4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Feb 2017 08:11:29 +0000 (09:11 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Feb 2017 08:11:29 +0000 (09:11 +0100)
added patches:
block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch
rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch

queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch [new file with mode: 0644]
queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch [new file with mode: 0644]
queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch b/queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
new file mode 100644 (file)
index 0000000..e23333b
--- /dev/null
@@ -0,0 +1,58 @@
+From 5f478e4ea5c5560b4e40eb136991a09f9389f331 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 8 Feb 2017 15:19:07 -0500
+Subject: block: fix double-free in the failure path of cgwb_bdi_init()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 5f478e4ea5c5560b4e40eb136991a09f9389f331 upstream.
+
+When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested
+at bdi->wb_congested.  cgwb_bdi_init() allocates it with kzalloc() and
+doesn't do further initialization.  This usually works fine as the
+reference count gets bumped to 1 by wb_init() and the put from
+wb_exit() releases it.
+
+However, when wb_init() fails, it puts the wb base ref automatically
+freeing the wb and the explicit kfree() in cgwb_bdi_init() error path
+ends up trying to free the same pointer the second time causing a
+double-free.
+
+Fix it by explicitly initilizing the refcnt to 1 and putting the base
+ref from cgwb_bdi_destroy().
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: a13f35e87140 ("writeback: don't embed root bdi_writeback_congested in bdi_writeback")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/backing-dev.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_
+       if (!bdi->wb_congested)
+               return -ENOMEM;
++      atomic_set(&bdi->wb_congested->refcnt, 1);
++
+       err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
+       if (err) {
+-              kfree(bdi->wb_congested);
++              wb_congested_put(bdi->wb_congested);
+               return err;
+       }
+       return 0;
+ }
+-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
++static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
++{
++      wb_congested_put(bdi->wb_congested);
++}
+ #endif        /* CONFIG_CGROUP_WRITEBACK */
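Review bot: In the wb_init() failure branch of cgwb_bdi_init(), `wb_congested_put(bdi->wb_congested);` is meant to drop the base reference and free the object, but bdi->wb_congested keeps pointing at it, and the new cgwb_bdi_destroy() puts that pointer unconditionally. If any caller runs the destroy path on a bdi whose init failed (not visible from this hunk, so worth confirming against the 4.4 callers), that would be a put on freed memory, the same class of bug this patch fixes. Setting `bdi->wb_congested = NULL;` after the put on failure, together with an `if (bdi->wb_congested)` guard in cgwb_bdi_destroy(), would make the pairing explicit. A short comment on the `atomic_set()` line, such as `/* base ref, dropped in cgwb_bdi_destroy() */`, would also record why the count starts at 1. cgwb_bdi_init() begins outside the hunk.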
diff --git a/queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch b/queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch
new file mode 100644 (file)
index 0000000..32aed15
--- /dev/null
@@ -0,0 +1,37 @@
+From 1bc7da87c7410c6990c3251589e3854e64c55af2 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Fri, 29 Jan 2016 16:47:24 +0800
+Subject: Revert "usb: chipidea: imx: enable CI_HDRC_SET_NON_ZERO_TTHA"
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 1bc7da87c7410c6990c3251589e3854e64c55af2 upstream.
+
+This reverts commit e765bfb73ff7.
+
+In the most of cases, we only use one transaction per frame and the
+frame rate may be high, If the platforms want to support multiple
+transactions but less frame rate cases like [1] and [2], it can set
+"non-zero-ttctrl-ttha" at dts.
+
+[1] http://www.spinics.net/lists/linux-usb/msg123125.html
+[2] http://www.spinics.net/lists/linux-usb/msg118679.html
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Cc: Martin Fuzzey <mfuzzey@parkeon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/ci_hdrc_imx.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -244,7 +244,6 @@ static int ci_hdrc_imx_probe(struct plat
+       struct ci_hdrc_platform_data pdata = {
+               .name           = dev_name(&pdev->dev),
+               .capoffset      = DEF_CAPOFFSET,
+-              .flags          = CI_HDRC_SET_NON_ZERO_TTHA,
+       };
+       int ret;
+       const struct of_device_id *of_id;
diff --git a/queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch b/queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
new file mode 100644 (file)
index 0000000..9333ad2
--- /dev/null
@@ -0,0 +1,56 @@
+From 575ddce0507789bf9830d089557d2199d2f91865 Mon Sep 17 00:00:00 2001
+From: Michael Schenk <michael.schenk@albis-elcon.com>
+Date: Thu, 26 Jan 2017 11:25:04 -0600
+Subject: rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
+
+From: Michael Schenk <michael.schenk@albis-elcon.com>
+
+commit 575ddce0507789bf9830d089557d2199d2f91865 upstream.
+
+In the function rtl_usb_start we pre-allocate a certain number of urbs
+for RX path but they will not be freed when calling rtl_usb_stop. This
+results in leaking urbs when doing ifconfig up and down. Eventually,
+the system has no available urbs.
+
+Signed-off-by: Michael Schenk <michael.schenk@albis-elcon.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -834,12 +834,30 @@ static void rtl_usb_stop(struct ieee8021
+       struct rtl_priv *rtlpriv = rtl_priv(hw);
+       struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
+       struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
++      struct urb *urb;
+       /* should after adapter start and interrupt enable. */
+       set_hal_stop(rtlhal);
+       cancel_work_sync(&rtlpriv->works.fill_h2c_cmd);
+       /* Enable software */
+       SET_USB_STOP(rtlusb);
++
++      /* free pre-allocated URBs from rtl_usb_start() */
++      usb_kill_anchored_urbs(&rtlusb->rx_submitted);
++
++      tasklet_kill(&rtlusb->rx_work_tasklet);
++      cancel_work_sync(&rtlpriv->works.lps_change_work);
++
++      flush_workqueue(rtlpriv->works.rtl_wq);
++
++      skb_queue_purge(&rtlusb->rx_queue);
++
++      while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
++              usb_free_coherent(urb->dev, urb->transfer_buffer_length,
++                              urb->transfer_buffer, urb->transfer_dma);
++              usb_free_urb(urb);
++      }
++
+       rtlpriv->cfg->ops->hw_disable(hw);
+ }
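Review bot: The comment `/* free pre-allocated URBs from rtl_usb_start() */` sits above `usb_kill_anchored_urbs(&rtlusb->rx_submitted)`, which cancels in-flight URBs; the buffers are only released in the `while` loop over rx_cleanup_urbs at the end of the added code. The order of the steps in between looks deliberate (cancel URBs, then stop the tasklet and work items, then purge the queue, then free), and a later reordering could let the RX path touch buffers that are already freed, so the sequence deserves to be documented. I would reword the first comment to `/* cancel in-flight RX URBs; buffers are freed from rx_cleanup_urbs below */` and add `/* RX path is quiesced: release the coherent buffers and the URBs */` above the loop. rtl_usb_stop() starts outside the hunk.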
index 196c9d041c4d8114d47788170bc6f384892f383c..32a8116be675e3f5baab29afc6e37d6dcb8c9e94 100644 (file)
@@ -20,3 +20,6 @@ usb-serial-opticon-fix-cts-retrieval-at-open.patch
 usb-serial-ark3116-fix-register-accessor-error-handling.patch
 x86-platform-goldfish-prevent-unconditional-loading.patch
 goldfish-sanitize-the-broken-interrupt-handler.patch
+block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
+rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
+revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch