4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Dec 2019 13:52:06 +0000 (14:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Dec 2019 13:52:06 +0000 (14:52 +0100)
added patches:
acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
acpi-osl-only-free-map-once-in-osl.c.patch
acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
cgroup-pids-use-atomic64_t-for-pids-limit.patch
cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
media-bdisp-fix-memleak-on-release.patch
media-radio-wl1273-fix-interrupt-masking-on-release.patch
mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch
perf-tests-fix-out-of-bounds-memory-access.patch
pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch
pm-devfreq-lock-devfreq-in-trans_stat_show.patch
ppdev-fix-ppgettime-ppsettime-ioctls.patch

17 files changed:
queue-4.9/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch [new file with mode: 0644]
queue-4.9/acpi-osl-only-free-map-once-in-osl.c.patch [new file with mode: 0644]
queue-4.9/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch [new file with mode: 0644]
queue-4.9/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch [new file with mode: 0644]
queue-4.9/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch [new file with mode: 0644]
queue-4.9/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch [new file with mode: 0644]
queue-4.9/cgroup-pids-use-atomic64_t-for-pids-limit.patch [new file with mode: 0644]
queue-4.9/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch [new file with mode: 0644]
queue-4.9/media-bdisp-fix-memleak-on-release.patch [new file with mode: 0644]
queue-4.9/media-radio-wl1273-fix-interrupt-masking-on-release.patch [new file with mode: 0644]
queue-4.9/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch [new file with mode: 0644]
queue-4.9/perf-tests-fix-out-of-bounds-memory-access.patch [new file with mode: 0644]
queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch [new file with mode: 0644]
queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch [new file with mode: 0644]
queue-4.9/pm-devfreq-lock-devfreq-in-trans_stat_show.patch [new file with mode: 0644]
queue-4.9/ppdev-fix-ppgettime-ppsettime-ioctls.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/queue-4.9/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
new file mode 100644 (file)
index 0000000..7711a7e
--- /dev/null
@@ -0,0 +1,59 @@
+From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+Date: Thu, 28 Nov 2019 15:58:29 +0530
+Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
+
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+
+commit 627ead724eff33673597216f5020b72118827de4 upstream.
+
+kmemleak reported backtrace:
+    [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
+    [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
+    [<1180f4fc>] i2c_register_adapter+0x186/0x400
+    [<6083baf7>] i2c_add_adapter+0x4e/0x70
+    [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
+    [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
+    [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
+    [<4b159af1>] pci_device_probe+0xdc/0x160
+    [<b3c64704>] really_probe+0x1ee/0x450
+    [<bc029f5a>] driver_probe_device+0x142/0x1b0
+    [<d8829d20>] device_driver_attach+0x49/0x50
+    [<de71f045>] __driver_attach+0xc9/0x150
+    [<df33ac83>] bus_for_each_dev+0x56/0xa0
+    [<80089bba>] driver_attach+0x19/0x20
+    [<cc73f583>] bus_add_driver+0x177/0x220
+    [<7b29d8c7>] driver_register+0x56/0xf0
+
+In i2c_acpi_remove_space_handler(), a leak occurs whenever the
+"data" parameter is initialized to 0 before being passed to
+acpi_bus_get_private_data().
+
+This is because the NULL pointer check in acpi_bus_get_private_data()
+(condition->if(!*data)) returns EINVAL and, in consequence, memory is
+never freed in i2c_acpi_remove_space_handler().
+
+Fix the NULL pointer check in acpi_bus_get_private_data() to follow
+the analogous check in acpi_get_data_full().
+
+Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+[ rjw: Subject & changelog ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/bus.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -158,7 +158,7 @@ int acpi_bus_get_private_data(acpi_handl
+ {
+       acpi_status status;
+-      if (!*data)
++      if (!data)
+               return -EINVAL;
+       status = acpi_get_data(handle, acpi_bus_private_data_handler, data);
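Review bot: acpi_bus_get_private_data() has no comment saying that `data` is a pure out-parameter, which is the misunderstanding behind the old `!*data` test at the top of the function. A kernel-doc line such as `@data: location that receives the stored pointer; its value on entry is ignored` would keep the check from drifting back. Whether `*data` is written when acpi_get_data() fails is not visible here, so the comment should also tell callers to use it only after a zero return. The function body continues outside the hunk.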
diff --git a/queue-4.9/acpi-osl-only-free-map-once-in-osl.c.patch b/queue-4.9/acpi-osl-only-free-map-once-in-osl.c.patch
new file mode 100644 (file)
index 0000000..05970e0
--- /dev/null
@@ -0,0 +1,111 @@
+From 833a426cc471b6088011b3d67f1dc4e147614647 Mon Sep 17 00:00:00 2001
+From: Francesco Ruggeri <fruggeri@arista.com>
+Date: Tue, 19 Nov 2019 21:47:27 -0800
+Subject: ACPI: OSL: only free map once in osl.c
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream.
+
+acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock
+before freeing the map. This creates a race condition the can result
+in the map being freed more than once.
+A panic can be caused by running
+
+for ((i=0; i<10; i++))
+do
+        for ((j=0; j<100000; j++))
+        do
+                cat /sys/firmware/acpi/tables/data/BERT >/dev/null
+        done &
+done
+
+This patch makes sure that only the process that drops the reference
+to 0 does the freeing.
+
+Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c")
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/osl.c |   28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -375,19 +375,21 @@ void *__ref acpi_os_map_memory(acpi_phys
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_map_memory);
+-static void acpi_os_drop_map_ref(struct acpi_ioremap *map)
++/* Must be called with mutex_lock(&acpi_ioremap_lock) */
++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map)
+ {
+-      if (!--map->refcount)
++      unsigned long refcount = --map->refcount;
++
++      if (!refcount)
+               list_del_rcu(&map->list);
++      return refcount;
+ }
+ static void acpi_os_map_cleanup(struct acpi_ioremap *map)
+ {
+-      if (!map->refcount) {
+-              synchronize_rcu_expedited();
+-              acpi_unmap(map->phys, map->virt);
+-              kfree(map);
+-      }
++      synchronize_rcu_expedited();
++      acpi_unmap(map->phys, map->virt);
++      kfree(map);
+ }
+ /**
+@@ -407,6 +409,7 @@ static void acpi_os_map_cleanup(struct a
+ void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size)
+ {
+       struct acpi_ioremap *map;
++      unsigned long refcount;
+       if (!acpi_gbl_permanent_mmap) {
+               __acpi_unmap_table(virt, size);
+@@ -420,10 +423,11 @@ void __ref acpi_os_unmap_iomem(void __io
+               WARN(true, PREFIX "%s: bad address %p\n", __func__, virt);
+               return;
+       }
+-      acpi_os_drop_map_ref(map);
++      refcount = acpi_os_drop_map_ref(map);
+       mutex_unlock(&acpi_ioremap_lock);
+-      acpi_os_map_cleanup(map);
++      if (!refcount)
++              acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem);
+@@ -464,6 +468,7 @@ void acpi_os_unmap_generic_address(struc
+ {
+       u64 addr;
+       struct acpi_ioremap *map;
++      unsigned long refcount;
+       if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY)
+               return;
+@@ -479,10 +484,11 @@ void acpi_os_unmap_generic_address(struc
+               mutex_unlock(&acpi_ioremap_lock);
+               return;
+       }
+-      acpi_os_drop_map_ref(map);
++      refcount = acpi_os_drop_map_ref(map);
+       mutex_unlock(&acpi_ioremap_lock);
+-      acpi_os_map_cleanup(map);
++      if (!refcount)
++              acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL(acpi_os_unmap_generic_address);
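Review bot: The locking rule on acpi_os_drop_map_ref() is stated only in the new comment, and acpi_os_map_cleanup() now frees unconditionally, so a future caller that gets either wrong reintroduces the double free. Adding `lockdep_assert_held(&acpi_ioremap_lock);` as the first statement of acpi_os_drop_map_ref() would turn the comment into a checked invariant on lockdep builds. acpi_os_map_cleanup() deserves a matching comment, for example `/* Only for the caller that dropped the last reference, after releasing acpi_ioremap_lock */`. Both acpi_os_unmap_iomem() and acpi_os_unmap_generic_address() are only partly visible in these hunks.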
diff --git a/queue-4.9/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-4.9/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
new file mode 100644 (file)
index 0000000..3de0fc6
--- /dev/null
@@ -0,0 +1,53 @@
+From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 4 Dec 2019 02:54:27 +0100
+Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream.
+
+Certain ACPI-enumerated devices represented as platform devices in
+Linux, like fans, require special low-level power management handling
+implemented by their drivers that is not in agreement with the ACPI
+PM domain behavior.  That leads to problems with managing ACPI fans
+during system-wide suspend and resume.
+
+For this reason, make acpi_dev_pm_attach() skip the affected devices
+by adding a list of device IDs to avoid to it and putting the IDs of
+the affected devices into that list.
+
+Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems)
+Reported-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
+Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/device_pm.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -1096,9 +1096,19 @@ static void acpi_dev_pm_detach(struct de
+  */
+ int acpi_dev_pm_attach(struct device *dev, bool power_on)
+ {
++      /*
++       * Skip devices whose ACPI companions match the device IDs below,
++       * because they require special power management handling incompatible
++       * with the generic ACPI PM domain.
++       */
++      static const struct acpi_device_id special_pm_ids[] = {
++              {"PNP0C0B", }, /* Generic ACPI fan */
++              {"INT3404", }, /* Fan */
++              {}
++      };
+       struct acpi_device *adev = ACPI_COMPANION(dev);
+-      if (!adev)
++      if (!adev || !acpi_match_device_ids(adev, special_pm_ids))
+               return -ENODEV;
+       if (dev->pm_domain)
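Review bot: The added condition `!acpi_match_device_ids(adev, special_pm_ids)` reads as "no match" but means the opposite, since acpi_match_device_ids() returns 0 when an ID matches. A short comment on that line, e.g. `/* 0 means the companion is on the skip list */`, or writing the test as `acpi_match_device_ids(adev, special_pm_ids) == 0`, would make the intent obvious. Skipped devices also get the same -ENODEV as devices with no ACPI companion, so callers cannot tell the two cases apart. If that is intended, it is worth a sentence in the kernel-doc of acpi_dev_pm_attach(), which begins outside this hunk.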
diff --git a/queue-4.9/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/queue-4.9/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
new file mode 100644 (file)
index 0000000..f6bdaca
--- /dev/null
@@ -0,0 +1,40 @@
+From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 30 Sep 2019 23:31:47 +0300
+Subject: ar5523: check NULL before memcpy() in ar5523_cmd()
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 315cee426f87658a6799815845788fde965ddaad upstream.
+
+memcpy() call with "idata == NULL && ilen == 0" results in undefined
+behavior in ar5523_cmd(). For example, NULL is passed in callchain
+"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
+adds ilen check before memcpy() call in ar5523_cmd() to prevent an
+undefined behavior.
+
+Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
+       if (flags & AR5523_CMD_FLAG_MAGIC)
+               hdr->magic = cpu_to_be32(1 << 24);
+-      memcpy(hdr + 1, idata, ilen);
++      if (ilen)
++              memcpy(hdr + 1, idata, ilen);
+       cmd->odata = odata;
+       cmd->olen = olen;
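Review bot: The new `if (ilen)` guard in ar5523_cmd() removes the zero-length memcpy() from NULL, but a NULL `idata` with a non-zero `ilen` is still copied from, and nothing in the visible lines bounds `ilen` against the space behind `hdr + 1`. If no earlier check exists in the part of the function outside this hunk, the inconsistent case could be rejected before the copy, e.g. `if (ilen && WARN_ON(!idata)) return -EINVAL;`, assuming an early return is safe at that point. A length check against the size of the command buffer would belong in the same place. The function starts and ends outside the hunk.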
diff --git a/queue-4.9/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/queue-4.9/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
new file mode 100644 (file)
index 0000000..9f1ba7d
--- /dev/null
@@ -0,0 +1,37 @@
+From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Date: Tue, 12 Nov 2019 14:02:36 +0100
+Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
+
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+
+commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.
+
+Check for existance of jack before tracing.
+NULL pointer dereference has been reported by KASAN while unloading
+machine driver (snd_soc_cnl_rt274).
+
+Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-jack.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/soc/soc-jack.c
++++ b/sound/soc/soc-jack.c
+@@ -80,10 +80,9 @@ void snd_soc_jack_report(struct snd_soc_
+       unsigned int sync = 0;
+       int enable;
+-      trace_snd_soc_jack_report(jack, mask, status);
+-
+       if (!jack)
+               return;
++      trace_snd_soc_jack_report(jack, mask, status);
+       dapm = &jack->card->dapm;
diff --git a/queue-4.9/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch b/queue-4.9/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
new file mode 100644 (file)
index 0000000..e1db9dc
--- /dev/null
@@ -0,0 +1,61 @@
+From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 2 Nov 2019 16:02:15 +0800
+Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.
+
+It is reported that sysfs buffer overflow can be triggered if the system
+has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
+hctx via /sys/block/$DEV/mq/$N/cpu_list.
+
+Use snprintf to avoid the potential buffer overflow.
+
+This version doesn't change the attribute format, and simply stops
+showing CPU numbers if the buffer is going to overflow.
+
+Cc: stable@vger.kernel.org
+Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -243,20 +243,25 @@ static ssize_t blk_mq_hw_sysfs_active_sh
+ static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page)
+ {
++      const size_t size = PAGE_SIZE - 1;
+       unsigned int i, first = 1;
+-      ssize_t ret = 0;
++      int ret = 0, pos = 0;
+       for_each_cpu(i, hctx->cpumask) {
+               if (first)
+-                      ret += sprintf(ret + page, "%u", i);
++                      ret = snprintf(pos + page, size - pos, "%u", i);
+               else
+-                      ret += sprintf(ret + page, ", %u", i);
++                      ret = snprintf(pos + page, size - pos, ", %u", i);
++
++              if (ret >= size - pos)
++                      break;
+               first = 0;
++              pos += ret;
+       }
+-      ret += sprintf(ret + page, "\n");
+-      return ret;
++      ret = snprintf(pos + page, size - pos, "\n");
++      return pos + ret;
+ }
+ static struct blk_mq_ctx_sysfs_entry blk_mq_sysfs_dispatched = {
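Review bot: The final `snprintf(pos + page, size - pos, "\n")` can be left with room for only the terminating NUL. The loop guarantees just `pos < size`, so when `size - pos` is 1 the newline is dropped while `ret` is still 1, and the function returns a length that covers a NUL byte instead of `\n`. `size` is `PAGE_SIZE - 1`, so one spare byte exists; using it for the last write, `ret = snprintf(pos + page, size + 1 - pos, "\n");`, keeps the newline and the returned length in step. Separately, `ret >= size - pos` compares an int with a size_t; it works here, but an explicit cast or a comment would make the conversion deliberate.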
diff --git a/queue-4.9/cgroup-pids-use-atomic64_t-for-pids-limit.patch b/queue-4.9/cgroup-pids-use-atomic64_t-for-pids-limit.patch
new file mode 100644 (file)
index 0000000..dd7ad11
--- /dev/null
@@ -0,0 +1,78 @@
+From a713af394cf382a30dd28a1015cbe572f1b9ca75 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 17 Oct 2019 02:50:01 +1100
+Subject: cgroup: pids: use atomic64_t for pids->limit
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream.
+
+Because pids->limit can be changed concurrently (but we don't want to
+take a lock because it would be needlessly expensive), use atomic64_ts
+instead.
+
+Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem")
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup_pids.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/cgroup_pids.c
++++ b/kernel/cgroup_pids.c
+@@ -48,7 +48,7 @@ struct pids_cgroup {
+        * %PIDS_MAX = (%PID_MAX_LIMIT + 1).
+        */
+       atomic64_t                      counter;
+-      int64_t                         limit;
++      atomic64_t                      limit;
+       /* Handle for "pids.events" */
+       struct cgroup_file              events_file;
+@@ -76,8 +76,8 @@ pids_css_alloc(struct cgroup_subsys_stat
+       if (!pids)
+               return ERR_PTR(-ENOMEM);
+-      pids->limit = PIDS_MAX;
+       atomic64_set(&pids->counter, 0);
++      atomic64_set(&pids->limit, PIDS_MAX);
+       atomic64_set(&pids->events_limit, 0);
+       return &pids->css;
+ }
+@@ -149,13 +149,14 @@ static int pids_try_charge(struct pids_c
+       for (p = pids; parent_pids(p); p = parent_pids(p)) {
+               int64_t new = atomic64_add_return(num, &p->counter);
++              int64_t limit = atomic64_read(&p->limit);
+               /*
+                * Since new is capped to the maximum number of pid_t, if
+                * p->limit is %PIDS_MAX then we know that this test will never
+                * fail.
+                */
+-              if (new > p->limit)
++              if (new > limit)
+                       goto revert;
+       }
+@@ -280,7 +281,7 @@ set_limit:
+        * Limit updates don't need to be mutex'd, since it isn't
+        * critical that any racing fork()s follow the new limit.
+        */
+-      pids->limit = limit;
++      atomic64_set(&pids->limit, limit);
+       return nbytes;
+ }
+@@ -288,7 +289,7 @@ static int pids_max_show(struct seq_file
+ {
+       struct cgroup_subsys_state *css = seq_css(sf);
+       struct pids_cgroup *pids = css_pids(css);
+-      int64_t limit = pids->limit;
++      int64_t limit = atomic64_read(&pids->limit);
+       if (limit >= PIDS_MAX)
+               seq_printf(sf, "%s\n", PIDS_MAX_STR);
diff --git a/queue-4.9/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/queue-4.9/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
new file mode 100644 (file)
index 0000000..d36a560
--- /dev/null
@@ -0,0 +1,58 @@
+From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Wed, 23 Oct 2019 09:57:14 +0800
+Subject: cpuidle: Do not unset the driver if it is there already
+
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+
+commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.
+
+Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
+a driver different from drv already and, if so, return -EBUSY before
+updating any cpuidle_drivers per-CPU pointers.
+
+Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
+Cc: 3.11+ <stable@vger.kernel.org> # 3.11+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+[ rjw: Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/driver.c |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpuidle/driver.c
++++ b/drivers/cpuidle/driver.c
+@@ -61,24 +61,23 @@ static inline void __cpuidle_unset_drive
+  * __cpuidle_set_driver - set per CPU driver variables for the given driver.
+  * @drv: a valid pointer to a struct cpuidle_driver
+  *
+- * For each CPU in the driver's cpumask, unset the registered driver per CPU
+- * to @drv.
+- *
+- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
++ * different from drv already.
+  */
+ static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
+ {
+       int cpu;
+       for_each_cpu(cpu, drv->cpumask) {
++              struct cpuidle_driver *old_drv;
+-              if (__cpuidle_get_cpu_driver(cpu)) {
+-                      __cpuidle_unset_driver(drv);
++              old_drv = __cpuidle_get_cpu_driver(cpu);
++              if (old_drv && old_drv != drv)
+                       return -EBUSY;
+-              }
++      }
++      for_each_cpu(cpu, drv->cpumask)
+               per_cpu(cpuidle_drivers, cpu) = drv;
+-      }
+       return 0;
+ }
diff --git a/queue-4.9/media-bdisp-fix-memleak-on-release.patch b/queue-4.9/media-bdisp-fix-memleak-on-release.patch
new file mode 100644 (file)
index 0000000..96388aa
--- /dev/null
@@ -0,0 +1,40 @@
+From 11609a7e21f8cea42630350aa57662928fa4dc63 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:31 -0300
+Subject: media: bdisp: fix memleak on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream.
+
+If a process is interrupted while accessing the video device and the
+device lock is contended, release() could return early and fail to free
+related resources.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework")
+Cc: stable <stable@vger.kernel.org>     # 4.2
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -651,8 +651,7 @@ static int bdisp_release(struct file *fi
+       dev_dbg(bdisp->dev, "%s\n", __func__);
+-      if (mutex_lock_interruptible(&bdisp->lock))
+-              return -ERESTARTSYS;
++      mutex_lock(&bdisp->lock);
+       v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
diff --git a/queue-4.9/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/queue-4.9/media-radio-wl1273-fix-interrupt-masking-on-release.patch
new file mode 100644 (file)
index 0000000..e79ba6f
--- /dev/null
@@ -0,0 +1,40 @@
+From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:32 -0300
+Subject: media: radio: wl1273: fix interrupt masking on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1091eb830627625dcf79958d99353c2391f41708 upstream.
+
+If a process is interrupted while accessing the radio device and the
+core lock is contended, release() could return early and fail to update
+the interrupt mask.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.38
+Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-wl1273.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -1149,8 +1149,7 @@ static int wl1273_fm_fops_release(struct
+       if (radio->rds_users > 0) {
+               radio->rds_users--;
+               if (radio->rds_users == 0) {
+-                      if (mutex_lock_interruptible(&core->lock))
+-                              return -EINTR;
++                      mutex_lock(&core->lock);
+                       radio->irq_flags &= ~WL1273_RDS_EVENT;
diff --git a/queue-4.9/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch b/queue-4.9/mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch
new file mode 100644 (file)
index 0000000..2a1fbd5
--- /dev/null
@@ -0,0 +1,73 @@
+From f6498b922e57aecbe3b7fa30a308d9d586c0c369 Mon Sep 17 00:00:00 2001
+From: "H. Nikolaus Schaller" <hns@goldelico.com>
+Date: Thu, 7 Nov 2019 11:30:37 +0100
+Subject: mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+commit f6498b922e57aecbe3b7fa30a308d9d586c0c369 upstream.
+
+Pandora_wl1251_init_card was used to do special pdata based
+setup of the sdio mmc interface. This does no longer work with
+v4.7 and later. A fix requires a device tree based mmc3 setup.
+
+Therefore we move the special setup to omap_hsmmc.c instead
+of calling some pdata supplied init_card function.
+
+The new code checks for a DT child node compatible to wl1251
+so it will not affect other MMC3 use cases.
+
+Generally, this code was and still is a hack and should be
+moved to mmc core to e.g. read such properties from optional
+DT child nodes.
+
+Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Cc: <stable@vger.kernel.org> # v4.7+
+[Ulf: Fixed up some checkpatch complaints]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/omap_hsmmc.c |   30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1700,6 +1700,36 @@ static void omap_hsmmc_init_card(struct
+       if (mmc_pdata(host)->init_card)
+               mmc_pdata(host)->init_card(card);
++      else if (card->type == MMC_TYPE_SDIO ||
++               card->type == MMC_TYPE_SD_COMBO) {
++              struct device_node *np = mmc_dev(mmc)->of_node;
++
++              /*
++               * REVISIT: should be moved to sdio core and made more
++               * general e.g. by expanding the DT bindings of child nodes
++               * to provide a mechanism to provide this information:
++               * Documentation/devicetree/bindings/mmc/mmc-card.txt
++               */
++
++              np = of_get_compatible_child(np, "ti,wl1251");
++              if (np) {
++                      /*
++                       * We have TI wl1251 attached to MMC3. Pass this
++                       * information to the SDIO core because it can't be
++                       * probed by normal methods.
++                       */
++
++                      dev_info(host->dev, "found wl1251\n");
++                      card->quirks |= MMC_QUIRK_NONSTD_SDIO;
++                      card->cccr.wide_bus = 1;
++                      card->cis.vendor = 0x104c;
++                      card->cis.device = 0x9066;
++                      card->cis.blksize = 512;
++                      card->cis.max_dtr = 24000000;
++                      card->ocr = 0x80;
++                      of_node_put(np);
++              }
++      }
+ }
+ static void omap_hsmmc_enable_sdio_irq(struct mmc_host *mmc, int enable)
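Review bot: In the new `else if` branch of omap_hsmmc_init_card(), `np` first holds the controller's node and is then overwritten with the child returned by of_get_compatible_child(), so the later `of_node_put(np)` is correct only because of that reassignment. A separate variable, `struct device_node *child = of_get_compatible_child(np, "ti,wl1251");`, would make it clear which reference is dropped. The hard-coded `0x104c`, `0x9066` and `0x80` would read better as named constants or with a comment saying what they encode. The `if` arm should also get braces now that the `else if` arm has them. The start of the function is outside the hunk.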
diff --git a/queue-4.9/perf-tests-fix-out-of-bounds-memory-access.patch b/queue-4.9/perf-tests-fix-out-of-bounds-memory-access.patch
new file mode 100644 (file)
index 0000000..d30497b
--- /dev/null
@@ -0,0 +1,94 @@
+From af8490eb2b33684e26a0a927a9d93ae43cd08890 Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Thu, 7 Nov 2019 10:02:44 +0800
+Subject: perf tests: Fix out of bounds memory access
+
+From: Leo Yan <leo.yan@linaro.org>
+
+commit af8490eb2b33684e26a0a927a9d93ae43cd08890 upstream.
+
+The test case 'Read backward ring buffer' failed on 32-bit architectures
+which were found by LKFT perf testing.  The test failed on arm32 x15
+device, qemu_arm32, qemu_i386, and found intermittent failure on i386;
+the failure log is as below:
+
+  50: Read backward ring buffer                  :
+  --- start ---
+  test child forked, pid 510
+  Using CPUID GenuineIntel-6-9E-9
+  mmap size 1052672B
+  mmap size 8192B
+  Finished reading overwrite ring buffer: rewind
+  free(): invalid next size (fast)
+  test child interrupted
+  ---- end ----
+  Read backward ring buffer: FAILED!
+
+The log hints there have issue for memory usage, thus free() reports
+error 'invalid next size' and directly exit for the case.  Finally, this
+issue is root caused as out of bounds memory access for the data array
+'evsel->id'.
+
+The backward ring buffer test invokes do_test() twice.  'evsel->id' is
+allocated at the first call with the flow:
+
+  test__backward_ring_buffer()
+    `-> do_test()
+         `-> evlist__mmap()
+               `-> evlist__mmap_ex()
+                     `-> perf_evsel__alloc_id()
+
+So 'evsel->id' is allocated with one item, and it will be used in
+function perf_evlist__id_add():
+
+   evsel->id[0] = id
+   evsel->ids   = 1
+
+At the second call for do_test(), it skips to initialize 'evsel->id'
+and reuses the array which is allocated in the first call.  But
+'evsel->ids' contains the stale value.  Thus:
+
+   evsel->id[1] = id    -> out of bound access
+   evsel->ids   = 2
+
+To fix this issue, we will use evlist__open() and evlist__close() pair
+functions to prepare and cleanup context for evlist; so 'evsel->id' and
+'evsel->ids' can be initialized properly when invoke do_test() and avoid
+the out of bounds memory access.
+
+Fixes: ee74701ed8ad ("perf tests: Add test to check backward ring buffer")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Reviewed-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Naresh Kamboju <naresh.kamboju@linaro.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Cc: stable@vger.kernel.org # v4.10+
+Link: http://lore.kernel.org/lkml/20191107020244.2427-1-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/tests/backward-ring-buffer.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/tools/perf/tests/backward-ring-buffer.c
++++ b/tools/perf/tests/backward-ring-buffer.c
+@@ -140,6 +140,15 @@ int test__backward_ring_buffer(int subte
+               goto out_delete_evlist;
+       }
++      evlist__close(evlist);
++
++      err = evlist__open(evlist);
++      if (err < 0) {
++              pr_debug("perf_evlist__open: %s\n",
++                       str_error_r(errno, sbuf, sizeof(sbuf)));
++              goto out_delete_evlist;
++      }
++
+       err = do_test(evlist, 1, &sample_count, &comm_count);
+       if (err != TEST_OK)
+               goto out_delete_evlist;
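Review bot: The patch carries `Cc: stable@vger.kernel.org # v4.10+` yet is being added to queue-4.9, and the added lines call `evlist__close()` and `evlist__open()`. It is worth confirming that those names exist in the 4.9 perf tree, since a missing symbol would break the tools/perf build. The debug string also says `perf_evlist__open:` while the call is `evlist__open()`, so one of the two should be adjusted to match. test__backward_ring_buffer() starts and ends outside the hunk.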
diff --git a/queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
new file mode 100644 (file)
index 0000000..5335e8e
--- /dev/null
@@ -0,0 +1,58 @@
+From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:10 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in init code
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream.
+
+Several functions use for_each_child_of_node() loop with a break to find
+a matching child node.  Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it.  This leads to leak of device node.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -281,6 +281,7 @@ static int samsung_dt_node_to_map(struct
+                                               &reserved_maps, num_maps);
+               if (ret < 0) {
+                       samsung_dt_free_map(pctldev, *map, *num_maps);
++                      of_node_put(np);
+                       return ret;
+               }
+       }
+@@ -770,8 +771,10 @@ static struct samsung_pmx_func *samsung_
+               if (!of_get_child_count(cfg_np)) {
+                       ret = samsung_pinctrl_create_function(dev, drvdata,
+                                                       cfg_np, func);
+-                      if (ret < 0)
++                      if (ret < 0) {
++                              of_node_put(cfg_np);
+                               return ERR_PTR(ret);
++                      }
+                       if (ret > 0) {
+                               ++func;
+                               ++func_cnt;
+@@ -782,8 +785,11 @@ static struct samsung_pmx_func *samsung_
+               for_each_child_of_node(cfg_np, func_np) {
+                       ret = samsung_pinctrl_create_function(dev, drvdata,
+                                               func_np, func);
+-                      if (ret < 0)
++                      if (ret < 0) {
++                              of_node_put(func_np);
++                              of_node_put(cfg_np);
+                               return ERR_PTR(ret);
++                      }
+                       if (ret > 0) {
+                               ++func;
+                               ++func_cnt;
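Review bot: The three error exits that now call `of_node_put()` carry no comment, so nothing tells a later reader why a plain `return` inside these loops is a leak; this applies to the `of_node_put(np)` exit in samsung_dt_node_to_map() and both exits in the function-creation loops. A one-line comment at each site, such as `/* early return skips the put done by the next for_each_child_of_node() step */`, would document the rule. In the nested loop both `func_np` and `cfg_np` must be dropped, and that pairing is the easiest part to lose in a later edit. The enclosing functions start and end outside these hunks, so any other early exits in them cannot be checked from here.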
diff --git a/queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch b/queue-4.9/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch
new file mode 100644 (file)
index 0000000..92004ad
--- /dev/null
@@ -0,0 +1,52 @@
+From 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:08 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream.
+
+In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a
+break to find a matching child node.  Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it.  This leads to leak of device node.
+
+Cc: <stable@vger.kernel.org>
+Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/samsung/pinctrl-s3c24xx.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
+@@ -495,8 +495,10 @@ static int s3c24xx_eint_init(struct sams
+               return -ENODEV;
+       eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL);
+-      if (!eint_data)
++      if (!eint_data) {
++              of_node_put(eint_np);
+               return -ENOMEM;
++      }
+       eint_data->drvdata = d;
+@@ -508,12 +510,14 @@ static int s3c24xx_eint_init(struct sams
+               irq = irq_of_parse_and_map(eint_np, i);
+               if (!irq) {
+                       dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
++                      of_node_put(eint_np);
+                       return -ENXIO;
+               }
+               eint_data->parents[i] = irq;
+               irq_set_chained_handler_and_data(irq, handlers[i], eint_data);
+       }
++      of_node_put(eint_np);
+       bank = d->pin_banks;
+       for (i = 0; i < d->nr_banks; ++i, ++bank) {
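Review bot: The `-ENXIO` exit inside the IRQ loop now drops `eint_np`, but it still leaves the chained handlers installed for the IRQs handled in earlier iterations, each with `eint_data` as its handler data. `eint_data` comes from `devm_kzalloc()`, so if this failure makes the probe fail (the caller is outside the hunk), those handlers would presumably keep a pointer to memory that devres frees. Consider unwinding before the return, for example `while (i--) irq_set_chained_handler_and_data(eint_data->parents[i], NULL, NULL);`. s3c24xx_eint_init() begins before and continues after these hunks, so later failure paths need the same check.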
diff --git a/queue-4.9/pm-devfreq-lock-devfreq-in-trans_stat_show.patch b/queue-4.9/pm-devfreq-lock-devfreq-in-trans_stat_show.patch
new file mode 100644 (file)
index 0000000..a7b49db
--- /dev/null
@@ -0,0 +1,59 @@
+From 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 Mon Sep 17 00:00:00 2001
+From: Leonard Crestez <leonard.crestez@nxp.com>
+Date: Tue, 24 Sep 2019 10:52:23 +0300
+Subject: PM / devfreq: Lock devfreq in trans_stat_show
+
+From: Leonard Crestez <leonard.crestez@nxp.com>
+
+commit 2abb0d5268ae7b5ddf82099b1f8d5aa8414637d4 upstream.
+
+There is no locking in this sysfs show function so stats printing can
+race with a devfreq_update_status called as part of freq switching or
+with initialization.
+
+Also add an assert in devfreq_update_status to make it clear that lock
+must be held by caller.
+
+Fixes: 39688ce6facd ("PM / devfreq: account suspend/resume for stats")
+Cc: stable@vger.kernel.org
+Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/devfreq/devfreq.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -135,6 +135,7 @@ int devfreq_update_status(struct devfreq
+       int lev, prev_lev, ret = 0;
+       unsigned long cur_time;
++      lockdep_assert_held(&devfreq->lock);
+       cur_time = jiffies;
+       /* Immediately exit if previous_freq is not initialized yet. */
+@@ -1170,12 +1171,17 @@ static ssize_t trans_stat_show(struct de
+       int i, j;
+       unsigned int max_state = devfreq->profile->max_state;
+-      if (!devfreq->stop_polling &&
+-                      devfreq_update_status(devfreq, devfreq->previous_freq))
+-              return 0;
+       if (max_state == 0)
+               return sprintf(buf, "Not Supported.\n");
++      mutex_lock(&devfreq->lock);
++      if (!devfreq->stop_polling &&
++                      devfreq_update_status(devfreq, devfreq->previous_freq)) {
++              mutex_unlock(&devfreq->lock);
++              return 0;
++      }
++      mutex_unlock(&devfreq->lock);
++
+       len = sprintf(buf, "     From  :   To\n");
+       len += sprintf(buf + len, "           :");
+       for (i = 0; i < max_state; i++)
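Review bot: The mutex added in trans_stat_show() is released before the transition table is formatted, so the `sprintf()` loop that follows still runs without `devfreq->lock` and can race with devfreq_update_status(), which is the race the description sets out to close. Holding the lock across the formatting and unlocking once before the final return would cover it. The rest of the function is outside the hunk, so the exact unlock site has to be checked there. The formatting also accumulates `len` through unbounded `sprintf()` calls in a loop over `max_state`; `len += scnprintf(buf + len, PAGE_SIZE - len, ...)` would keep a large state count from writing past the sysfs page.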
diff --git a/queue-4.9/ppdev-fix-ppgettime-ppsettime-ioctls.patch b/queue-4.9/ppdev-fix-ppgettime-ppsettime-ioctls.patch
new file mode 100644 (file)
index 0000000..3b18573
--- /dev/null
@@ -0,0 +1,76 @@
+From 998174042da229e2cf5841f574aba4a743e69650 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 8 Nov 2019 21:34:30 +0100
+Subject: ppdev: fix PPGETTIME/PPSETTIME ioctls
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 998174042da229e2cf5841f574aba4a743e69650 upstream.
+
+Going through the uses of timeval in the user space API,
+I noticed two bugs in ppdev that were introduced in the y2038
+conversion:
+
+* The range check was accidentally moved from ppsettime to
+  ppgettime
+
+* On sparc64, the microseconds are in the other half of the
+  64-bit word.
+
+Fix both, and mark the fix for stable backports.
+
+Cc: stable@vger.kernel.org
+Fixes: 3b9ab374a1e6 ("ppdev: convert to y2038 safe")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20191108203435.112759-8-arnd@arndb.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ppdev.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/ppdev.c
++++ b/drivers/char/ppdev.c
+@@ -624,20 +624,27 @@ static int pp_do_ioctl(struct file *file
+               if (copy_from_user(time32, argp, sizeof(time32)))
+                       return -EFAULT;
++              if ((time32[0] < 0) || (time32[1] < 0))
++                      return -EINVAL;
++
+               return pp_set_timeout(pp->pdev, time32[0], time32[1]);
+       case PPSETTIME64:
+               if (copy_from_user(time64, argp, sizeof(time64)))
+                       return -EFAULT;
++              if ((time64[0] < 0) || (time64[1] < 0))
++                      return -EINVAL;
++
++              if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall())
++                      time64[1] >>= 32;
++
+               return pp_set_timeout(pp->pdev, time64[0], time64[1]);
+       case PPGETTIME32:
+               jiffies_to_timespec64(pp->pdev->timeout, &ts);
+               time32[0] = ts.tv_sec;
+               time32[1] = ts.tv_nsec / NSEC_PER_USEC;
+-              if ((time32[0] < 0) || (time32[1] < 0))
+-                      return -EINVAL;
+               if (copy_to_user(argp, time32, sizeof(time32)))
+                       return -EFAULT;
+@@ -648,8 +655,9 @@ static int pp_do_ioctl(struct file *file
+               jiffies_to_timespec64(pp->pdev->timeout, &ts);
+               time64[0] = ts.tv_sec;
+               time64[1] = ts.tv_nsec / NSEC_PER_USEC;
+-              if ((time64[0] < 0) || (time64[1] < 0))
+-                      return -EINVAL;
++
++              if (IS_ENABLED(CONFIG_SPARC64) && !in_compat_syscall())
++                      time64[1] <<= 32;
+               if (copy_to_user(argp, time64, sizeof(time64)))
+                       return -EFAULT;
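Review bot: The two sparc64 shifts in the PPSETTIME64 and PPGETTIME64 cases have no comment, and nothing in the code says why the second word is shifted only for native (non-compat) callers. A comment above each, such as `/* sparc64 native timeval: 32-bit tv_usec is in the upper half of the second 64-bit word */`, would keep a later cleanup from removing them. The restored range check in the set cases also rejects only negative values. Whether an oversized microsecond or second count is bounded depends on pp_set_timeout(), which is outside this hunk; if it is not, a check like `time64[1] >= USEC_PER_SEC` placed after the shift would close that gap. pp_do_ioctl() starts before and ends after the hunk.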
index e8fa55c429546117fb2c10d3d304150d540ae85a..3e0e3060cad0382c8f474bc01bcfa4fdc492b6f8 100644 (file)
@@ -124,3 +124,19 @@ lib-raid6-fix-awk-build-warnings.patch
 alsa-hda-fix-pending-unsol-events-at-shutdown.patch
 workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch
 workqueue-fix-pwq-ref-leak-in-rescuer_thread.patch
+asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
+blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
+cgroup-pids-use-atomic64_t-for-pids-limit.patch
+ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
+media-bdisp-fix-memleak-on-release.patch
+media-radio-wl1273-fix-interrupt-masking-on-release.patch
+cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
+perf-tests-fix-out-of-bounds-memory-access.patch
+pm-devfreq-lock-devfreq-in-trans_stat_show.patch
+acpi-osl-only-free-map-once-in-osl.c.patch
+acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
+acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
+mmc-host-omap_hsmmc-add-code-for-special-init-of-wl1251-to-get-rid-of-pandora_wl1251_init_card.patch
+ppdev-fix-ppgettime-ppsettime-ioctls.patch