From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 7 Jan 2020 16:46:04 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.14.163~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3d37d12af125e56f43f7f2f3e36397dd16fe27d0;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
	bluetooth-delete-a-stray-unlock.patch
	regulator-ab8500-remove-ab8505-usb-regulator.patch
	tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
---

diff --git a/queue-4.4/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch b/queue-4.4/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
new file mode 100644
index 00000000000..e767e818f84
--- /dev/null
+++ b/queue-4.4/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
@@ -0,0 +1,41 @@
+From 3d44a6fd0775e6215e836423e27f8eedf8c871ea Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 16:01:18 +0100
+Subject: Bluetooth: btusb: fix PM leak in error case of setup
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 3d44a6fd0775e6215e836423e27f8eedf8c871ea upstream.
+
+If setup() fails a reference for runtime PM has already
+been taken. Proper use of the error handling in btusb_open()is needed.
+You cannot just return.
+
+Fixes: ace31982585a3 ("Bluetooth: btusb: Add setup callback for chip init on USB")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1056,7 +1056,7 @@ static int btusb_open(struct hci_dev *hd
+ 	if (data->setup_on_usb) {
+ 		err = data->setup_on_usb(hdev);
+ 		if (err < 0)
+-			return err;
++			goto setup_fail;
+ 	}
+ 
+ 	err = usb_autopm_get_interface(data->intf);
+@@ -1092,6 +1092,7 @@ done:
+ 
+ failed:
+ 	clear_bit(BTUSB_INTR_RUNNING, &data->flags);
++setup_fail:
+ 	usb_autopm_put_interface(data->intf);
+ 	return err;
+ }
diff --git a/queue-4.4/bluetooth-delete-a-stray-unlock.patch b/queue-4.4/bluetooth-delete-a-stray-unlock.patch
new file mode 100644
index 00000000000..e89ba2db7ae
--- /dev/null
+++ b/queue-4.4/bluetooth-delete-a-stray-unlock.patch
@@ -0,0 +1,36 @@
+From df66499a1fab340c167250a5743931dc50d5f0fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Nov 2019 09:17:05 +0300
+Subject: Bluetooth: delete a stray unlock
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
+
+We used to take a lock in amp_physical_cfm() but then we moved it to
+the caller function.  Unfortunately the unlock on this error path was
+overlooked so it leads to a double unlock.
+
+Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/l2cap_core.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4897,10 +4897,8 @@ void __l2cap_physical_cfm(struct l2cap_c
+ 	BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
+ 	       chan, result, local_amp_id, remote_amp_id);
+ 
+-	if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
+-		l2cap_chan_unlock(chan);
++	if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
+ 		return;
+-	}
+ 
+ 	if (chan->state != BT_CONNECTED) {
+ 		l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
diff --git a/queue-4.4/regulator-ab8500-remove-ab8505-usb-regulator.patch b/queue-4.4/regulator-ab8500-remove-ab8505-usb-regulator.patch
new file mode 100644
index 00000000000..18450dd6082
--- /dev/null
+++ b/queue-4.4/regulator-ab8500-remove-ab8505-usb-regulator.patch
@@ -0,0 +1,75 @@
+From 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Wed, 6 Nov 2019 18:31:24 +0100
+Subject: regulator: ab8500: Remove AB8505 USB regulator
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.
+
+The USB regulator was removed for AB8500 in
+commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
+It was then added for AB8505 in
+commit 547f384f33db ("regulator: ab8500: add support for ab8505").
+
+However, there was never an entry added for it in
+ab8505_regulator_match. This causes all regulators after it
+to be initialized with the wrong device tree data, eventually
+leading to an out-of-bounds array read.
+
+Given that it is not used anywhere in the kernel, it seems
+likely that similar arguments against supporting it exist for
+AB8505 (it is controlled by hardware).
+
+Therefore, simply remove it like for AB8500 instead of adding
+an entry in ab8505_regulator_match.
+
+Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/ab8500.c       |   17 -----------------
+ include/linux/regulator/ab8500.h |    1 -
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/regulator/ab8500.c
++++ b/drivers/regulator/ab8500.c
+@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
+ 		.update_val_idle	= 0x82,
+ 		.update_val_normal	= 0x02,
+ 	},
+-	[AB8505_LDO_USB] = {
+-		.desc = {
+-			.name           = "LDO-USB",
+-			.ops            = &ab8500_regulator_mode_ops,
+-			.type           = REGULATOR_VOLTAGE,
+-			.id             = AB8505_LDO_USB,
+-			.owner          = THIS_MODULE,
+-			.n_voltages     = 1,
+-			.volt_table	= fixed_3300000_voltage,
+-		},
+-		.update_bank            = 0x03,
+-		.update_reg             = 0x82,
+-		.update_mask            = 0x03,
+-		.update_val		= 0x01,
+-		.update_val_idle	= 0x03,
+-		.update_val_normal	= 0x01,
+-	},
+ 	[AB8505_LDO_AUDIO] = {
+ 		.desc = {
+ 			.name		= "LDO-AUDIO",
+--- a/include/linux/regulator/ab8500.h
++++ b/include/linux/regulator/ab8500.h
+@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
+ 	AB8505_LDO_AUX6,
+ 	AB8505_LDO_INTCORE,
+ 	AB8505_LDO_ADC,
+-	AB8505_LDO_USB,
+ 	AB8505_LDO_AUDIO,
+ 	AB8505_LDO_ANAMIC1,
+ 	AB8505_LDO_ANAMIC2,
diff --git a/queue-4.4/series b/queue-4.4/series
index 19b2bbb92d6..554ef49719f 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -20,3 +20,7 @@ compat_ioctl-block-handle-persistent-reservations.patch
 gpiolib-fix-up-emulated-open-drain-outputs.patch
 alsa-cs4236-fix-error-return-comparison-of-an-unsigned-integer.patch
 ftrace-avoid-potential-division-by-zero-in-function-profiler.patch
+bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
+bluetooth-delete-a-stray-unlock.patch
+regulator-ab8500-remove-ab8505-usb-regulator.patch
+tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
diff --git a/queue-4.4/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/queue-4.4/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
new file mode 100644
index 00000000000..3bff29b7e17
--- /dev/null
+++ b/queue-4.4/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
@@ -0,0 +1,68 @@
+From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Wed, 27 Nov 2019 22:15:43 +0800
+Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
+
+From: Leo Yan <leo.yan@linaro.org>
+
+commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
+
+As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
+has mentioned the uart driver might cause recursive locking between
+normal printing and the kernel debugging facilities (e.g. sysrq and
+oops).  In the commit it gave out suggestion for fixing recursive
+locking issue: "The solution is to avoid locking in the sysrq case
+and trylock in the oops_in_progress case."
+
+This patch follows the suggestion (also used the exactly same code with
+other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
+issue, this can avoid stuck caused by deadlock and print out log for
+sysrq and oops.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Reviewed-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
+Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/msm_serial.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1381,6 +1381,7 @@ static void __msm_console_write(struct u
+ 	int num_newlines = 0;
+ 	bool replaced = false;
+ 	void __iomem *tf;
++	int locked = 1;
+ 
+ 	if (is_uartdm)
+ 		tf = port->membase + UARTDM_TF;
+@@ -1393,7 +1394,13 @@ static void __msm_console_write(struct u
+ 			num_newlines++;
+ 	count += num_newlines;
+ 
+-	spin_lock(&port->lock);
++	if (port->sysrq)
++		locked = 0;
++	else if (oops_in_progress)
++		locked = spin_trylock(&port->lock);
++	else
++		spin_lock(&port->lock);
++
+ 	if (is_uartdm)
+ 		msm_reset_dm_count(port, count);
+ 
+@@ -1429,7 +1436,9 @@ static void __msm_console_write(struct u
+ 		iowrite32_rep(tf, buf, 1);
+ 		i += num_chars;
+ 	}
+-	spin_unlock(&port->lock);
++
++	if (locked)
++		spin_unlock(&port->lock);
+ }
+ 
+ static void msm_console_write(struct console *co, const char *s,