-null-pointer-deref.patch @@ -0,0 +1,44 @@ +From 1bc11d70b5db7c6bb1414b283d7f09b1fe1ac0d0 Mon Sep 17 00:00:00 2001 +From: Alexander Polakov +Date: Thu, 27 Oct 2016 17:46:27 -0700 +Subject: mm/list_lru.c: avoid error-path NULL pointer deref + +From: Alexander Polakov + +commit 1bc11d70b5db7c6bb1414b283d7f09b1fe1ac0d0 upstream. + +As described in https://bugzilla.kernel.org/show_bug.cgi?id=177821: + +After some analysis it seems to be that the problem is in alloc_super(). +In case list_lru_init_memcg() fails it goes into destroy_super(), which +calls list_lru_destroy(). + +And in list_lru_init() we see that in case memcg_init_list_lru() fails, +lru->node is freed, but not set NULL, which then leads list_lru_destroy() +to believe it is initialized and call memcg_destroy_list_lru(). +memcg_destroy_list_lru() in turn can access lru->node[i].memcg_lrus, +which is NULL. + +[akpm@linux-foundation.org: add comment] +Signed-off-by: Alexander Polakov +Acked-by: Vladimir Davydov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/list_lru.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/list_lru.c ++++ b/mm/list_lru.c +@@ -554,6 +554,8 @@ int __list_lru_init(struct list_lru *lru + err = memcg_init_list_lru(lru, memcg_aware); + if (err) { + kfree(lru->node); ++ /* Do this so a list_lru_destroy() doesn't crash: */ ++ lru->node = NULL; + goto out; + } + diff --git a/queue-4.4/mm-memcontrol-do-not-recurse-in-direct-reclaim.patch b/queue-4.4/mm-memcontrol-do-not-recurse-in-direct-reclaim.patch new file mode 100644 index 00000000000..47be38c4837 --- /dev/null +++ b/queue-4.4/mm-memcontrol-do-not-recurse-in-direct-reclaim.patch @@ -0,0 +1,103 @@ +From 89a2848381b5fcd9c4d9c0cd97680e3b28730e31 Mon Sep 17 00:00:00 2001 +From: Johannes Weiner +Date: Thu, 27 Oct 2016 17:46:56 -0700 +Subject: mm: memcontrol: do not recurse in direct reclaim + +From: Johannes Weiner + +commit 89a2848381b5fcd9c4d9c0cd97680e3b28730e31 upstream. + +On 4.0, we saw a stack corruption from a page fault entering direct +memory cgroup reclaim, calling into btrfs_releasepage(), which then +tried to allocate an extent and recursed back into a kmem charge ad +nauseam: + + [...] + btrfs_releasepage+0x2c/0x30 + try_to_release_page+0x32/0x50 + shrink_page_list+0x6da/0x7a0 + shrink_inactive_list+0x1e5/0x510 + shrink_lruvec+0x605/0x7f0 + shrink_zone+0xee/0x320 + do_try_to_free_pages+0x174/0x440 + try_to_free_mem_cgroup_pages+0xa7/0x130 + try_charge+0x17b/0x830 + memcg_charge_kmem+0x40/0x80 + new_slab+0x2d9/0x5a0 + __slab_alloc+0x2fd/0x44f + kmem_cache_alloc+0x193/0x1e0 + alloc_extent_state+0x21/0xc0 + __clear_extent_bit+0x2b5/0x400 + try_release_extent_mapping+0x1a3/0x220 + __btrfs_releasepage+0x31/0x70 + btrfs_releasepage+0x2c/0x30 + try_to_release_page+0x32/0x50 + shrink_page_list+0x6da/0x7a0 + shrink_inactive_list+0x1e5/0x510 + shrink_lruvec+0x605/0x7f0 + shrink_zone+0xee/0x320 + do_try_to_free_pages+0x174/0x440 + try_to_free_mem_cgroup_pages+0xa7/0x130 + try_charge+0x17b/0x830 + mem_cgroup_try_charge+0x65/0x1c0 + handle_mm_fault+0x117f/0x1510 + __do_page_fault+0x177/0x420 + do_page_fault+0xc/0x10 + page_fault+0x22/0x30 + +On later kernels, kmem charging is opt-in rather than opt-out, and that +particular kmem allocation in btrfs_releasepage() is no longer being +charged and won't recurse and overrun the stack anymore. + +But it's not impossible for an accounted allocation to happen from the +memcg direct reclaim context, and we needed to reproduce this crash many +times before we even got a useful stack trace out of it. + +Like other direct reclaimers, mark tasks in memcg reclaim PF_MEMALLOC to +avoid recursing into any other form of direct reclaim. Then let +recursive charges from PF_MEMALLOC contexts bypass the cgroup limit. + +Link: http://lkml.kernel.org/r/20161025141050.GA13019@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Michal Hocko +Cc: Vladimir Davydov +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memcontrol.c | 9 +++++++++ + mm/vmscan.c | 2 ++ + 2 files changed, 11 insertions(+) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2055,6 +2055,15 @@ retry: + current->flags & PF_EXITING)) + goto force; + ++ /* ++ * Prevent unbounded recursion when reclaim operations need to ++ * allocate memory. This might exceed the limits temporarily, ++ * but we prefer facilitating memory reclaim and getting back ++ * under the limit over triggering OOM kills in these cases. ++ */ ++ if (unlikely(current->flags & PF_MEMALLOC)) ++ goto force; ++ + if (unlikely(task_in_memcg_oom(current))) + goto nomem; + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2910,7 +2910,9 @@ unsigned long try_to_free_mem_cgroup_pag + sc.may_writepage, + sc.gfp_mask); + ++ current->flags |= PF_MEMALLOC; + nr_reclaimed = do_try_to_free_pages(zonelist, &sc); ++ current->flags &= ~PF_MEMALLOC; + + trace_mm_vmscan_memcg_reclaim_end(nr_reclaimed); + diff --git a/queue-4.4/series b/queue-4.4/series index d3b964e377f..e91d90c677a 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -3,3 +3,13 @@ i2c-xgene-avoid-dma_buffer-overrun.patch i2c-core-fix-null-pointer-dereference-under-race-condition.patch drm-dp-mst-clear-port-pdt-when-tearing-down-the-i2c-adapter.patch h8300-fix-syscall-restarting.patch +libxfs-clean-up-_calc_dquots_per_chunk.patch +mm-list_lru.c-avoid-error-path-null-pointer-deref.patch +mm-memcontrol-do-not-recurse-in-direct-reclaim.patch +keys-fix-short-sprintf-buffer-in-proc-keys-show-function.patch +alsa-usb-audio-add-quirk-for-syntek-stk1160.patch +alsa-hda-merge-rirb_pre_delay-into-ctx_workaround-caps.patch +alsa-hda-raise-azx_dcaps_rirb_delay-handling-into-top-drivers.patch +alsa-hda-allow-40-bit-dma-mask-for-nvidia-devices.patch +alsa-hda-adding-a-new-group-of-pin-cfg-into-alc295-pin-quirk-table.patch +alsa-hda-fix-headset-mic-detection-problem-for-two-dell-laptops.patch