Add some requested fixes

3 files changed, 73 insertions, 0 deletions

diff --git a/queue-3.16/media-poseidon-depend-on-pm_runtime.patch b/queue-3.16/media-poseidon-depend-on-pm_runtime.patch
new file mode 100644
index 00000000..a6f807e0
--- /dev/null
+++ b/queue-3.16/media-poseidon-depend-on-pm_runtime.patch
@@ -0,0 +1,24 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 19 Sep 2019 19:16:06 +0100
+Subject: media: poseidon: Depend on PM_RUNTIME
+
+This is a stable-only patch as the driver has been removed upstream.
+
+Commit c2b71462d294 "USB: core: Fix bug caused by duplicate interface
+PM usage counter" switched USB to using only the standard runtime PM
+mechanism.  In my backport I changed poseidon to read the runtime PM
+counter, but that means it now needs to depend on PM_RUNTIME.
+
+Reported-by: Thomas Bork <tom@eisfair.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+--- a/drivers/media/usb/tlg2300/Kconfig
++++ b/drivers/media/usb/tlg2300/Kconfig
+@@ -7,6 +7,7 @@ config VIDEO_TLG2300
+ 	select VIDEOBUF_VMALLOC
+ 	select SND_PCM
+ 	select VIDEOBUF_DVB
++	depends on PM_RUNTIME
+ 
+ 	---help---
+ 	  This is a video4linux driver for Telegent tlg2300 based TV cards.
diff --git a/queue-3.16/series b/queue-3.16/series
index 1e6bfee3..9d600fa9 100644
--- a/queue-3.16/series
+++ b/queue-3.16/series
@@ -128,3 +128,5 @@ bluetooth-hci_ldisc-fix-null-pointer-derefence-in-case-of-early.patch
 bluetooth-hci_ldisc-postpone-hci_uart_proto_ready-bit-set-in.patch
 ath6kl-add-some-bounds-checking.patch
 kvm-coalesced_mmio-add-bounds-checking.patch
+media-poseidon-depend-on-pm_runtime.patch
+staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
diff --git a/queue-3.16/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch b/queue-3.16/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
new file mode 100644
index 00000000..a871d6fa
--- /dev/null
+++ b/queue-3.16/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
@@ -0,0 +1,47 @@
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 12 Jul 2019 15:02:37 +0100
+MIME-Version: 1.0
+Subject: staging: comedi: dt282x: fix a null  pointer deref on interrupt
+Content-Transfer-Encoding: 8bit
+
+commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
+
+The interrupt handler `dt282x_interrupt()` causes a null pointer
+dereference for those supported boards that have no analog output
+support.  For these boards, `dev->write_subdev` will be `NULL` and
+therefore the `s_ao` subdevice pointer variable will be `NULL`.  In that
+case, the following call near the end of the interrupt handler results
+in a null pointer dereference:
+
+	cfc_handle_events(dev, s_ao);
+
+[ Upstream equivalent:
+	comedi_handle_events(dev, s_ao);
+  -- IA ]
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+(There are other uses of `s_ao` by the interrupt handler that may or may
+not be reached depending on values of hardware registers.  Trust that
+they are reliable for now.)
+
+Fixes: f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()")
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ drivers/staging/comedi/drivers/dt282x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dt282x.c
++++ b/drivers/staging/comedi/drivers/dt282x.c
+@@ -483,7 +483,8 @@ static irqreturn_t dt282x_interrupt(int
+ 	}
+ #endif
+ 	cfc_handle_events(dev, s);
+-	cfc_handle_events(dev, s_ao);
++	if (s_ao)
++		cfc_handle_events(dev, s_ao);
+ 
+ 	return IRQ_RETVAL(handled);
+ }