From: Greg Kroah-Hartman Date: Tue, 7 Jan 2020 16:46:42 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.14.163~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=787b46a62700fb33102e75e6d543113a147103a9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch bluetooth-delete-a-stray-unlock.patch bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch media-usb-fix-memory-leak-in-af9005_identify_state.patch regulator-ab8500-remove-ab8505-usb-regulator.patch tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
---
diff --git a/queue-4.14/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch b/queue-4.14/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
new file mode 100644
index 00000000000..e8527d55217
--- /dev/null
+++ b/queue-4.14/bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
@@ -0,0 +1,41 @@
+From 3d44a6fd0775e6215e836423e27f8eedf8c871ea Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 14 Nov 2019 16:01:18 +0100
+Subject: Bluetooth: btusb: fix PM leak in error case of setup
+
+From: Oliver Neukum
+
+commit 3d44a6fd0775e6215e836423e27f8eedf8c871ea upstream.
+
+If setup() fails a reference for runtime PM has already
+been taken. Proper use of the error handling in btusb_open()is needed.
+You cannot just return.
+
+Fixes: ace31982585a3 ("Bluetooth: btusb: Add setup callback for chip init on USB")
+Signed-off-by: Oliver Neukum
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/btusb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1123,7 +1123,7 @@ static int btusb_open(struct hci_dev *hd
+ if (data->setup_on_usb) {
+ err = data->setup_on_usb(hdev);
+ if (err < 0)
+- return err;
++ goto setup_fail;
+ }
+
+ data->intf->needs_remote_wakeup = 1;
+@@ -1155,6 +1155,7 @@ done:
+
+ failed:
+ clear_bit(BTUSB_INTR_RUNNING, &data->flags);
++setup_fail:
+ usb_autopm_put_interface(data->intf);
+ return err;
+ }
diff --git a/queue-4.14/bluetooth-delete-a-stray-unlock.patch b/queue-4.14/bluetooth-delete-a-stray-unlock.patch
new file mode 100644
index 00000000000..3d8ec4e465a
--- /dev/null
+++ b/queue-4.14/bluetooth-delete-a-stray-unlock.patch
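Review bot: The new `setup_fail:` label sits in the middle of the fall-through from `failed:` with nothing explaining why the two exits differ, so a later cleanup step added under `failed:` could easily land on the wrong side of it. A one-line comment at the label would make the ordering explicit, for example `/* setup_on_usb() failed before BTUSB_INTR_RUNNING was touched: only drop the autopm reference */`. btusb_open() starts above the first inner hunk and the code between the two inner hunks is not shown, so the assumption that the flag is untouched on this path is inferred from hunk order and should be confirmed against the full function.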
@@ -0,0 +1,36 @@
+From df66499a1fab340c167250a5743931dc50d5f0fa Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 19 Nov 2019 09:17:05 +0300
+Subject: Bluetooth: delete a stray unlock
+
+From: Dan Carpenter
+
+commit df66499a1fab340c167250a5743931dc50d5f0fa upstream.
+
+We used to take a lock in amp_physical_cfm() but then we moved it to
+the caller function. Unfortunately the unlock on this error path was
+overlooked so it leads to a double unlock.
+
+Fixes: a514b17fab51 ("Bluetooth: Refactor locking in amp_physical_cfm")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/l2cap_core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4918,10 +4918,8 @@ void __l2cap_physical_cfm(struct l2cap_c
+ BT_DBG("chan %p, result %d, local_amp_id %d, remote_amp_id %d",
+ chan, result, local_amp_id, remote_amp_id);
+
+- if (chan->state == BT_DISCONN || chan->state == BT_CLOSED) {
+- l2cap_chan_unlock(chan);
++ if (chan->state == BT_DISCONN || chan->state == BT_CLOSED)
+ return;
+- }
+
+ if (chan->state != BT_CONNECTED) {
+ l2cap_do_create(chan, result, local_amp_id, remote_amp_id);
diff --git a/queue-4.14/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch b/queue-4.14/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
new file mode 100644
index 00000000000..984abd970a6
--- /dev/null
+++ b/queue-4.14/bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
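Review bot: `__l2cap_physical_cfm()` now relies on its caller holding the channel lock, but nothing in the visible body states or checks that contract, which is how the stray `l2cap_chan_unlock(chan)` outlived the earlier refactor. A comment above the function such as `/* Caller must hold the chan lock; this function never releases it */` would document it, and if `l2cap_chan_unlock()` releases `chan->lock` (not visible here) a `lockdep_assert_held(&chan->lock);` at the top would flag a regression on debug kernels. The function starts and ends outside the hunk, so the remaining return paths should be checked for the same leftover unlock.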
@@ -0,0 +1,36 @@
+From d088337c38a5cd8f0230fbf2d514ff7672f9d0d3 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 21 Nov 2019 14:20:36 -0600
+Subject: Bluetooth: Fix memory leak in hci_connect_le_scan
+
+From: Navid Emamdoost
+
+commit d088337c38a5cd8f0230fbf2d514ff7672f9d0d3 upstream.
+
+In the implementation of hci_connect_le_scan() when conn is added via
+hci_conn_add(), if hci_explicit_conn_params_set() fails the allocated
+memory for conn is leaked. Use hci_conn_del() to release it.
+
+Fixes: f75113a26008 ("Bluetooth: add hci_connect_le_scan")
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_conn.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1054,8 +1054,10 @@ struct hci_conn *hci_connect_le_scan(str
+ if (!conn)
+ return ERR_PTR(-ENOMEM);
+
+- if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0)
++ if (hci_explicit_conn_params_set(hdev, dst, dst_type) < 0) {
++ hci_conn_del(conn);
+ return ERR_PTR(-EBUSY);
++ }
+
+ conn->state = BT_CONNECT;
+ set_bit(HCI_CONN_SCANNING, &conn->flags);
diff --git a/queue-4.14/dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch b/queue-4.14/dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch
new file mode 100644
index 00000000000..8fcbdb31bbf
--- /dev/null
+++ b/queue-4.14/dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch
@@ -0,0 +1,35 @@
+From 830dbce7c76ea529decac7d23b808c1e7da3d891 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 16 Oct 2019 16:56:50 +0200
+Subject: dt-bindings: clock: renesas: rcar-usb2-clock-sel: Fix typo in example
+
+From: Geert Uytterhoeven
+
+commit 830dbce7c76ea529decac7d23b808c1e7da3d891 upstream.
+
+The documented compatible value for R-Car H3 is
+"renesas,r8a7795-rcar-usb2-clock-sel", not
+"renesas,r8a77950-rcar-usb2-clock-sel".
+
+Fixes: 311accb64570db45 ("clk: renesas: rcar-usb2-clock-sel: Add R-Car USB 2.0 clock selector PHY")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Yoshihiro Shimoda
+Acked-by: Rob Herring
+Link: https://lore.kernel.org/r/20191016145650.30003-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/devicetree/bindings/clock/renesas,rcar-usb2-clock-sel.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/clock/renesas,rcar-usb2-clock-sel.txt
++++ b/Documentation/devicetree/bindings/clock/renesas,rcar-usb2-clock-sel.txt
+@@ -46,7 +46,7 @@ Required properties:
+ Example (R-Car H3):
+
+ usb2_clksel: clock-controller@e6590630 {
+- compatible = "renesas,r8a77950-rcar-usb2-clock-sel",
++ compatible = "renesas,r8a7795-rcar-usb2-clock-sel",
+ "renesas,rcar-gen3-usb2-clock-sel";
+ reg = <0 0xe6590630 0 0x02>;
+ clocks = <&cpg CPG_MOD 703>, <&usb_extal>, <&usb_xtal>;
diff --git a/queue-4.14/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch b/queue-4.14/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
new file mode 100644
index 00000000000..ff4ca255729
--- /dev/null
+++ b/queue-4.14/fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
@@ -0,0 +1,37 @@
+From 6b2daec19094a90435abe67d16fb43b1a5527254 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 21 Apr 2019 18:53:50 -0400
+Subject: fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP
+
+From: Al Viro
+
+commit 6b2daec19094a90435abe67d16fb43b1a5527254 upstream.
+
+Unlike FICLONE, all of those take a pointer argument; they do need
+compat_ptr() applied to arg.
+
+Fixes: d79bdd52d8be ("vfs: wire up compat ioctl for CLONE/CLONE_RANGE")
+Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
+Fixes: ceac204e1da9 ("fs: make fiemap work from compat_ioctl")
+Signed-off-by: Al Viro
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/compat_ioctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -1577,9 +1577,10 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned i
+ #endif
+
+ case FICLONE:
++ goto do_ioctl;
+ case FICLONERANGE:
+ case FIDEDUPERANGE:
+- goto do_ioctl;
++ goto found_handler;
+
+ case FIBMAP:
+ case FIGETBSZ:
diff --git a/queue-4.14/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch b/queue-4.14/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
new file mode 100644
index 00000000000..7d2a06610c5
--- /dev/null
+++ b/queue-4.14/media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
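Review bot: The subject and the third `Fixes:` tag name FS_IOC_FIEMAP, but the only code this backport changes is the `FICLONERANGE`/`FIDEDUPERANGE` case, which now jumps to `found_handler` instead of `do_ioctl`. If the 4.14 switch dispatches FS_IOC_FIEMAP through `do_ioctl` anywhere outside the hunk, a 32-bit caller's pointer argument would still reach the handler without `compat_ptr()` applied; if it does not, the queued patch should say so in a backport note such as `[4.14: no FS_IOC_FIEMAP case in this switch, hunk adjusted]`. The switch begins and ends outside the hunk, so this cannot be settled from the lines shown.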
@@ -0,0 +1,37 @@
+From 74a96b51a36de4d86660fbc56b05d86668162d6b Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 25 Oct 2019 15:33:39 +0200
+Subject: media: flexcop-usb: ensure -EIO is returned on error condition
+
+From: Colin Ian King
+
+commit 74a96b51a36de4d86660fbc56b05d86668162d6b upstream.
+
+An earlier commit hard coded a return 0 to function flexcop_usb_i2c_req
+even though the an -EIO was intended to be returned in the case where
+ret != buflen. Fix this by replacing the return 0 with the return of
+ret to return the error return code.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: b430eaba0be5 ("[media] flexcop-usb: don't use stack for DMA")
+Signed-off-by: Colin Ian King
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/b2c2/flexcop-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/b2c2/flexcop-usb.c
++++ b/drivers/media/usb/b2c2/flexcop-usb.c
+@@ -294,7 +294,7 @@ static int flexcop_usb_i2c_req(struct fl
+
+ mutex_unlock(&fc_usb->data_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /* actual bus specific access functions,
diff --git a/queue-4.14/media-usb-fix-memory-leak-in-af9005_identify_state.patch b/queue-4.14/media-usb-fix-memory-leak-in-af9005_identify_state.patch
new file mode 100644
index 00000000000..06af2ee2959
--- /dev/null
+++ b/queue-4.14/media-usb-fix-memory-leak-in-af9005_identify_state.patch
@@ -0,0 +1,37 @@
+From 2289adbfa559050d2a38bcd9caac1c18b800e928 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Wed, 9 Oct 2019 12:01:47 -0300
+Subject: media: usb: fix memory leak in af9005_identify_state
+
+From: Navid Emamdoost
+
+commit 2289adbfa559050d2a38bcd9caac1c18b800e928 upstream.
+
+In af9005_identify_state when returning -EIO the allocated buffer should
+be released. Replace the "return -EIO" with assignment into ret and move
+deb_info() under a check.
+
+Fixes: af4e067e1dcf ("V4L/DVB (5625): Add support for the AF9005 demodulator from Afatech")
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/af9005.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/af9005.c
++++ b/drivers/media/usb/dvb-usb/af9005.c
+@@ -985,8 +985,9 @@ static int af9005_identify_state(struct
+ else if (reply == 0x02)
+ *cold = 0;
+ else
+- return -EIO;
+- deb_info("Identify state cold = %d\n", *cold);
++ ret = -EIO;
++ if (!ret)
++ deb_info("Identify state cold = %d\n", *cold);
+
+ err:
+ kfree(buf);
diff --git a/queue-4.14/regulator-ab8500-remove-ab8505-usb-regulator.patch b/queue-4.14/regulator-ab8500-remove-ab8505-usb-regulator.patch
new file mode 100644
index 00000000000..18450dd6082
--- /dev/null
+++ b/queue-4.14/regulator-ab8500-remove-ab8505-usb-regulator.patch
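Review bot: The replacement `else ret = -EIO;` followed directly by an unbraced `if (!ret)` is easy to misread as another arm of the `if`/`else if` chain above it, and it only behaves as intended if `ret` is zero when that chain is reached, which is established outside the hunk. Since `err:` follows immediately, `else { ret = -EIO; goto err; }` with the `deb_info()` call left unconditional would release the buffer the same way without depending on the earlier value of `ret`. af9005_identify_state() starts before and ends after the hunk, so the state of `ret` at this point should be confirmed in the full function.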
@@ -0,0 +1,75 @@
+From 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold
+Date: Wed, 6 Nov 2019 18:31:24 +0100
+Subject: regulator: ab8500: Remove AB8505 USB regulator
+
+From: Stephan Gerhold
+
+commit 99c4f70df3a6446c56ca817c2d0f9c12d85d4e7c upstream.
+
+The USB regulator was removed for AB8500 in
+commit 41a06aa738ad ("regulator: ab8500: Remove USB regulator").
+It was then added for AB8505 in
+commit 547f384f33db ("regulator: ab8500: add support for ab8505").
+
+However, there was never an entry added for it in
+ab8505_regulator_match. This causes all regulators after it
+to be initialized with the wrong device tree data, eventually
+leading to an out-of-bounds array read.
+
+Given that it is not used anywhere in the kernel, it seems
+likely that similar arguments against supporting it exist for
+AB8505 (it is controlled by hardware).
+
+Therefore, simply remove it like for AB8500 instead of adding
+an entry in ab8505_regulator_match.
+
+Fixes: 547f384f33db ("regulator: ab8500: add support for ab8505")
+Cc: Linus Walleij
+Signed-off-by: Stephan Gerhold
+Reviewed-by: Linus Walleij
+Link: https://lore.kernel.org/r/20191106173125.14496-1-stephan@gerhold.net
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/ab8500.c | 17 -----------------
+ include/linux/regulator/ab8500.h | 1 -
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/regulator/ab8500.c
++++ b/drivers/regulator/ab8500.c
+@@ -1099,23 +1099,6 @@ static struct ab8500_regulator_info
+ .update_val_idle = 0x82,
+ .update_val_normal = 0x02,
+ },
+- [AB8505_LDO_USB] = {
+- .desc = {
+- .name = "LDO-USB",
+- .ops = &ab8500_regulator_mode_ops,
+- .type = REGULATOR_VOLTAGE,
+- .id = AB8505_LDO_USB,
+- .owner = THIS_MODULE,
+- .n_voltages = 1,
+- .volt_table = fixed_3300000_voltage,
+- },
+- .update_bank = 0x03,
+- .update_reg = 0x82,
+- .update_mask = 0x03,
+- .update_val = 0x01,
+- .update_val_idle = 0x03,
+- .update_val_normal = 0x01,
+- },
+ [AB8505_LDO_AUDIO] = {
+ .desc = {
+ .name = "LDO-AUDIO",
+--- a/include/linux/regulator/ab8500.h
++++ b/include/linux/regulator/ab8500.h
+@@ -38,7 +38,6 @@ enum ab8505_regulator_id {
+ AB8505_LDO_AUX6,
+ AB8505_LDO_INTCORE,
+ AB8505_LDO_ADC,
+- AB8505_LDO_USB,
+ AB8505_LDO_AUDIO,
+ AB8505_LDO_ANAMIC1,
+ AB8505_LDO_ANAMIC2,
diff --git a/queue-4.14/series b/queue-4.14/series
index 4415515684c..36054260554 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -48,3 +48,12 @@ nfsd4-fix-up-replay_matches_cache.patch
 scsi-qla2xxx-drop-superfluous-init_work-of-del_work.patch
 xfs-don-t-check-for-ag-deadlock-for-realtime-files-in-bunmapi.patch
 platform-x86-pmc_atom-add-siemens-connect-x300-to-critclk_systems-dmi-table.patch
+bluetooth-btusb-fix-pm-leak-in-error-case-of-setup.patch
+bluetooth-delete-a-stray-unlock.patch
+bluetooth-fix-memory-leak-in-hci_connect_le_scan.patch
+media-flexcop-usb-ensure-eio-is-returned-on-error-condition.patch
+regulator-ab8500-remove-ab8505-usb-regulator.patch
+media-usb-fix-memory-leak-in-af9005_identify_state.patch
+dt-bindings-clock-renesas-rcar-usb2-clock-sel-fix-typo-in-example.patch
+tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
+fix-compat-handling-of-ficlonerange-fideduperange-and-fs_ioc_fiemap.patch
diff --git a/queue-4.14/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch b/queue-4.14/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
new file mode 100644
index 00000000000..0ccb51f9d43
--- /dev/null
+++ b/queue-4.14/tty-serial-msm_serial-fix-lockup-for-sysrq-and-oops.patch
@@ -0,0 +1,68 @@
+From 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e Mon Sep 17 00:00:00 2001
+From: Leo Yan
+Date: Wed, 27 Nov 2019 22:15:43 +0800
+Subject: tty: serial: msm_serial: Fix lockup for sysrq and oops
+
+From: Leo Yan
+
+commit 0e4f7f920a5c6bfe5e851e989f27b35a0cc7fb7e upstream.
+
+As the commit 677fe555cbfb ("serial: imx: Fix recursive locking bug")
+has mentioned the uart driver might cause recursive locking between
+normal printing and the kernel debugging facilities (e.g. sysrq and
+oops). In the commit it gave out suggestion for fixing recursive
+locking issue: "The solution is to avoid locking in the sysrq case
+and trylock in the oops_in_progress case."
+
+This patch follows the suggestion (also used the exactly same code with
+other serial drivers, e.g. amba-pl011.c) to fix the recursive locking
+issue, this can avoid stuck caused by deadlock and print out log for
+sysrq and oops.
+
+Fixes: 04896a77a97b ("msm_serial: serial driver for MSM7K onboard serial peripheral.")
+Signed-off-by: Leo Yan
+Reviewed-by: Jeffrey Hugo
+Link: https://lore.kernel.org/r/20191127141544.4277-2-leo.yan@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/msm_serial.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1588,6 +1588,7 @@ static void __msm_console_write(struct u
+ int num_newlines = 0;
+ bool replaced = false;
+ void __iomem *tf;
++ int locked = 1;
+
+ if (is_uartdm)
+ tf = port->membase + UARTDM_TF;
+@@ -1600,7 +1601,13 @@ static void __msm_console_write(struct u
+ num_newlines++;
+ count += num_newlines;
+
+- spin_lock(&port->lock);
++ if (port->sysrq)
++ locked = 0;
++ else if (oops_in_progress)
++ locked = spin_trylock(&port->lock);
++ else
++ spin_lock(&port->lock);
++
+ if (is_uartdm)
+ msm_reset_dm_count(port, count);
+
+@@ -1636,7 +1643,9 @@ static void __msm_console_write(struct u
+ iowrite32_rep(tf, buf, 1);
+ i += num_chars;
+ }
+- spin_unlock(&port->lock);
++
++ if (locked)
++ spin_unlock(&port->lock);
+ }
+
+ static void msm_console_write(struct console *co, const char *s,
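Review bot: The locking added in the second inner hunk copies only part of the pattern the description points to: the lock is still taken with plain `spin_lock()` / `spin_trylock()`, so local interrupts stay enabled while the console path holds `port->lock`. If the UART interrupt handler takes the same lock (not visible here), an interrupt arriving on this CPU during a console write can still deadlock, which is the class of lockup the patch sets out to remove; amba-pl011, named in the description, brackets the same sequence with `local_irq_save(flags);` and `local_irq_restore(flags);`. Consider adding those around the `if (port->sysrq)` block and the final `if (locked) spin_unlock(&port->lock);`, plus a short comment that output proceeds unlocked when `spin_trylock()` fails during an oops. `__msm_console_write()` begins before the first inner hunk, so whether its callers already disable interrupts needs checking there.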