5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Jan 2021 13:13:58 +0000 (14:13 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Jan 2021 13:13:58 +0000 (14:13 +0100)
added patches:
bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch

queue-5.10/bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch b/queue-5.10/bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
new file mode 100644 (file)
index 0000000..0e20d2c
--- /dev/null
@@ -0,0 +1,65 @@
+From 5c3b5796866f85354a5ce76a28f8ffba0dcefc7e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 22 Nov 2020 13:17:25 +0100
+Subject: Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 5c3b5796866f85354a5ce76a28f8ffba0dcefc7e upstream.
+
+There have been multiple revisions of the patch fix the h5->rx_skb
+leak. Accidentally the first revision (which is buggy) and v5 have
+both been merged:
+
+v1 commit 70f259a3f427 ("Bluetooth: hci_h5: close serdev device and free
+hu in h5_close");
+v5 commit 855af2d74c87 ("Bluetooth: hci_h5: fix memory leak in h5_close")
+
+The correct v5 makes changes slightly higher up in the h5_close()
+function, which allowed both versions to get merged without conflict.
+
+The changes from v1 unconditionally frees the h5 data struct, this
+is wrong because in the serdev enumeration case the memory is
+allocated in h5_serdev_probe() like this:
+
+        h5 = devm_kzalloc(dev, sizeof(*h5), GFP_KERNEL);
+
+So its lifetime is tied to the lifetime of the driver being bound
+to the serdev and it is automatically freed when the driver gets
+unbound. In the serdev case the same h5 struct is re-used over
+h5_close() and h5_open() calls and thus MUST not be free-ed in
+h5_close().
+
+The serdev_device_close() added to h5_close() is incorrect in the
+same way, serdev_device_close() is called on driver unbound too and
+also MUST no be called from h5_close().
+
+This reverts the changes made by merging v1 of the patch, so that
+just the changes of the correct v5 remain.
+
+Cc: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -251,12 +251,8 @@ static int h5_close(struct hci_uart *hu)
+       if (h5->vnd && h5->vnd->close)
+               h5->vnd->close(h5);
+-      if (hu->serdev)
+-              serdev_device_close(hu->serdev);
+-
+-      kfree_skb(h5->rx_skb);
+-      kfree(h5);
+-      h5 = NULL;
++      if (!hu->serdev)
++              kfree(h5);
+       return 0;
+ }
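Review bot: The hunk drops `kfree_skb(h5->rx_skb)` from this spot without showing the replacement free, which the description places "slightly higher up" in h5_close(), outside these lines; the revert therefore only stays leak-free if the 5.10 tree or queue already carries 855af2d74c87 ("Bluetooth: hci_h5: fix memory leak in h5_close"), and that should be confirmed before this patch is applied, otherwise the rx_skb leak the two patches were meant to fix comes back. The restored `if (!hu->serdev) kfree(h5);` is the correct shape for the reason the description gives: in the serdev path h5 comes from devm_kzalloc() and is freed again at unbind, so the unconditional `kfree(h5)` being removed would have led to a double free there, and the removed `serdev_device_close()` call would likewise have run a second time at unbind. h5_close()'s body begins before and continues after this hunk.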
index f24a483cf67da949d1f1aa13cce87e703b5631aa..082cf81ff5e27f12bae1e24e4c829e12bc3a9c46 100644 (file)
@@ -66,3 +66,4 @@ lib-genalloc-fix-the-overflow-when-size-is-too-big.patch
 depmod-handle-the-case-of-sbin-depmod-without-sbin-i.patch
 scsi-ufs-clear-uac-for-ffu-and-rpmb-luns.patch
 kbuild-don-t-hardcode-depmod-path.patch
+bluetooth-revert-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch