From: Greg Kroah-Hartman
Date: Fri, 24 Feb 2017 08:11:29 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.52~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc94ba5297e0ee8153809e83e7ab580772fc9b00;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch
rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
---
diff --git a/queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch b/queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
new file mode 100644
index 00000000000..e23333b3ec3
--- /dev/null
+++ b/queue-4.4/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
@@ -0,0 +1,58 @@
+From 5f478e4ea5c5560b4e40eb136991a09f9389f331 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Wed, 8 Feb 2017 15:19:07 -0500
+Subject: block: fix double-free in the failure path of cgwb_bdi_init()
+
+From: Tejun Heo
+
+commit 5f478e4ea5c5560b4e40eb136991a09f9389f331 upstream.
+
+When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested
+at bdi->wb_congested. cgwb_bdi_init() allocates it with kzalloc() and
+doesn't do further initialization. This usually works fine as the
+reference count gets bumped to 1 by wb_init() and the put from
+wb_exit() releases it.
+
+However, when wb_init() fails, it puts the wb base ref automatically
+freeing the wb and the explicit kfree() in cgwb_bdi_init() error path
+ends up trying to free the same pointer the second time causing a
+double-free.
+
+Fix it by explicitly initilizing the refcnt to 1 and putting the base
+ref from cgwb_bdi_destroy().
+
+Signed-off-by: Tejun Heo
+Reported-by: Dmitry Vyukov
+Fixes: a13f35e87140 ("writeback: don't embed root bdi_writeback_congested in bdi_writeback")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/backing-dev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -757,15 +757,20 @@ static int cgwb_bdi_init(struct backing_
+ if (!bdi->wb_congested)
+ return -ENOMEM;
+
++ atomic_set(&bdi->wb_congested->refcnt, 1);
++
+ err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
+ if (err) {
+- kfree(bdi->wb_congested);
++ wb_congested_put(bdi->wb_congested);
+ return err;
+ }
+ return 0;
+ }
+
+-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
++static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
++{
++ wb_congested_put(bdi->wb_congested);
++}
+
+ #endif /* CONFIG_CGROUP_WRITEBACK */
+
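Review bot: The new `cgwb_bdi_destroy()` dereferences `bdi->wb_congested` unconditionally, while the error path of `cgwb_bdi_init()` leaves that field pointing at an object whose base reference it has just dropped (presumably the last one). Whether any caller runs the destroy path on a bdi whose init failed is not visible in this hunk; if one does, the put would act on freed memory, or on a NULL pointer after the earlier `-ENOMEM` return. I would state the ownership rule where the reference is created, with `/* base ref owned by the bdi; dropped in cgwb_bdi_destroy(), which must only run after a successful init */` above the `atomic_set()` call. The body of cgwb_bdi_init() starts outside the hunk, so the allocation itself cannot be checked from here.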
diff --git a/queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch b/queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch
new file mode 100644
index 00000000000..32aed15062c
--- /dev/null
+++ b/queue-4.4/revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch
@@ -0,0 +1,37 @@
+From 1bc7da87c7410c6990c3251589e3854e64c55af2 Mon Sep 17 00:00:00 2001
+From: Peter Chen
+Date: Fri, 29 Jan 2016 16:47:24 +0800
+Subject: Revert "usb: chipidea: imx: enable CI_HDRC_SET_NON_ZERO_TTHA"
+
+From: Peter Chen
+
+commit 1bc7da87c7410c6990c3251589e3854e64c55af2 upstream.
+
+This reverts commit e765bfb73ff7.
+
+In the most of cases, we only use one transaction per frame and the
+frame rate may be high, If the platforms want to support multiple
+transactions but less frame rate cases like [1] and [2], it can set
+"non-zero-ttctrl-ttha" at dts.
+
+[1] http://www.spinics.net/lists/linux-usb/msg123125.html
+[2] http://www.spinics.net/lists/linux-usb/msg118679.html
+
+Signed-off-by: Peter Chen
+Cc: Martin Fuzzey
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/chipidea/ci_hdrc_imx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -244,7 +244,6 @@ static int ci_hdrc_imx_probe(struct plat
+ struct ci_hdrc_platform_data pdata = {
+ .name = dev_name(&pdev->dev),
+ .capoffset = DEF_CAPOFFSET,
+- .flags = CI_HDRC_SET_NON_ZERO_TTHA,
+ };
+ int ret;
+ const struct of_device_id *of_id;
diff --git a/queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch b/queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
new file mode 100644
index 00000000000..9333ad25bd2
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
@@ -0,0 +1,56 @@
+From 575ddce0507789bf9830d089557d2199d2f91865 Mon Sep 17 00:00:00 2001
+From: Michael Schenk
+Date: Thu, 26 Jan 2017 11:25:04 -0600
+Subject: rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
+
+From: Michael Schenk
+
+commit 575ddce0507789bf9830d089557d2199d2f91865 upstream.
+
+In the function rtl_usb_start we pre-allocate a certain number of urbs
+for RX path but they will not be freed when calling rtl_usb_stop. This
+results in leaking urbs when doing ifconfig up and down. Eventually,
+the system has no available urbs.
+
+Signed-off-by: Michael Schenk
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -834,12 +834,30 @@ static void rtl_usb_stop(struct ieee8021
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
+ struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
++ struct urb *urb;
+
+ /* should after adapter start and interrupt enable. */
+ set_hal_stop(rtlhal);
+ cancel_work_sync(&rtlpriv->works.fill_h2c_cmd);
+ /* Enable software */
+ SET_USB_STOP(rtlusb);
++
++ /* free pre-allocated URBs from rtl_usb_start() */
++ usb_kill_anchored_urbs(&rtlusb->rx_submitted);
++
++ tasklet_kill(&rtlusb->rx_work_tasklet);
++ cancel_work_sync(&rtlpriv->works.lps_change_work);
++
++ flush_workqueue(rtlpriv->works.rtl_wq);
++
++ skb_queue_purge(&rtlusb->rx_queue);
++
++ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
++ usb_free_coherent(urb->dev, urb->transfer_buffer_length,
++ urb->transfer_buffer, urb->transfer_dma);
++ usb_free_urb(urb);
++ }
++
+ rtlpriv->cfg->ops->hw_disable(hw);
+ }
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 196c9d041c4..32a8116be67 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
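Review bot: The comment `/* free pre-allocated URBs from rtl_usb_start() */` is attached to `usb_kill_anchored_urbs(&rtlusb->rx_submitted)`, which only cancels URBs in flight; the buffers and URBs are actually released in the `while` loop over `rx_cleanup_urbs` several lines later. The teardown also appears to depend on its order (stop flag, kill URBs, kill tasklet, flush work, purge queue, then drain the anchor) so that nothing can requeue onto `rx_queue` or `rx_cleanup_urbs` while the loop runs, and that dependency is not written down. I would reword the first comment to `/* stop RX: cancel in-flight URBs before tearing down the tasklet and work items */` and add `/* release URBs and coherent buffers left on rx_cleanup_urbs */` above the loop. Because `usb_get_from_anchor()` returns the URB with a reference held, it is worth confirming against the allocation path outside this hunk that the single `usb_free_urb()` drops the last reference, otherwise the leak is only partly closed. rtl_usb_stop() begins outside the hunk.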
@@ -20,3 +20,6 @@ usb-serial-opticon-fix-cts-retrieval-at-open.patch
 usb-serial-ark3116-fix-register-accessor-error-handling.patch
 x86-platform-goldfish-prevent-unconditional-loading.patch
 goldfish-sanitize-the-broken-interrupt-handler.patch
+block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
+rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
+revert-usb-chipidea-imx-enable-ci_hdrc_set_non_zero_ttha.patch