--- /dev/null
+From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+Date: Thu, 28 Nov 2019 15:58:29 +0530
+Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
+
+From: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+
+commit 627ead724eff33673597216f5020b72118827de4 upstream.
+
+kmemleak reported backtrace:
+ [<bbee0454>] kmem_cache_alloc_trace+0x128/0x260
+ [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0
+ [<1180f4fc>] i2c_register_adapter+0x186/0x400
+ [<6083baf7>] i2c_add_adapter+0x4e/0x70
+ [<a3ddf966>] intel_gmbus_setup+0x1a2/0x2c0 [i915]
+ [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915]
+ [<81911d4b>] i915_pci_probe+0x48/0x160 [i915]
+ [<4b159af1>] pci_device_probe+0xdc/0x160
+ [<b3c64704>] really_probe+0x1ee/0x450
+ [<bc029f5a>] driver_probe_device+0x142/0x1b0
+ [<d8829d20>] device_driver_attach+0x49/0x50
+ [<de71f045>] __driver_attach+0xc9/0x150
+ [<df33ac83>] bus_for_each_dev+0x56/0xa0
+ [<80089bba>] driver_attach+0x19/0x20
+ [<cc73f583>] bus_add_driver+0x177/0x220
+ [<7b29d8c7>] driver_register+0x56/0xf0
+
+In i2c_acpi_remove_space_handler(), a leak occurs whenever the
+"data" parameter is initialized to 0 before being passed to
+acpi_bus_get_private_data().
+
+This is because the NULL pointer check in acpi_bus_get_private_data()
+(condition->if(!*data)) returns EINVAL and, in consequence, memory is
+never freed in i2c_acpi_remove_space_handler().
+
+Fix the NULL pointer check in acpi_bus_get_private_data() to follow
+the analogous check in acpi_get_data_full().
+
+Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
+[ rjw: Subject & changelog ]
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -154,7 +154,7 @@ int acpi_bus_get_private_data(acpi_handl
+ {
+ acpi_status status;
+
+- if (!*data)
++ if (!data)
+ return -EINVAL;
+
+ status = acpi_get_data(handle, acpi_bus_private_data_handler, data);
--- /dev/null
+From 833a426cc471b6088011b3d67f1dc4e147614647 Mon Sep 17 00:00:00 2001
+From: Francesco Ruggeri <fruggeri@arista.com>
+Date: Tue, 19 Nov 2019 21:47:27 -0800
+Subject: ACPI: OSL: only free map once in osl.c
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream.
+
+acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock
+before freeing the map. This creates a race condition the can result
+in the map being freed more than once.
+A panic can be caused by running
+
+for ((i=0; i<10; i++))
+do
+ for ((j=0; j<100000; j++))
+ do
+ cat /sys/firmware/acpi/tables/data/BERT >/dev/null
+ done &
+done
+
+This patch makes sure that only the process that drops the reference
+to 0 does the freeing.
+
+Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c")
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/osl.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/drivers/acpi/osl.c
++++ b/drivers/acpi/osl.c
+@@ -424,24 +424,27 @@ acpi_os_map_memory(acpi_physical_address
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_map_memory);
+
+-static void acpi_os_drop_map_ref(struct acpi_ioremap *map)
++/* Must be called with mutex_lock(&acpi_ioremap_lock) */
++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map)
+ {
+- if (!--map->refcount)
++ unsigned long refcount = --map->refcount;
++
++ if (!refcount)
+ list_del_rcu(&map->list);
++ return refcount;
+ }
+
+ static void acpi_os_map_cleanup(struct acpi_ioremap *map)
+ {
+- if (!map->refcount) {
+- synchronize_rcu_expedited();
+- acpi_unmap(map->phys, map->virt);
+- kfree(map);
+- }
++ synchronize_rcu_expedited();
++ acpi_unmap(map->phys, map->virt);
++ kfree(map);
+ }
+
+ void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size)
+ {
+ struct acpi_ioremap *map;
++ unsigned long refcount;
+
+ if (!acpi_gbl_permanent_mmap) {
+ __acpi_unmap_table(virt, size);
+@@ -455,10 +458,11 @@ void __ref acpi_os_unmap_iomem(void __io
+ WARN(true, PREFIX "%s: bad address %p\n", __func__, virt);
+ return;
+ }
+- acpi_os_drop_map_ref(map);
++ refcount = acpi_os_drop_map_ref(map);
+ mutex_unlock(&acpi_ioremap_lock);
+
+- acpi_os_map_cleanup(map);
++ if (!refcount)
++ acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem);
+
+@@ -499,6 +503,7 @@ void acpi_os_unmap_generic_address(struc
+ {
+ u64 addr;
+ struct acpi_ioremap *map;
++ unsigned long refcount;
+
+ if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY)
+ return;
+@@ -514,10 +519,11 @@ void acpi_os_unmap_generic_address(struc
+ mutex_unlock(&acpi_ioremap_lock);
+ return;
+ }
+- acpi_os_drop_map_ref(map);
++ refcount = acpi_os_drop_map_ref(map);
+ mutex_unlock(&acpi_ioremap_lock);
+
+- acpi_os_map_cleanup(map);
++ if (!refcount)
++ acpi_os_map_cleanup(map);
+ }
+ EXPORT_SYMBOL(acpi_os_unmap_generic_address);
+
--- /dev/null
+From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 4 Dec 2019 02:54:27 +0100
+Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream.
+
+Certain ACPI-enumerated devices represented as platform devices in
+Linux, like fans, require special low-level power management handling
+implemented by their drivers that is not in agreement with the ACPI
+PM domain behavior. That leads to problems with managing ACPI fans
+during system-wide suspend and resume.
+
+For this reason, make acpi_dev_pm_attach() skip the affected devices
+by adding a list of device IDs to avoid to it and putting the IDs of
+the affected devices into that list.
+
+Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems)
+Reported-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Todd Brandt <todd.e.brandt@linux.intel.com>
+Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/device_pm.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/device_pm.c
++++ b/drivers/acpi/device_pm.c
+@@ -1094,9 +1094,19 @@ static void acpi_dev_pm_detach(struct de
+ */
+ int acpi_dev_pm_attach(struct device *dev, bool power_on)
+ {
++ /*
++ * Skip devices whose ACPI companions match the device IDs below,
++ * because they require special power management handling incompatible
++ * with the generic ACPI PM domain.
++ */
++ static const struct acpi_device_id special_pm_ids[] = {
++ {"PNP0C0B", }, /* Generic ACPI fan */
++ {"INT3404", }, /* Fan */
++ {}
++ };
+ struct acpi_device *adev = ACPI_COMPANION(dev);
+
+- if (!adev)
++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids))
+ return -ENODEV;
+
+ if (dev->pm_domain)
--- /dev/null
+From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Mon, 30 Sep 2019 23:31:47 +0300
+Subject: ar5523: check NULL before memcpy() in ar5523_cmd()
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 315cee426f87658a6799815845788fde965ddaad upstream.
+
+memcpy() call with "idata == NULL && ilen == 0" results in undefined
+behavior in ar5523_cmd(). For example, NULL is passed in callchain
+"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
+adds ilen check before memcpy() call in ar5523_cmd() to prevent an
+undefined behavior.
+
+Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ar5523/ar5523.c
++++ b/drivers/net/wireless/ath/ar5523/ar5523.c
+@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar,
+
+ if (flags & AR5523_CMD_FLAG_MAGIC)
+ hdr->magic = cpu_to_be32(1 << 24);
+- memcpy(hdr + 1, idata, ilen);
++ if (ilen)
++ memcpy(hdr + 1, idata, ilen);
+
+ cmd->odata = odata;
+ cmd->olen = olen;
--- /dev/null
+From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Date: Tue, 12 Nov 2019 14:02:36 +0100
+Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
+
+From: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+
+commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream.
+
+Check for existance of jack before tracing.
+NULL pointer dereference has been reported by KASAN while unloading
+machine driver (snd_soc_cnl_rt274).
+
+Signed-off-by: Pawel Harlozinski <pawel.harlozinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/soc-jack.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/soc/soc-jack.c
++++ b/sound/soc/soc-jack.c
+@@ -80,10 +80,9 @@ void snd_soc_jack_report(struct snd_soc_
+ unsigned int sync = 0;
+ int enable;
+
+- trace_snd_soc_jack_report(jack, mask, status);
+-
+ if (!jack)
+ return;
++ trace_snd_soc_jack_report(jack, mask, status);
+
+ dapm = &jack->card->dapm;
+
--- /dev/null
+From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Sat, 2 Nov 2019 16:02:15 +0800
+Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream.
+
+It is reported that sysfs buffer overflow can be triggered if the system
+has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of
+hctx via /sys/block/$DEV/mq/$N/cpu_list.
+
+Use snprintf to avoid the potential buffer overflow.
+
+This version doesn't change the attribute format, and simply stops
+showing CPU numbers if the buffer is going to overflow.
+
+Cc: stable@vger.kernel.org
+Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-mq-sysfs.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -231,20 +231,25 @@ static ssize_t blk_mq_hw_sysfs_active_sh
+
+ static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page)
+ {
++ const size_t size = PAGE_SIZE - 1;
+ unsigned int i, first = 1;
+- ssize_t ret = 0;
++ int ret = 0, pos = 0;
+
+ for_each_cpu(i, hctx->cpumask) {
+ if (first)
+- ret += sprintf(ret + page, "%u", i);
++ ret = snprintf(pos + page, size - pos, "%u", i);
+ else
+- ret += sprintf(ret + page, ", %u", i);
++ ret = snprintf(pos + page, size - pos, ", %u", i);
++
++ if (ret >= size - pos)
++ break;
+
+ first = 0;
++ pos += ret;
+ }
+
+- ret += sprintf(ret + page, "\n");
+- return ret;
++ ret = snprintf(pos + page, size - pos, "\n");
++ return pos + ret;
+ }
+
+ static struct blk_mq_ctx_sysfs_entry blk_mq_sysfs_dispatched = {
--- /dev/null
+From a713af394cf382a30dd28a1015cbe572f1b9ca75 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <cyphar@cyphar.com>
+Date: Thu, 17 Oct 2019 02:50:01 +1100
+Subject: cgroup: pids: use atomic64_t for pids->limit
+
+From: Aleksa Sarai <cyphar@cyphar.com>
+
+commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream.
+
+Because pids->limit can be changed concurrently (but we don't want to
+take a lock because it would be needlessly expensive), use atomic64_ts
+instead.
+
+Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem")
+Cc: stable@vger.kernel.org # v4.3+
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup_pids.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/cgroup_pids.c
++++ b/kernel/cgroup_pids.c
+@@ -48,7 +48,7 @@ struct pids_cgroup {
+ * %PIDS_MAX = (%PID_MAX_LIMIT + 1).
+ */
+ atomic64_t counter;
+- int64_t limit;
++ atomic64_t limit;
+ };
+
+ static struct pids_cgroup *css_pids(struct cgroup_subsys_state *css)
+@@ -70,8 +70,8 @@ pids_css_alloc(struct cgroup_subsys_stat
+ if (!pids)
+ return ERR_PTR(-ENOMEM);
+
+- pids->limit = PIDS_MAX;
+ atomic64_set(&pids->counter, 0);
++ atomic64_set(&pids->limit, PIDS_MAX);
+ return &pids->css;
+ }
+
+@@ -142,13 +142,14 @@ static int pids_try_charge(struct pids_c
+
+ for (p = pids; parent_pids(p); p = parent_pids(p)) {
+ int64_t new = atomic64_add_return(num, &p->counter);
++ int64_t limit = atomic64_read(&p->limit);
+
+ /*
+ * Since new is capped to the maximum number of pid_t, if
+ * p->limit is %PIDS_MAX then we know that this test will never
+ * fail.
+ */
+- if (new > p->limit)
++ if (new > limit)
+ goto revert;
+ }
+
+@@ -262,7 +263,7 @@ set_limit:
+ * Limit updates don't need to be mutex'd, since it isn't
+ * critical that any racing fork()s follow the new limit.
+ */
+- pids->limit = limit;
++ atomic64_set(&pids->limit, limit);
+ return nbytes;
+ }
+
+@@ -270,7 +271,7 @@ static int pids_max_show(struct seq_file
+ {
+ struct cgroup_subsys_state *css = seq_css(sf);
+ struct pids_cgroup *pids = css_pids(css);
+- int64_t limit = pids->limit;
++ int64_t limit = atomic64_read(&pids->limit);
+
+ if (limit >= PIDS_MAX)
+ seq_printf(sf, "%s\n", PIDS_MAX_STR);
--- /dev/null
+From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+Date: Wed, 23 Oct 2019 09:57:14 +0800
+Subject: cpuidle: Do not unset the driver if it is there already
+
+From: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+
+commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream.
+
+Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has
+a driver different from drv already and, if so, return -EBUSY before
+updating any cpuidle_drivers per-CPU pointers.
+
+Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support")
+Cc: 3.11+ <stable@vger.kernel.org> # 3.11+
+Signed-off-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
+[ rjw: Subject & changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpuidle/driver.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/cpuidle/driver.c
++++ b/drivers/cpuidle/driver.c
+@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive
+ * __cpuidle_set_driver - set per CPU driver variables for the given driver.
+ * @drv: a valid pointer to a struct cpuidle_driver
+ *
+- * For each CPU in the driver's cpumask, unset the registered driver per CPU
+- * to @drv.
+- *
+- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already.
++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver
++ * different from drv already.
+ */
+ static inline int __cpuidle_set_driver(struct cpuidle_driver *drv)
+ {
+ int cpu;
+
+ for_each_cpu(cpu, drv->cpumask) {
++ struct cpuidle_driver *old_drv;
+
+- if (__cpuidle_get_cpu_driver(cpu)) {
+- __cpuidle_unset_driver(drv);
++ old_drv = __cpuidle_get_cpu_driver(cpu);
++ if (old_drv && old_drv != drv)
+ return -EBUSY;
+- }
++ }
+
++ for_each_cpu(cpu, drv->cpumask)
+ per_cpu(cpuidle_drivers, cpu) = drv;
+- }
+
+ return 0;
+ }
--- /dev/null
+From 11609a7e21f8cea42630350aa57662928fa4dc63 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:31 -0300
+Subject: media: bdisp: fix memleak on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream.
+
+If a process is interrupted while accessing the video device and the
+device lock is contended, release() could return early and fail to free
+related resources.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework")
+Cc: stable <stable@vger.kernel.org> # 4.2
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -652,8 +652,7 @@ static int bdisp_release(struct file *fi
+
+ dev_dbg(bdisp->dev, "%s\n", __func__);
+
+- if (mutex_lock_interruptible(&bdisp->lock))
+- return -ERESTARTSYS;
++ mutex_lock(&bdisp->lock);
+
+ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
+
--- /dev/null
+From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 10:13:32 -0300
+Subject: media: radio: wl1273: fix interrupt masking on release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1091eb830627625dcf79958d99353c2391f41708 upstream.
+
+If a process is interrupted while accessing the radio device and the
+core lock is contended, release() could return early and fail to update
+the interrupt mask.
+
+Note that the return value of the v4l2 release file operation is
+ignored.
+
+Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.38
+Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/radio/radio-wl1273.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/radio/radio-wl1273.c
++++ b/drivers/media/radio/radio-wl1273.c
+@@ -1149,8 +1149,7 @@ static int wl1273_fm_fops_release(struct
+ if (radio->rds_users > 0) {
+ radio->rds_users--;
+ if (radio->rds_users == 0) {
+- if (mutex_lock_interruptible(&core->lock))
+- return -EINTR;
++ mutex_lock(&core->lock);
+
+ radio->irq_flags &= ~WL1273_RDS_EVENT;
+
--- /dev/null
+From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:10 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in init code
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream.
+
+Several functions use for_each_child_of_node() loop with a break to find
+a matching child node. Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it. This leads to leak of device node.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -286,6 +286,7 @@ static int samsung_dt_node_to_map(struct
+ &reserved_maps, num_maps);
+ if (ret < 0) {
+ samsung_dt_free_map(pctldev, *map, *num_maps);
++ of_node_put(np);
+ return ret;
+ }
+ }
+@@ -753,8 +754,10 @@ static struct samsung_pmx_func *samsung_
+ if (!of_get_child_count(cfg_np)) {
+ ret = samsung_pinctrl_create_function(dev, drvdata,
+ cfg_np, func);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(cfg_np);
+ return ERR_PTR(ret);
++ }
+ if (ret > 0) {
+ ++func;
+ ++func_cnt;
+@@ -765,8 +768,11 @@ static struct samsung_pmx_func *samsung_
+ for_each_child_of_node(cfg_np, func_np) {
+ ret = samsung_pinctrl_create_function(dev, drvdata,
+ func_np, func);
+- if (ret < 0)
++ if (ret < 0) {
++ of_node_put(func_np);
++ of_node_put(cfg_np);
+ return ERR_PTR(ret);
++ }
+ if (ret > 0) {
+ ++func;
+ ++func_cnt;
--- /dev/null
+From 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 5 Aug 2019 18:27:08 +0200
+Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream.
+
+In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a
+break to find a matching child node. Although each iteration of
+for_each_child_of_node puts the previous node, but early exit from loop
+misses it. This leads to leak of device node.
+
+Cc: <stable@vger.kernel.org>
+Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c
+@@ -495,8 +495,10 @@ static int s3c24xx_eint_init(struct sams
+ return -ENODEV;
+
+ eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL);
+- if (!eint_data)
++ if (!eint_data) {
++ of_node_put(eint_np);
+ return -ENOMEM;
++ }
+
+ eint_data->drvdata = d;
+
+@@ -508,12 +510,14 @@ static int s3c24xx_eint_init(struct sams
+ irq = irq_of_parse_and_map(eint_np, i);
+ if (!irq) {
+ dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i);
++ of_node_put(eint_np);
+ return -ENXIO;
+ }
+
+ eint_data->parents[i] = irq;
+ irq_set_chained_handler_and_data(irq, handlers[i], eint_data);
+ }
++ of_node_put(eint_np);
+
+ bank = d->pin_banks;
+ for (i = 0; i < d->nr_banks; ++i, ++bank) {
lib-raid6-fix-awk-build-warnings.patch
workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch
workqueue-fix-pwq-ref-leak-in-rescuer_thread.patch
+asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch
+blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch
+cgroup-pids-use-atomic64_t-for-pids-limit.patch
+ar5523-check-null-before-memcpy-in-ar5523_cmd.patch
+media-bdisp-fix-memleak-on-release.patch
+media-radio-wl1273-fix-interrupt-masking-on-release.patch
+cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch
+acpi-osl-only-free-map-once-in-osl.c.patch
+acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch
+acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch
+pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
