From bed6665b248f95b022ad6d42d4868337db06ebb8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 24 Feb 2017 09:10:54 +0100
Subject: [PATCH] 4.10-stable patches

added patches:
	acpica-linuxize-restore-and-fix-intel-compiler-build.patch
	block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
	rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
---
 ...restore-and-fix-intel-compiler-build.patch | 141 ++++++++++++++++++
 ...in-the-failure-path-of-cgwb_bdi_init.patch |  58 +++++++
 ...-leaking-when-doing-ifconfig-up-down.patch |  56 +++++++
 queue-4.10/series                             |   3 +
 4 files changed, 258 insertions(+)
 create mode 100644 queue-4.10/acpica-linuxize-restore-and-fix-intel-compiler-build.patch
 create mode 100644 queue-4.10/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
 create mode 100644 queue-4.10/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch

diff --git a/queue-4.10/acpica-linuxize-restore-and-fix-intel-compiler-build.patch b/queue-4.10/acpica-linuxize-restore-and-fix-intel-compiler-build.patch
new file mode 100644
index 00000000000..15bd9245fc4
--- /dev/null
+++ b/queue-4.10/acpica-linuxize-restore-and-fix-intel-compiler-build.patch
@@ -0,0 +1,141 @@
+From ffab9188e444854882dbc291500d576d6bad7b7b Mon Sep 17 00:00:00 2001
+From: Lv Zheng <lv.zheng@intel.com>
+Date: Wed, 8 Feb 2017 11:00:01 +0800
+Subject: ACPICA: Linuxize: Restore and fix Intel compiler build
+
+From: Lv Zheng <lv.zheng@intel.com>
+
+commit ffab9188e444854882dbc291500d576d6bad7b7b upstream.
+
+ACPICA commit b59347d0b8b676cb555fe8da5cad08fcd4eeb0d3
+
+The following commit cleans up compiler specific inclusions:
+
+  Commit: 9fa1cebdbfff3db8953cebca8ee327d75edefc40
+  Subject: ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers
+
+But breaks one thing due to the following old issue:
+
+ Buidling Linux kernel with Intel compiler originally depends on acgcc.h
+ not acintel.h.
+
+So after making Intel compiler build working in ACPICA upstream by
+correctly using acintel.h, it becomes unable to build Linux kernel using
+Intel compiler as there is no acintel.h in the kernel source tree.
+
+This patch releases acintel.h to Linux kernel and fixes its inclusion in
+acenv.h.
+
+Fixes: 9fa1cebdbfff (ACPICA: OSL: Cleanup the inclusion order of the compiler-specific headers)
+Link: https://github.com/acpica/acpica/commit/b59347d0
+Tested-by: Stepan M Mishura <stepan.m.mishura@intel.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/acpi/platform/acenv.h   |    2 
+ include/acpi/platform/acintel.h |   87 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 88 insertions(+), 1 deletion(-)
+
+--- a/include/acpi/platform/acenv.h
++++ b/include/acpi/platform/acenv.h
+@@ -177,7 +177,7 @@
+ #include "acmsvc.h"
+ 
+ #elif defined(__INTEL_COMPILER)
+-#include "acintel.h"
++#include <acpi/platform/acintel.h>
+ 
+ #endif
+ 
+--- /dev/null
++++ b/include/acpi/platform/acintel.h
+@@ -0,0 +1,87 @@
++/******************************************************************************
++ *
++ * Name: acintel.h - VC specific defines, etc.
++ *
++ *****************************************************************************/
++
++/*
++ * Copyright (C) 2000 - 2017, Intel Corp.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions, and the following disclaimer,
++ *    without modification.
++ * 2. Redistributions in binary form must reproduce at minimum a disclaimer
++ *    substantially similar to the "NO WARRANTY" disclaimer below
++ *    ("Disclaimer") and any redistribution must be conditioned upon
++ *    including a substantially similar Disclaimer requirement for further
++ *    binary redistribution.
++ * 3. Neither the names of the above-listed copyright holders nor the names
++ *    of any contributors may be used to endorse or promote products derived
++ *    from this software without specific prior written permission.
++ *
++ * Alternatively, this software may be distributed under the terms of the
++ * GNU General Public License ("GPL") version 2 as published by the Free
++ * Software Foundation.
++ *
++ * NO WARRANTY
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR
++ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
++ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGES.
++ */
++
++#ifndef __ACINTEL_H__
++#define __ACINTEL_H__
++
++/*
++ * Use compiler specific <stdarg.h> is a good practice for even when
++ * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined.
++ */
++#include <stdarg.h>
++
++/* Configuration specific to Intel 64-bit C compiler */
++
++#define COMPILER_DEPENDENT_INT64    __int64
++#define COMPILER_DEPENDENT_UINT64   unsigned __int64
++#define ACPI_INLINE                 __inline
++
++/*
++ * Calling conventions:
++ *
++ * ACPI_SYSTEM_XFACE        - Interfaces to host OS (handlers, threads)
++ * ACPI_EXTERNAL_XFACE      - External ACPI interfaces
++ * ACPI_INTERNAL_XFACE      - Internal ACPI interfaces
++ * ACPI_INTERNAL_VAR_XFACE  - Internal variable-parameter list interfaces
++ */
++#define ACPI_SYSTEM_XFACE
++#define ACPI_EXTERNAL_XFACE
++#define ACPI_INTERNAL_XFACE
++#define ACPI_INTERNAL_VAR_XFACE
++
++/* remark 981 - operands evaluated in no particular order */
++#pragma warning(disable:981)
++
++/* warn C4100: unreferenced formal parameter */
++#pragma warning(disable:4100)
++
++/* warn C4127: conditional expression is constant */
++#pragma warning(disable:4127)
++
++/* warn C4706: assignment within conditional expression */
++#pragma warning(disable:4706)
++
++/* warn C4214: bit field types other than int */
++#pragma warning(disable:4214)
++
++#endif				/* __ACINTEL_H__ */
diff --git a/queue-4.10/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch b/queue-4.10/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
new file mode 100644
index 00000000000..d08f1ff447e
--- /dev/null
+++ b/queue-4.10/block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
@@ -0,0 +1,58 @@
+From 5f478e4ea5c5560b4e40eb136991a09f9389f331 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 8 Feb 2017 15:19:07 -0500
+Subject: block: fix double-free in the failure path of cgwb_bdi_init()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 5f478e4ea5c5560b4e40eb136991a09f9389f331 upstream.
+
+When !CONFIG_CGROUP_WRITEBACK, bdi has single bdi_writeback_congested
+at bdi->wb_congested.  cgwb_bdi_init() allocates it with kzalloc() and
+doesn't do further initialization.  This usually works fine as the
+reference count gets bumped to 1 by wb_init() and the put from
+wb_exit() releases it.
+
+However, when wb_init() fails, it puts the wb base ref automatically
+freeing the wb and the explicit kfree() in cgwb_bdi_init() error path
+ends up trying to free the same pointer the second time causing a
+double-free.
+
+Fix it by explicitly initilizing the refcnt to 1 and putting the base
+ref from cgwb_bdi_destroy().
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Fixes: a13f35e87140 ("writeback: don't embed root bdi_writeback_congested in bdi_writeback")
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/backing-dev.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -758,15 +758,20 @@ static int cgwb_bdi_init(struct backing_
+ 	if (!bdi->wb_congested)
+ 		return -ENOMEM;
+ 
++	atomic_set(&bdi->wb_congested->refcnt, 1);
++
+ 	err = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
+ 	if (err) {
+-		kfree(bdi->wb_congested);
++		wb_congested_put(bdi->wb_congested);
+ 		return err;
+ 	}
+ 	return 0;
+ }
+ 
+-static void cgwb_bdi_destroy(struct backing_dev_info *bdi) { }
++static void cgwb_bdi_destroy(struct backing_dev_info *bdi)
++{
++	wb_congested_put(bdi->wb_congested);
++}
+ 
+ #endif	/* CONFIG_CGROUP_WRITEBACK */
+ 
diff --git a/queue-4.10/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch b/queue-4.10/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
new file mode 100644
index 00000000000..5d1b2057eef
--- /dev/null
+++ b/queue-4.10/rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
@@ -0,0 +1,56 @@
+From 575ddce0507789bf9830d089557d2199d2f91865 Mon Sep 17 00:00:00 2001
+From: Michael Schenk <michael.schenk@albis-elcon.com>
+Date: Thu, 26 Jan 2017 11:25:04 -0600
+Subject: rtlwifi: rtl_usb: Fix for URB leaking when doing ifconfig up/down
+
+From: Michael Schenk <michael.schenk@albis-elcon.com>
+
+commit 575ddce0507789bf9830d089557d2199d2f91865 upstream.
+
+In the function rtl_usb_start we pre-allocate a certain number of urbs
+for RX path but they will not be freed when calling rtl_usb_stop. This
+results in leaking urbs when doing ifconfig up and down. Eventually,
+the system has no available urbs.
+
+Signed-off-by: Michael Schenk <michael.schenk@albis-elcon.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -827,12 +827,30 @@ static void rtl_usb_stop(struct ieee8021
+ 	struct rtl_priv *rtlpriv = rtl_priv(hw);
+ 	struct rtl_hal *rtlhal = rtl_hal(rtl_priv(hw));
+ 	struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
++	struct urb *urb;
+ 
+ 	/* should after adapter start and interrupt enable. */
+ 	set_hal_stop(rtlhal);
+ 	cancel_work_sync(&rtlpriv->works.fill_h2c_cmd);
+ 	/* Enable software */
+ 	SET_USB_STOP(rtlusb);
++
++	/* free pre-allocated URBs from rtl_usb_start() */
++	usb_kill_anchored_urbs(&rtlusb->rx_submitted);
++
++	tasklet_kill(&rtlusb->rx_work_tasklet);
++	cancel_work_sync(&rtlpriv->works.lps_change_work);
++
++	flush_workqueue(rtlpriv->works.rtl_wq);
++
++	skb_queue_purge(&rtlusb->rx_queue);
++
++	while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
++		usb_free_coherent(urb->dev, urb->transfer_buffer_length,
++				urb->transfer_buffer, urb->transfer_dma);
++		usb_free_urb(urb);
++	}
++
+ 	rtlpriv->cfg->ops->hw_disable(hw);
+ }
+ 
diff --git a/queue-4.10/series b/queue-4.10/series
index 16936001682..a0345de7316 100644
--- a/queue-4.10/series
+++ b/queue-4.10/series
@@ -15,3 +15,6 @@ usb-serial-console-fix-uninitialised-spinlock.patch
 x86-platform-goldfish-prevent-unconditional-loading.patch
 goldfish-sanitize-the-broken-interrupt-handler.patch
 netfilter-nf_ct_helper-warn-when-not-applying-default-helper-assignment.patch
+acpica-linuxize-restore-and-fix-intel-compiler-build.patch
+block-fix-double-free-in-the-failure-path-of-cgwb_bdi_init.patch
+rtlwifi-rtl_usb-fix-for-urb-leaking-when-doing-ifconfig-up-down.patch
-- 
2.47.3