From: Greg Kroah-Hartman Date: Sun, 15 Dec 2019 13:38:23 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.4.4~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=69f8f8fdd87b49772226d0075d3a917d2ed40b61;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch acpi-osl-only-free-map-once-in-osl.c.patch acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch ar5523-check-null-before-memcpy-in-ar5523_cmd.patch asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch cgroup-pids-use-atomic64_t-for-pids-limit.patch cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch media-bdisp-fix-memleak-on-release.patch media-radio-wl1273-fix-interrupt-masking-on-release.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch --- diff --git a/queue-4.4/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch b/queue-4.4/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch new file mode 100644 index 00000000000..43e91f244db --- /dev/null +++ b/queue-4.4/acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch @@ -0,0 +1,59 @@ +From 627ead724eff33673597216f5020b72118827de4 Mon Sep 17 00:00:00 2001 +From: Vamshi K Sthambamkadi +Date: Thu, 28 Nov 2019 15:58:29 +0530 +Subject: ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() + +From: Vamshi K Sthambamkadi + +commit 627ead724eff33673597216f5020b72118827de4 upstream. + +kmemleak reported backtrace: + [] kmem_cache_alloc_trace+0x128/0x260 + [<6677f215>] i2c_acpi_install_space_handler+0x4b/0xe0 + [<1180f4fc>] i2c_register_adapter+0x186/0x400 + [<6083baf7>] i2c_add_adapter+0x4e/0x70 + [] intel_gmbus_setup+0x1a2/0x2c0 [i915] + [<84cb69ae>] i915_driver_probe+0x8d8/0x13a0 [i915] + [<81911d4b>] i915_pci_probe+0x48/0x160 [i915] + [<4b159af1>] pci_device_probe+0xdc/0x160 + [] really_probe+0x1ee/0x450 + [] driver_probe_device+0x142/0x1b0 + [] device_driver_attach+0x49/0x50 + [] __driver_attach+0xc9/0x150 + [] bus_for_each_dev+0x56/0xa0 + [<80089bba>] driver_attach+0x19/0x20 + [] bus_add_driver+0x177/0x220 + [<7b29d8c7>] driver_register+0x56/0xf0 + +In i2c_acpi_remove_space_handler(), a leak occurs whenever the +"data" parameter is initialized to 0 before being passed to +acpi_bus_get_private_data(). + +This is because the NULL pointer check in acpi_bus_get_private_data() +(condition->if(!*data)) returns EINVAL and, in consequence, memory is +never freed in i2c_acpi_remove_space_handler(). + +Fix the NULL pointer check in acpi_bus_get_private_data() to follow +the analogous check in acpi_get_data_full(). + +Signed-off-by: Vamshi K Sthambamkadi +[ rjw: Subject & changelog ] +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -154,7 +154,7 @@ int acpi_bus_get_private_data(acpi_handl + { + acpi_status status; + +- if (!*data) ++ if (!data) + return -EINVAL; + + status = acpi_get_data(handle, acpi_bus_private_data_handler, data); diff --git a/queue-4.4/acpi-osl-only-free-map-once-in-osl.c.patch b/queue-4.4/acpi-osl-only-free-map-once-in-osl.c.patch new file mode 100644 index 00000000000..0fabc14a10b --- /dev/null +++ b/queue-4.4/acpi-osl-only-free-map-once-in-osl.c.patch @@ -0,0 +1,109 @@ +From 833a426cc471b6088011b3d67f1dc4e147614647 Mon Sep 17 00:00:00 2001 +From: Francesco Ruggeri +Date: Tue, 19 Nov 2019 21:47:27 -0800 +Subject: ACPI: OSL: only free map once in osl.c + +From: Francesco Ruggeri + +commit 833a426cc471b6088011b3d67f1dc4e147614647 upstream. + +acpi_os_map_cleanup checks map->refcount outside of acpi_ioremap_lock +before freeing the map. This creates a race condition the can result +in the map being freed more than once. +A panic can be caused by running + +for ((i=0; i<10; i++)) +do + for ((j=0; j<100000; j++)) + do + cat /sys/firmware/acpi/tables/data/BERT >/dev/null + done & +done + +This patch makes sure that only the process that drops the reference +to 0 does the freeing. + +Fixes: b7c1fadd6c2e ("ACPI: Do not use krefs under a mutex in osl.c") +Signed-off-by: Francesco Ruggeri +Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -424,24 +424,27 @@ acpi_os_map_memory(acpi_physical_address + } + EXPORT_SYMBOL_GPL(acpi_os_map_memory); + +-static void acpi_os_drop_map_ref(struct acpi_ioremap *map) ++/* Must be called with mutex_lock(&acpi_ioremap_lock) */ ++static unsigned long acpi_os_drop_map_ref(struct acpi_ioremap *map) + { +- if (!--map->refcount) ++ unsigned long refcount = --map->refcount; ++ ++ if (!refcount) + list_del_rcu(&map->list); ++ return refcount; + } + + static void acpi_os_map_cleanup(struct acpi_ioremap *map) + { +- if (!map->refcount) { +- synchronize_rcu_expedited(); +- acpi_unmap(map->phys, map->virt); +- kfree(map); +- } ++ synchronize_rcu_expedited(); ++ acpi_unmap(map->phys, map->virt); ++ kfree(map); + } + + void __ref acpi_os_unmap_iomem(void __iomem *virt, acpi_size size) + { + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (!acpi_gbl_permanent_mmap) { + __acpi_unmap_table(virt, size); +@@ -455,10 +458,11 @@ void __ref acpi_os_unmap_iomem(void __io + WARN(true, PREFIX "%s: bad address %p\n", __func__, virt); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL_GPL(acpi_os_unmap_iomem); + +@@ -499,6 +503,7 @@ void acpi_os_unmap_generic_address(struc + { + u64 addr; + struct acpi_ioremap *map; ++ unsigned long refcount; + + if (gas->space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY) + return; +@@ -514,10 +519,11 @@ void acpi_os_unmap_generic_address(struc + mutex_unlock(&acpi_ioremap_lock); + return; + } +- acpi_os_drop_map_ref(map); ++ refcount = acpi_os_drop_map_ref(map); + mutex_unlock(&acpi_ioremap_lock); + +- acpi_os_map_cleanup(map); ++ if (!refcount) ++ acpi_os_map_cleanup(map); + } + EXPORT_SYMBOL(acpi_os_unmap_generic_address); + diff --git a/queue-4.4/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch b/queue-4.4/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch new file mode 100644 index 00000000000..97927894f4b --- /dev/null +++ b/queue-4.4/acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch @@ -0,0 +1,53 @@ +From b9ea0bae260f6aae546db224daa6ac1bd9d94b91 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Wed, 4 Dec 2019 02:54:27 +0100 +Subject: ACPI: PM: Avoid attaching ACPI PM domain to certain devices + +From: Rafael J. Wysocki + +commit b9ea0bae260f6aae546db224daa6ac1bd9d94b91 upstream. + +Certain ACPI-enumerated devices represented as platform devices in +Linux, like fans, require special low-level power management handling +implemented by their drivers that is not in agreement with the ACPI +PM domain behavior. That leads to problems with managing ACPI fans +during system-wide suspend and resume. + +For this reason, make acpi_dev_pm_attach() skip the affected devices +by adding a list of device IDs to avoid to it and putting the IDs of +the affected devices into that list. + +Fixes: e5cc8ef31267 (ACPI / PM: Provide ACPI PM callback routines for subsystems) +Reported-by: Zhang Rui +Tested-by: Todd Brandt +Cc: 3.10+ # 3.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/device_pm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/device_pm.c ++++ b/drivers/acpi/device_pm.c +@@ -1094,9 +1094,19 @@ static void acpi_dev_pm_detach(struct de + */ + int acpi_dev_pm_attach(struct device *dev, bool power_on) + { ++ /* ++ * Skip devices whose ACPI companions match the device IDs below, ++ * because they require special power management handling incompatible ++ * with the generic ACPI PM domain. ++ */ ++ static const struct acpi_device_id special_pm_ids[] = { ++ {"PNP0C0B", }, /* Generic ACPI fan */ ++ {"INT3404", }, /* Fan */ ++ {} ++ }; + struct acpi_device *adev = ACPI_COMPANION(dev); + +- if (!adev) ++ if (!adev || !acpi_match_device_ids(adev, special_pm_ids)) + return -ENODEV; + + if (dev->pm_domain) diff --git a/queue-4.4/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch b/queue-4.4/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch new file mode 100644 index 00000000000..f6bdacaf136 --- /dev/null +++ b/queue-4.4/ar5523-check-null-before-memcpy-in-ar5523_cmd.patch @@ -0,0 +1,40 @@ +From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 +From: Denis Efremov +Date: Mon, 30 Sep 2019 23:31:47 +0300 +Subject: ar5523: check NULL before memcpy() in ar5523_cmd() + +From: Denis Efremov + +commit 315cee426f87658a6799815845788fde965ddaad upstream. + +memcpy() call with "idata == NULL && ilen == 0" results in undefined +behavior in ar5523_cmd(). For example, NULL is passed in callchain +"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch +adds ilen check before memcpy() call in ar5523_cmd() to prevent an +undefined behavior. + +Cc: Pontus Fuchs +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: David Laight +Cc: stable@vger.kernel.org +Signed-off-by: Denis Efremov +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, + + if (flags & AR5523_CMD_FLAG_MAGIC) + hdr->magic = cpu_to_be32(1 << 24); +- memcpy(hdr + 1, idata, ilen); ++ if (ilen) ++ memcpy(hdr + 1, idata, ilen); + + cmd->odata = odata; + cmd->olen = olen; diff --git a/queue-4.4/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch b/queue-4.4/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch new file mode 100644 index 00000000000..9f1ba7d39b8 --- /dev/null +++ b/queue-4.4/asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch @@ -0,0 +1,37 @@ +From 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f Mon Sep 17 00:00:00 2001 +From: Pawel Harlozinski +Date: Tue, 12 Nov 2019 14:02:36 +0100 +Subject: ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report + +From: Pawel Harlozinski + +commit 8f157d4ff039e03e2ed4cb602eeed2fd4687a58f upstream. + +Check for existance of jack before tracing. +NULL pointer dereference has been reported by KASAN while unloading +machine driver (snd_soc_cnl_rt274). + +Signed-off-by: Pawel Harlozinski +Link: https://lore.kernel.org/r/20191112130237.10141-1-pawel.harlozinski@linux.intel.com +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-jack.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -80,10 +80,9 @@ void snd_soc_jack_report(struct snd_soc_ + unsigned int sync = 0; + int enable; + +- trace_snd_soc_jack_report(jack, mask, status); +- + if (!jack) + return; ++ trace_snd_soc_jack_report(jack, mask, status); + + dapm = &jack->card->dapm; + diff --git a/queue-4.4/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch b/queue-4.4/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch new file mode 100644 index 00000000000..ea5d9d91838 --- /dev/null +++ b/queue-4.4/blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch @@ -0,0 +1,61 @@ +From 8962842ca5abdcf98e22ab3b2b45a103f0408b95 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sat, 2 Nov 2019 16:02:15 +0800 +Subject: blk-mq: avoid sysfs buffer overflow with too many CPU cores + +From: Ming Lei + +commit 8962842ca5abdcf98e22ab3b2b45a103f0408b95 upstream. + +It is reported that sysfs buffer overflow can be triggered if the system +has too many CPU cores(>841 on 4K PAGE_SIZE) when showing CPUs of +hctx via /sys/block/$DEV/mq/$N/cpu_list. + +Use snprintf to avoid the potential buffer overflow. + +This version doesn't change the attribute format, and simply stops +showing CPU numbers if the buffer is going to overflow. + +Cc: stable@vger.kernel.org +Fixes: 676141e48af7("blk-mq: don't dump CPU -> hw queue map on driver load") +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-mq-sysfs.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -231,20 +231,25 @@ static ssize_t blk_mq_hw_sysfs_active_sh + + static ssize_t blk_mq_hw_sysfs_cpus_show(struct blk_mq_hw_ctx *hctx, char *page) + { ++ const size_t size = PAGE_SIZE - 1; + unsigned int i, first = 1; +- ssize_t ret = 0; ++ int ret = 0, pos = 0; + + for_each_cpu(i, hctx->cpumask) { + if (first) +- ret += sprintf(ret + page, "%u", i); ++ ret = snprintf(pos + page, size - pos, "%u", i); + else +- ret += sprintf(ret + page, ", %u", i); ++ ret = snprintf(pos + page, size - pos, ", %u", i); ++ ++ if (ret >= size - pos) ++ break; + + first = 0; ++ pos += ret; + } + +- ret += sprintf(ret + page, "\n"); +- return ret; ++ ret = snprintf(pos + page, size - pos, "\n"); ++ return pos + ret; + } + + static struct blk_mq_ctx_sysfs_entry blk_mq_sysfs_dispatched = { diff --git a/queue-4.4/cgroup-pids-use-atomic64_t-for-pids-limit.patch b/queue-4.4/cgroup-pids-use-atomic64_t-for-pids-limit.patch new file mode 100644 index 00000000000..ca62582a2b7 --- /dev/null +++ b/queue-4.4/cgroup-pids-use-atomic64_t-for-pids-limit.patch @@ -0,0 +1,78 @@ +From a713af394cf382a30dd28a1015cbe572f1b9ca75 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Thu, 17 Oct 2019 02:50:01 +1100 +Subject: cgroup: pids: use atomic64_t for pids->limit + +From: Aleksa Sarai + +commit a713af394cf382a30dd28a1015cbe572f1b9ca75 upstream. + +Because pids->limit can be changed concurrently (but we don't want to +take a lock because it would be needlessly expensive), use atomic64_ts +instead. + +Fixes: commit 49b786ea146f ("cgroup: implement the PIDs subsystem") +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Aleksa Sarai +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup_pids.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/cgroup_pids.c ++++ b/kernel/cgroup_pids.c +@@ -48,7 +48,7 @@ struct pids_cgroup { + * %PIDS_MAX = (%PID_MAX_LIMIT + 1). + */ + atomic64_t counter; +- int64_t limit; ++ atomic64_t limit; + }; + + static struct pids_cgroup *css_pids(struct cgroup_subsys_state *css) +@@ -70,8 +70,8 @@ pids_css_alloc(struct cgroup_subsys_stat + if (!pids) + return ERR_PTR(-ENOMEM); + +- pids->limit = PIDS_MAX; + atomic64_set(&pids->counter, 0); ++ atomic64_set(&pids->limit, PIDS_MAX); + return &pids->css; + } + +@@ -142,13 +142,14 @@ static int pids_try_charge(struct pids_c + + for (p = pids; parent_pids(p); p = parent_pids(p)) { + int64_t new = atomic64_add_return(num, &p->counter); ++ int64_t limit = atomic64_read(&p->limit); + + /* + * Since new is capped to the maximum number of pid_t, if + * p->limit is %PIDS_MAX then we know that this test will never + * fail. + */ +- if (new > p->limit) ++ if (new > limit) + goto revert; + } + +@@ -262,7 +263,7 @@ set_limit: + * Limit updates don't need to be mutex'd, since it isn't + * critical that any racing fork()s follow the new limit. + */ +- pids->limit = limit; ++ atomic64_set(&pids->limit, limit); + return nbytes; + } + +@@ -270,7 +271,7 @@ static int pids_max_show(struct seq_file + { + struct cgroup_subsys_state *css = seq_css(sf); + struct pids_cgroup *pids = css_pids(css); +- int64_t limit = pids->limit; ++ int64_t limit = atomic64_read(&pids->limit); + + if (limit >= PIDS_MAX) + seq_printf(sf, "%s\n", PIDS_MAX_STR); diff --git a/queue-4.4/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch b/queue-4.4/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch new file mode 100644 index 00000000000..3fc653f90a7 --- /dev/null +++ b/queue-4.4/cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch @@ -0,0 +1,58 @@ +From 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 Mon Sep 17 00:00:00 2001 +From: Zhenzhong Duan +Date: Wed, 23 Oct 2019 09:57:14 +0800 +Subject: cpuidle: Do not unset the driver if it is there already + +From: Zhenzhong Duan + +commit 918c1fe9fbbe46fcf56837ff21f0ef96424e8b29 upstream. + +Fix __cpuidle_set_driver() to check if any of the CPUs in the mask has +a driver different from drv already and, if so, return -EBUSY before +updating any cpuidle_drivers per-CPU pointers. + +Fixes: 82467a5a885d ("cpuidle: simplify multiple driver support") +Cc: 3.11+ # 3.11+ +Signed-off-by: Zhenzhong Duan +[ rjw: Subject & changelog ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/driver.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/cpuidle/driver.c ++++ b/drivers/cpuidle/driver.c +@@ -60,24 +60,23 @@ static inline void __cpuidle_unset_drive + * __cpuidle_set_driver - set per CPU driver variables for the given driver. + * @drv: a valid pointer to a struct cpuidle_driver + * +- * For each CPU in the driver's cpumask, unset the registered driver per CPU +- * to @drv. +- * +- * Returns 0 on success, -EBUSY if the CPUs have driver(s) already. ++ * Returns 0 on success, -EBUSY if any CPU in the cpumask have a driver ++ * different from drv already. + */ + static inline int __cpuidle_set_driver(struct cpuidle_driver *drv) + { + int cpu; + + for_each_cpu(cpu, drv->cpumask) { ++ struct cpuidle_driver *old_drv; + +- if (__cpuidle_get_cpu_driver(cpu)) { +- __cpuidle_unset_driver(drv); ++ old_drv = __cpuidle_get_cpu_driver(cpu); ++ if (old_drv && old_drv != drv) + return -EBUSY; +- } ++ } + ++ for_each_cpu(cpu, drv->cpumask) + per_cpu(cpuidle_drivers, cpu) = drv; +- } + + return 0; + } diff --git a/queue-4.4/media-bdisp-fix-memleak-on-release.patch b/queue-4.4/media-bdisp-fix-memleak-on-release.patch new file mode 100644 index 00000000000..8d2497a7d16 --- /dev/null +++ b/queue-4.4/media-bdisp-fix-memleak-on-release.patch @@ -0,0 +1,40 @@ +From 11609a7e21f8cea42630350aa57662928fa4dc63 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:31 -0300 +Subject: media: bdisp: fix memleak on release + +From: Johan Hovold + +commit 11609a7e21f8cea42630350aa57662928fa4dc63 upstream. + +If a process is interrupted while accessing the video device and the +device lock is contended, release() could return early and fail to free +related resources. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework") +Cc: stable # 4.2 +Signed-off-by: Johan Hovold +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -652,8 +652,7 @@ static int bdisp_release(struct file *fi + + dev_dbg(bdisp->dev, "%s\n", __func__); + +- if (mutex_lock_interruptible(&bdisp->lock)) +- return -ERESTARTSYS; ++ mutex_lock(&bdisp->lock); + + v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); + diff --git a/queue-4.4/media-radio-wl1273-fix-interrupt-masking-on-release.patch b/queue-4.4/media-radio-wl1273-fix-interrupt-masking-on-release.patch new file mode 100644 index 00000000000..e79ba6f2712 --- /dev/null +++ b/queue-4.4/media-radio-wl1273-fix-interrupt-masking-on-release.patch @@ -0,0 +1,40 @@ +From 1091eb830627625dcf79958d99353c2391f41708 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 10 Oct 2019 10:13:32 -0300 +Subject: media: radio: wl1273: fix interrupt masking on release + +From: Johan Hovold + +commit 1091eb830627625dcf79958d99353c2391f41708 upstream. + +If a process is interrupted while accessing the radio device and the +core lock is contended, release() could return early and fail to update +the interrupt mask. + +Note that the return value of the v4l2 release file operation is +ignored. + +Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") +Cc: stable # 2.6.38 +Cc: Matti Aaltonen +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/radio/radio-wl1273.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/radio/radio-wl1273.c ++++ b/drivers/media/radio/radio-wl1273.c +@@ -1149,8 +1149,7 @@ static int wl1273_fm_fops_release(struct + if (radio->rds_users > 0) { + radio->rds_users--; + if (radio->rds_users == 0) { +- if (mutex_lock_interruptible(&core->lock)) +- return -EINTR; ++ mutex_lock(&core->lock); + + radio->irq_flags &= ~WL1273_RDS_EVENT; + diff --git a/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch b/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch new file mode 100644 index 00000000000..a2273e815e6 --- /dev/null +++ b/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch @@ -0,0 +1,58 @@ +From a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:10 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in init code + +From: Krzysztof Kozlowski + +commit a322b3377f4bac32aa25fb1acb9e7afbbbbd0137 upstream. + +Several functions use for_each_child_of_node() loop with a break to find +a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple pinmux/pinconf nodes") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -286,6 +286,7 @@ static int samsung_dt_node_to_map(struct + &reserved_maps, num_maps); + if (ret < 0) { + samsung_dt_free_map(pctldev, *map, *num_maps); ++ of_node_put(np); + return ret; + } + } +@@ -753,8 +754,10 @@ static struct samsung_pmx_func *samsung_ + if (!of_get_child_count(cfg_np)) { + ret = samsung_pinctrl_create_function(dev, drvdata, + cfg_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; +@@ -765,8 +768,11 @@ static struct samsung_pmx_func *samsung_ + for_each_child_of_node(cfg_np, func_np) { + ret = samsung_pinctrl_create_function(dev, drvdata, + func_np, func); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(func_np); ++ of_node_put(cfg_np); + return ERR_PTR(ret); ++ } + if (ret > 0) { + ++func; + ++func_cnt; diff --git a/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch b/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch new file mode 100644 index 00000000000..92004ad88eb --- /dev/null +++ b/queue-4.4/pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch @@ -0,0 +1,52 @@ +From 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 5 Aug 2019 18:27:08 +0200 +Subject: pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init + +From: Krzysztof Kozlowski + +commit 6fbbcb050802d6ea109f387e961b1dbcc3a80c96 upstream. + +In s3c24xx_eint_init() the for_each_child_of_node() loop is used with a +break to find a matching child node. Although each iteration of +for_each_child_of_node puts the previous node, but early exit from loop +misses it. This leads to leak of device node. + +Cc: +Fixes: af99a7507469 ("pinctrl: Add pinctrl-s3c24xx driver") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c +@@ -495,8 +495,10 @@ static int s3c24xx_eint_init(struct sams + return -ENODEV; + + eint_data = devm_kzalloc(dev, sizeof(*eint_data), GFP_KERNEL); +- if (!eint_data) ++ if (!eint_data) { ++ of_node_put(eint_np); + return -ENOMEM; ++ } + + eint_data->drvdata = d; + +@@ -508,12 +510,14 @@ static int s3c24xx_eint_init(struct sams + irq = irq_of_parse_and_map(eint_np, i); + if (!irq) { + dev_err(dev, "failed to get wakeup EINT IRQ %d\n", i); ++ of_node_put(eint_np); + return -ENXIO; + } + + eint_data->parents[i] = irq; + irq_set_chained_handler_and_data(irq, handlers[i], eint_data); + } ++ of_node_put(eint_np); + + bank = d->pin_banks; + for (i = 0; i < d->nr_banks; ++i, ++bank) { diff --git a/queue-4.4/series b/queue-4.4/series index a21a0d67fd7..c32545cfd4e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -104,3 +104,15 @@ rtlwifi-rtl8192de-fix-missing-enable-interrupt-flag.patch lib-raid6-fix-awk-build-warnings.patch workqueue-fix-spurious-sanity-check-failures-in-destroy_workqueue.patch workqueue-fix-pwq-ref-leak-in-rescuer_thread.patch +asoc-jack-fix-null-pointer-dereference-in-snd_soc_jack_report.patch +blk-mq-avoid-sysfs-buffer-overflow-with-too-many-cpu-cores.patch +cgroup-pids-use-atomic64_t-for-pids-limit.patch +ar5523-check-null-before-memcpy-in-ar5523_cmd.patch +media-bdisp-fix-memleak-on-release.patch +media-radio-wl1273-fix-interrupt-masking-on-release.patch +cpuidle-do-not-unset-the-driver-if-it-is-there-already.patch +acpi-osl-only-free-map-once-in-osl.c.patch +acpi-bus-fix-null-pointer-check-in-acpi_bus_get_private_data.patch +acpi-pm-avoid-attaching-acpi-pm-domain-to-certain-devices.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-s3c24xx-wakeup-controller-init.patch +pinctrl-samsung-fix-device-node-refcount-leaks-in-init-code.patch