4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jan 2020 16:46:25 +0000 (17:46 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Jan 2020 16:46:25 +0000 (17:46 +0100)
added patches:
bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
bluetooth-delete-a-stray-unlock.patch
bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
media-usb-fix-memory-leak-in-af9005_identify_state.patch
regulator-ab8500-remove-ab8505-usb-regulator.patch
tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch

queue-4.9/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch [new file with mode: 0644]
queue-4.9/bluetooth-delete-a-stray-unlock.patch [new file with mode: 0644]
queue-4.9/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch [new file with mode: 0644]
queue-4.9/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch [new file with mode: 0644]
queue-4.9/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch [new file with mode: 0644]
queue-4.9/media-usb-fix-memory-leak-in-af9005_identify_state.patch [new file with mode: 0644]
queue-4.9/regulator-ab8500-remove-ab8505-usb-regulator.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch [new file with mode: 0644]

diff --git a/queue-4.9/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch b/queue-4.9/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
new file mode 100644 (file)
index 0000000..ce05f17
--- /dev/null
@@ -0,0 +1,41 @@
+From 3d44a6fd0775e6215e836423e27f8eedf8c871ea Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 16:01:18 +0100
+Subject: Bluetooth: btusb: fix PM leak in error case of setup
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 3d44a6fd0775e6215e836423e27f8eedf8c871ea upstream.
+
+If setup() fails a reference for runtime PM has already
+been taken. Proper use of the error handling in btusb_open()is needed.
+You cannot just return.
+
+Fixes: ace31982585a3 ("Bluetooth: btusb: Add setup callback for chip init on USB")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1069,7 +1069,7 @@ static int btusb_open(struct hci_dev *hd
+       if (data->setup_on_usb) {
+               err = data->setup_on_usb(hdev);
+               if (err < 0)
+-                      return err;
++                      goto setup_fail;
+       }
+       data->intf->needs_remote_wakeup = 1;
+@@ -1101,6 +1101,7 @@ done:
+ failed:
+       clear_bit(BTUSB_INTR_RUNNING, &data->flags);
++setup_fail:
+       usb_autopm_put_interface(data->intf);
+       return err;
+ }
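Review bot: The new `setup_fail:` label sits directly under `failed:` with nothing recording why the setup error path skips `clear_bit(BTUSB_INTR_RUNNING, &data->flags)`, so a later edit that adds cleanup between the two labels could silently change what this path undoes. A one-line comment above the label would pin the intent, for example `/* setup_on_usb() failed: only the runtime-PM reference is held at this point */`. That reading is inferred from the first nested hunk, where the `goto` sits before `needs_remote_wakeup` is set. The rest of btusb_open() is outside the hunk, so confirm against the 4.9 tree that nothing else is acquired before the setup call.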
diff --git a/queue-4.9/bluetooth-delete-a-stray-unlock.patch b/queue-4.9/bluetooth-delete-a-stray-unlock.patch
new file mode 100644 (file)
index 0000000..12b1e05
--- /dev/null
@@ -0,0 +1,36 @@
+From df66499a1fab340c167250a5743931dc50d5f0fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Nov 2019 09:17:05 +0300
+Subject: Bluetooth: delete a stray unlock
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
+
+We used to take a lock in amp_physical_cfm() but then we moved it to
+the caller function.  Unfortunately the unlock on this error path was
+overlooked so it leads to a double unlock.
+
+Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_core.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4908,10 +4908,8 @@ void __l2cap_physical_cfm(struct l2cap_c
+       BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
+              chan, result, local_amp_id, remote_amp_id);
+-      if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
+-              l2cap_chan_unlock(chan);
++      if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
+               return;
+-      }
+       if (chan->state != BT_CONNECTED) {
+               l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
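Review bot: With the unlock removed, the early return in `__l2cap_physical_cfm()` leaves the channel lock held for the caller, but nothing in the visible lines documents that contract, and the changelog attributes the double unlock to exactly that kind of oversight. I would add a comment above the function such as `/* Caller holds the channel lock; no path in this function releases it. */`, or a lockdep assertion at the top so a future mismatch is caught at runtime. The function starts and ends outside the hunk, so the remaining return paths should be checked for the same leftover unlock in the 4.9 tree.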
diff --git a/queue-4.9/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch b/queue-4.9/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
new file mode 100644 (file)
index 0000000..984abd9
--- /dev/null
@@ -0,0 +1,36 @@
+From d088337c38a5cd8f0230fbf2d514ff7672f9d0d3 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 21 Nov 2019 14:20:36 -0600
+Subject: Bluetooth: Fix memory leak in hci_connect_le_scan
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit d088337c38a5cd8f0230fbf2d514ff7672f9d0d3 upstream.
+
+In the implementation of hci_connect_le_scan() when conn is added via
+hci_conn_add(), if hci_explicit_conn_params_set() fails the allocated
+memory for conn is leaked. Use hci_conn_del() to release it.
+
+Fixes: f75113a26008 ("Bluetooth: add hci_connect_le_scan")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_conn.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1054,8 +1054,10 @@ struct hci_conn *hci_connect_le_scan(str
+       if (!conn)
+               return ERR_PTR(-ENOMEM);
+-      if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0)
++      if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
++              hci_conn_del(conn);
+               return ERR_PTR(-EBUSY);
++      }
+       conn->state = BT_CONNECT;
+       set_bit(HCI_CONN_SCANNING, &conn->flags);
diff --git a/queue-4.9/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch b/queue-4.9/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
new file mode 100644 (file)
index 0000000..ead09ec
--- /dev/null
@@ -0,0 +1,37 @@
+From 6b2daec19094a90435abe67d16fb43b1a5527254 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Apr 2019 18:53:50 -0400
+Subject: fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6b2daec19094a90435abe67d16fb43b1a5527254 upstream.
+
+Unlike FICLONE, all of those take a pointer argument; they do need
+compat_ptr() applied to arg.
+
+Fixes: d79bdd52d8be ("vfs: wire up compat ioctl for CLONE/CLONE_RANGE")
+Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
+Fixes: ceac204e1da9 ("fs: make fiemap work from compat_ioctl")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/compat_ioctl.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -1585,9 +1585,10 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned i
+ #endif
+       case FICLONE:
++              goto do_ioctl;
+       case FICLONERANGE:
+       case FIDEDUPERANGE:
+-              goto do_ioctl;
++              goto found_handler;
+       case FIBMAP:
+       case FIGETBSZ:
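Review bot: The patch subject and the third `Fixes:` tag name FS_IOC_FIEMAP, yet the nested hunk only reroutes FICLONERANGE and FIDEDUPERANGE to `found_handler`, and the diffstat is 2 insertions and 1 deletion, so no FS_IOC_FIEMAP case is touched. If the 4.9 tree does not carry ceac204e1da9 (not visible here), that tag does not apply and the changelog should carry a backport note such as `[4.9: FS_IOC_FIEMAP is not in this case list; only the clone/dedupe range ioctls change]`. If it does carry it, the FIEMAP case needs checking separately, because a pointer argument that skips `compat_ptr()` is the defect this patch closes. The switch statement continues outside the hunk.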
diff --git a/queue-4.9/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch b/queue-4.9/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
new file mode 100644 (file)
index 0000000..0aac122
--- /dev/null
@@ -0,0 +1,37 @@
+From 74a96b51a36de4d86660fbc56b05d86668162d6b Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 25 Oct 2019 15:33:39 +0200
+Subject: media: flexcop-usb: ensure -EIO is returned on error condition
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 74a96b51a36de4d86660fbc56b05d86668162d6b upstream.
+
+An earlier commit hard coded a return 0 to function flexcop_usb_i2c_req
+even though the an -EIO was intended to be returned in the case where
+ret != buflen.  Fix this by replacing the return 0 with the return of
+ret to return the error return code.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: b430eaba0be5 ("[media] flexcop-usb: don't use stack for DMA")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/b2c2/flexcop-usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -295,7 +295,7 @@ static int flexcop_usb_i2c_req(struct fl
+       mutex_unlock(&fc_usb->data_mutex);
+-      return 0;
++      return ret;
+ }
+ /* actual bus specific access functions,
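Review bot: Returning `ret` is only correct if the success path has already set it to 0, and the hunk does not show that assignment; it would sit earlier in flexcop_usb_i2c_req(), outside the visible lines. The changelog describes the check as `ret != buflen`, so on success `ret` presumably starts out as the positive transfer length, which callers testing for non-zero would treat as a failure. Confirm the 4.9 code normalises it before `mutex_unlock()`, or make the contract explicit with `return ret < 0 ? ret : 0;`.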
diff --git a/queue-4.9/media-usb-fix-memory-leak-in-af9005_identify_state.patch b/queue-4.9/media-usb-fix-memory-leak-in-af9005_identify_state.patch
new file mode 100644 (file)
index 0000000..c6bd7a6
--- /dev/null
@@ -0,0 +1,37 @@
+From 2289adbfa559050d2a38bcd9caac1c18b800e928 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 9 Oct 2019 12:01:47 -0300
+Subject: media: usb: fix memory leak in af9005_identify_state
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 2289adbfa559050d2a38bcd9caac1c18b800e928 upstream.
+
+In af9005_identify_state when returning -EIO the allocated buffer should
+be released. Replace the "return -EIO" with assignment into ret and move
+deb_info() under a check.
+
+Fixes: af4e067e1dcf ("V4L/DVB (5625): Add support for the AF9005 demodulator from Afatech")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/af9005.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -990,8 +990,9 @@ static int af9005_identify_state(struct
+       else if (reply == 0x02)
+               *cold = 0;
+       else
+-              return -EIO;
+-      deb_info("Identify state cold = %d\n", *cold);
++              ret = -EIO;
++      if (!ret)
++              deb_info("Identify state cold = %d\n", *cold);
+ err:
+       kfree(buf);
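Review bot: The `if (!ret)` guard around `deb_info()` is only right if `ret` is 0 when control reaches the reply checks, which the hunk does not show. The function already has an `err:` label just below, so the unknown-reply branch reads more directly as `else { ret = -EIO; goto err; }` with `deb_info()` left unconditional. Either way `*cold` is left unwritten on the -EIO path, which deserves a short comment so callers do not read it after a failure. The function starts above the hunk.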
diff --git a/queue-4.9/regulator-ab8500-remove-ab8505-usb-regulator.patch b/queue-4.9/regulator-ab8500-remove-ab8505-usb-regulator.patch
new file mode 100644 (file)
index 0000000..18450dd
--- /dev/null
@@ -0,0 +1,75 @@
+From 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Wed, 6 Nov 2019 18:31:24 +0100
+Subject: regulator: ab8500: Remove AB8505 USB regulator
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.
+
+The USB regulator was removed for AB8500 in
+commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
+It was then added for AB8505 in
+commit 547f384f33db ("regulator: ab8500: add support for ab8505").
+
+However, there was never an entry added for it in
+ab8505_regulator_match. This causes all regulators after it
+to be initialized with the wrong device tree data, eventually
+leading to an out-of-bounds array read.
+
+Given that it is not used anywhere in the kernel, it seems
+likely that similar arguments against supporting it exist for
+AB8505 (it is controlled by hardware).
+
+Therefore, simply remove it like for AB8500 instead of adding
+an entry in ab8505_regulator_match.
+
+Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/ab8500.c       |   17 -----------------
+ include/linux/regulator/ab8500.h |    1 -
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/regulator/ab8500.c
++++ b/drivers/regulator/ab8500.c
+@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
+               .update_val_idle        = 0x82,
+               .update_val_normal      = 0x02,
+       },
+-      [AB8505_LDO_USB] = {
+-              .desc = {
+-                      .name           = "LDO-USB",
+-                      .ops            = &ab8500_regulator_mode_ops,
+-                      .type           = REGULATOR_VOLTAGE,
+-                      .id             = AB8505_LDO_USB,
+-                      .owner          = THIS_MODULE,
+-                      .n_voltages     = 1,
+-                      .volt_table     = fixed_3300000_voltage,
+-              },
+-              .update_bank            = 0x03,
+-              .update_reg             = 0x82,
+-              .update_mask            = 0x03,
+-              .update_val             = 0x01,
+-              .update_val_idle        = 0x03,
+-              .update_val_normal      = 0x01,
+-      },
+       [AB8505_LDO_AUDIO] = {
+               .desc = {
+                       .name           = "LDO-AUDIO",
+--- a/include/linux/regulator/ab8500.h
++++ b/include/linux/regulator/ab8500.h
+@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
+       AB8505_LDO_AUX6,
+       AB8505_LDO_INTCORE,
+       AB8505_LDO_ADC,
+-      AB8505_LDO_USB,
+       AB8505_LDO_AUDIO,
+       AB8505_LDO_ANAMIC1,
+       AB8505_LDO_ANAMIC2,
index 8ad5d0ccc5263405b377f27fc408e77747154e52..1945f3bfd75308916c66b748bfaf0b59074f63c0 100644 (file)
@@ -33,3 +33,11 @@ arm64-revert-support-for-execute-only-user-mappings.patch
 pm-devfreq-check-null-governor-in-available_governors_show.patch
 nfsd4-fix-up-replay_matches_cache.patch
 xfs-don-t-check-for-ag-deadlock-for-realtime-files-in-bunmapi.patch
+bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
+bluetooth-delete-a-stray-unlock.patch
+bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
+media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
+regulator-ab8500-remove-ab8505-usb-regulator.patch
+media-usb-fix-memory-leak-in-af9005_identify_state.patch
+tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
diff --git a/queue-4.9/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/queue-4.9/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
new file mode 100644 (file)
index 0000000..61c3e33
--- /dev/null
@@ -0,0 +1,68 @@
+From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Wed, 27 Nov 2019 22:15:43 +0800
+Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
+
+From: Leo Yan <leo.yan@linaro.org>
+
+commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
+
+As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
+has mentioned the uart driver might cause recursive locking between
+normal printing and the kernel debugging facilities (e.g. sysrq and
+oops).  In the commit it gave out suggestion for fixing recursive
+locking issue: "The solution is to avoid locking in the sysrq case
+and trylock in the oops_in_progress case."
+
+This patch follows the suggestion (also used the exactly same code with
+other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
+issue, this can avoid stuck caused by deadlock and print out log for
+sysrq and oops.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/msm_serial.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1579,6 +1579,7 @@ static void __msm_console_write(struct u
+       int num_newlines = 0;
+       bool replaced = false;
+       void __iomem *tf;
++      int locked = 1;
+       if (is_uartdm)
+               tf = port->membase + UARTDM_TF;
+@@ -1591,7 +1592,13 @@ static void __msm_console_write(struct u
+                       num_newlines++;
+       count += num_newlines;
+-      spin_lock(&port->lock);
++      if (port->sysrq)
++              locked = 0;
++      else if (oops_in_progress)
++              locked = spin_trylock(&port->lock);
++      else
++              spin_lock(&port->lock);
++
+       if (is_uartdm)
+               msm_reset_dm_count(port, count);
+@@ -1627,7 +1634,9 @@ static void __msm_console_write(struct u
+               iowrite32_rep(tf, buf, 1);
+               i += num_chars;
+       }
+-      spin_unlock(&port->lock);
++
++      if (locked)
++              spin_unlock(&port->lock);
+ }
+ static void msm_console_write(struct console *co, const char *s,
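Review bot: On the `port->sysrq` path, and when `spin_trylock()` fails during an oops, the code still calls `msm_reset_dm_count()` and writes the TX FIFO without holding `port->lock`, and nothing in the source says this is deliberate. A comment above the new branch would keep a later cleanup from re-adding an unconditional lock, for example `/* sysrq: do not take port->lock (presumably already held on that path); oops: trylock only, so console output cannot deadlock */`. `locked` is used purely as a flag, so `bool locked = true;` would match `replaced` declared two lines above it. The function body extends beyond the three nested hunks.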