remove all queued up patches
diff --git a/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch b/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
deleted file mode 100644
index 54e94e7..0000000
--- a/can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b Mon Sep 17 00:00:00 2001
-From: Johan Hovold <johan@kernel.org>
-Date: Tue, 10 Dec 2019 12:32:31 +0100
-Subject: can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
-
-From: Johan Hovold <johan@kernel.org>
-
-commit 2f361cd9474ab2c4ab9ac8db20faf81e66c6279b upstream.
-
-Make sure to always use the descriptors of the current alternate setting
-to avoid future issues when accessing fields that may differ between
-settings.
-
-Signed-off-by: Johan Hovold <johan@kernel.org>
-Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
-Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/can/usb/gs_usb.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/net/can/usb/gs_usb.c
-+++ b/drivers/net/can/usb/gs_usb.c
-@@ -847,7 +847,7 @@ static int gs_usb_probe(struct usb_inter
- GS_USB_BREQ_HOST_FORMAT,
- USB_DIR_OUT|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
- 1,
-- intf->altsetting[0].desc.bInterfaceNumber,
-+ intf->cur_altsetting->desc.bInterfaceNumber,
- hconf,
- sizeof(*hconf),
- 1000);
-@@ -870,7 +870,7 @@ static int gs_usb_probe(struct usb_inter
- GS_USB_BREQ_DEVICE_CONFIG,
- USB_DIR_IN|USB_TYPE_VENDOR|USB_RECIP_INTERFACE,
- 1,
-- intf->altsetting[0].desc.bInterfaceNumber,
-+ intf->cur_altsetting->desc.bInterfaceNumber,
- dconf,
- sizeof(*dconf),
- 1000);
diff --git a/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch b/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
deleted file mode 100644
index 18e84ac..0000000
--- a/can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 Mon Sep 17 00:00:00 2001
-From: Florian Faber <faber@faberman.de>
-Date: Thu, 26 Dec 2019 19:51:24 +0100
-Subject: can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode
-
-From: Florian Faber <faber@faberman.de>
-
-commit 2d77bd61a2927be8f4e00d9478fe6996c47e8d45 upstream.
-
-Under load, the RX side of the mscan driver can get stuck while TX still
-works. Restarting the interface locks up the system. This behaviour
-could be reproduced reliably on a MPC5121e based system.
-
-The patch fixes the return value of the NAPI polling function (should be
-the number of processed packets, not constant 1) and the condition under
-which IRQs are enabled again after polling is finished.
-
-With this patch, no more lockups were observed over a test period of ten
-days.
-
-Fixes: afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan")
-Signed-off-by: Florian Faber <faber@faberman.de>
-Cc: linux-stable <stable@vger.kernel.org>
-Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/can/mscan/mscan.c | 21 ++++++++++-----------
- 1 file changed, 10 insertions(+), 11 deletions(-)
-
---- a/drivers/net/can/mscan/mscan.c
-+++ b/drivers/net/can/mscan/mscan.c
-@@ -412,13 +412,12 @@ static int mscan_rx_poll(struct napi_str
- struct net_device *dev = napi->dev;
- struct mscan_regs __iomem *regs = priv->reg_base;
- struct net_device_stats *stats = &dev->stats;
-- int npackets = 0;
-- int ret = 1;
-+ int work_done = 0;
- struct sk_buff *skb;
- struct can_frame *frame;
- u8 canrflg;
-
-- while (npackets < quota) {
-+ while (work_done < quota) {
- canrflg = in_8(®s->canrflg);
- if (!(canrflg & (MSCAN_RXF | MSCAN_ERR_IF)))
- break;
-@@ -439,18 +438,18 @@ static int mscan_rx_poll(struct napi_str
-
- stats->rx_packets++;
- stats->rx_bytes += frame->can_dlc;
-- npackets++;
-+ work_done++;
- netif_receive_skb(skb);
- }
-
-- if (!(in_8(®s->canrflg) & (MSCAN_RXF | MSCAN_ERR_IF))) {
-- napi_complete(&priv->napi);
-- clear_bit(F_RX_PROGRESS, &priv->flags);
-- if (priv->can.state < CAN_STATE_BUS_OFF)
-- out_8(®s->canrier, priv->shadow_canrier);
-- ret = 0;
-+ if (work_done < quota) {
-+ if (likely(napi_complete_done(&priv->napi, work_done))) {
-+ clear_bit(F_RX_PROGRESS, &priv->flags);
-+ if (priv->can.state < CAN_STATE_BUS_OFF)
-+ out_8(®s->canrier, priv->shadow_canrier);
-+ }
- }
-- return ret;
-+ return work_done;
- }
-
- static irqreturn_t mscan_isr(int irq, void *dev_id)
diff --git a/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch b/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
deleted file mode 100644
index 555c6f7..0000000
--- a/drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From c4e4fccc5d52d881afaac11d3353265ef4eccb8b Mon Sep 17 00:00:00 2001
-From: Wayne Lin <Wayne.Lin@amd.com>
-Date: Fri, 3 Jan 2020 13:50:01 +0800
-Subject: drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
-
-From: Wayne Lin <Wayne.Lin@amd.com>
-
-commit c4e4fccc5d52d881afaac11d3353265ef4eccb8b upstream.
-
-[Why]
-According to DP spec, it should shift left 4 digits for NO_STOP_BIT
-in REMOTE_I2C_READ message. Not 5 digits.
-
-In current code, NO_STOP_BIT is always set to zero which means I2C
-master is always generating a I2C stop at the end of each I2C write
-transaction while handling REMOTE_I2C_READ sideband message. This issue
-might have the generated I2C signal not meeting the requirement. Take
-random read in I2C for instance, I2C master should generate a repeat
-start to start to read data after writing the read address. This issue
-will cause the I2C master to generate a stop-start rather than a
-re-start which is not expected in I2C random read.
-
-[How]
-Correct the shifting value of NO_STOP_BIT for DP_REMOTE_I2C_READ case in
-drm_dp_encode_sideband_req().
-
-Changes since v1:(https://patchwork.kernel.org/patch/11312667/)
-* Add more descriptions in commit and cc to stable
-
-Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
-Reviewed-by: Harry Wentland <harry.wentland@amd.com>
-Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Lyude Paul <lyude@redhat.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20200103055001.10287-1-Wayne.Lin@amd.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpu/drm/drm_dp_mst_topology.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/drm_dp_mst_topology.c
-+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
-@@ -272,7 +272,7 @@ static void drm_dp_encode_sideband_req(s
- memcpy(&buf[idx], req->u.i2c_read.transactions[i].bytes, req->u.i2c_read.transactions[i].num_bytes);
- idx += req->u.i2c_read.transactions[i].num_bytes;
-
-- buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 5;
-+ buf[idx] = (req->u.i2c_read.transactions[i].no_stop_bit & 0x1) << 4;
- buf[idx] |= (req->u.i2c_read.transactions[i].i2c_transaction_delay & 0xf);
- idx++;
- }
diff --git a/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch b/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
deleted file mode 100644
index 29626ac..0000000
--- a/hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 8ec321e96e056de84022c032ffea253431a83c3c Mon Sep 17 00:00:00 2001
-From: Alan Stern <stern@rowland.harvard.edu>
-Date: Tue, 10 Dec 2019 16:26:11 -0500
-Subject: HID: Fix slab-out-of-bounds read in hid_field_extract
-
-From: Alan Stern <stern@rowland.harvard.edu>
-
-commit 8ec321e96e056de84022c032ffea253431a83c3c upstream.
-
-The syzbot fuzzer found a slab-out-of-bounds bug in the HID report
-handler. The bug was caused by a report descriptor which included a
-field with size 12 bits and count 4899, for a total size of 7349
-bytes.
-
-The usbhid driver uses at most a single-page 4-KB buffer for reports.
-In the test there wasn't any problem about overflowing the buffer,
-since only one byte was received from the device. Rather, the bug
-occurred when the HID core tried to extract the data from the report
-fields, which caused it to try reading data beyond the end of the
-allocated buffer.
-
-This patch fixes the problem by rejecting any report whose total
-length exceeds the HID_MAX_BUFFER_SIZE limit (minus one byte to allow
-for a possible report index). In theory a device could have a report
-longer than that, but if there was such a thing we wouldn't handle it
-correctly anyway.
-
-Reported-and-tested-by: syzbot+09ef48aa58261464b621@syzkaller.appspotmail.com
-Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-CC: <stable@vger.kernel.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/hid/hid-core.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
---- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -248,6 +248,12 @@ static int hid_add_field(struct hid_pars
- offset = report->size;
- report->size += parser->global.report_size * parser->global.report_count;
-
-+ /* Total size check: Allow for possible report index byte */
-+ if (report->size > (HID_MAX_BUFFER_SIZE - 1) << 3) {
-+ hid_err(parser->device, "report is too long\n");
-+ return -1;
-+ }
-+
- if (!parser->local.usage_index) /* Ignore padding fields */
- return 0;
-
diff --git a/hid-hid-input-clear-unmapped-usages.patch b/hid-hid-input-clear-unmapped-usages.patch
deleted file mode 100644
index 0447d77..0000000
--- a/hid-hid-input-clear-unmapped-usages.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 4f3882177240a1f55e45a3d241d3121341bead78 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Sat, 7 Dec 2019 13:05:18 -0800
-Subject: HID: hid-input: clear unmapped usages
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit 4f3882177240a1f55e45a3d241d3121341bead78 upstream.
-
-We should not be leaving half-mapped usages with potentially invalid
-keycodes, as that may confuse hidinput_find_key() when the key is located
-by index, which may end up feeding way too large keycode into the VT
-keyboard handler and cause OOB write there:
-
-BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
-BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
-BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
-Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
-...
- kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
- kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
- input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
- input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
- input_pass_values drivers/input/input.c:949 [inline]
- input_set_keycode+0x290/0x320 drivers/input/input.c:954
- evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
- evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
-
-Cc: stable@vger.kernel.org
-Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/hid/hid-input.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
---- a/drivers/hid/hid-input.c
-+++ b/drivers/hid/hid-input.c
-@@ -956,9 +956,15 @@ static void hidinput_configure_usage(str
- }
-
- mapped:
-- if (device->driver->input_mapped && device->driver->input_mapped(device,
-- hidinput, field, usage, &bit, &max) < 0)
-- goto ignore;
-+ if (device->driver->input_mapped &&
-+ device->driver->input_mapped(device, hidinput, field, usage,
-+ &bit, &max) < 0) {
-+ /*
-+ * The driver indicated that no further generic handling
-+ * of the usage is desired.
-+ */
-+ return;
-+ }
-
- set_bit(usage->type, input->evbit);
-
-@@ -1017,9 +1023,11 @@ mapped:
- set_bit(MSC_SCAN, input->mscbit);
- }
-
--ignore:
- return;
-
-+ignore:
-+ usage->type = 0;
-+ usage->code = 0;
- }
-
- void hidinput_hid_event(struct hid_device *hid, struct hid_field *field, struct hid_usage *usage, __s32 value)
diff --git a/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch b/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
deleted file mode 100644
index 64fbc65..0000000
--- a/hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 Mon Sep 17 00:00:00 2001
-From: Marcel Holtmann <marcel@holtmann.org>
-Date: Wed, 4 Dec 2019 03:43:55 +0100
-Subject: HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
-
-From: Marcel Holtmann <marcel@holtmann.org>
-
-commit be54e7461ffdc5809b67d2aeefc1ddc9a91470c7 upstream.
-
-Always return EPOLLOUT from uhid_char_poll to allow polling /dev/uhid
-for writable state.
-
-Fixes: 1f9dec1e0164 ("HID: uhid: allow poll()'ing on uhid devices")
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/hid/uhid.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/hid/uhid.c
-+++ b/drivers/hid/uhid.c
-@@ -26,6 +26,7 @@
- #include <linux/uhid.h>
- #include <linux/wait.h>
- #include <linux/uaccess.h>
-+#include <linux/eventpoll.h>
-
- #define UHID_NAME "uhid"
- #define UHID_BUFSIZE 32
-@@ -787,7 +788,7 @@ static unsigned int uhid_char_poll(struc
- if (uhid->head != uhid->tail)
- return POLLIN | POLLRDNORM;
-
-- return 0;
-+ return EPOLLOUT | EPOLLWRNORM;
- }
-
- static const struct file_operations uhid_fops = {
diff --git a/input-add-safety-guards-to-input_set_keycode.patch b/input-add-safety-guards-to-input_set_keycode.patch
deleted file mode 100644
index 69639d2..0000000
--- a/input-add-safety-guards-to-input_set_keycode.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From cb222aed03d798fc074be55e59d9a112338ee784 Mon Sep 17 00:00:00 2001
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Date: Fri, 13 Dec 2019 14:56:16 -0800
-Subject: Input: add safety guards to input_set_keycode()
-
-From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-
-commit cb222aed03d798fc074be55e59d9a112338ee784 upstream.
-
-If we happen to have a garbage in input device's keycode table with values
-too big we'll end up doing clear_bit() with offset way outside of our
-bitmaps, damaging other objects within an input device or even outside of
-it. Let's add sanity checks to the returned old keycodes.
-
-Reported-by: syzbot+c769968809f9359b07aa@syzkaller.appspotmail.com
-Reported-by: syzbot+76f3a30e88d256644c78@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/r/20191207212757.GA245964@dtor-ws
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/input/input.c | 26 ++++++++++++++++----------
- 1 file changed, 16 insertions(+), 10 deletions(-)
-
---- a/drivers/input/input.c
-+++ b/drivers/input/input.c
-@@ -845,16 +845,18 @@ static int input_default_setkeycode(stru
- }
- }
-
-- __clear_bit(*old_keycode, dev->keybit);
-- __set_bit(ke->keycode, dev->keybit);
--
-- for (i = 0; i < dev->keycodemax; i++) {
-- if (input_fetch_keycode(dev, i) == *old_keycode) {
-- __set_bit(*old_keycode, dev->keybit);
-- break; /* Setting the bit twice is useless, so break */
-+ if (*old_keycode <= KEY_MAX) {
-+ __clear_bit(*old_keycode, dev->keybit);
-+ for (i = 0; i < dev->keycodemax; i++) {
-+ if (input_fetch_keycode(dev, i) == *old_keycode) {
-+ __set_bit(*old_keycode, dev->keybit);
-+ /* Setting the bit twice is useless, so break */
-+ break;
-+ }
- }
- }
-
-+ __set_bit(ke->keycode, dev->keybit);
- return 0;
- }
-
-@@ -910,9 +912,13 @@ int input_set_keycode(struct input_dev *
- * Simulate keyup event if keycode is not present
- * in the keymap anymore
- */
-- if (test_bit(EV_KEY, dev->evbit) &&
-- !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
-- __test_and_clear_bit(old_keycode, dev->key)) {
-+ if (old_keycode > KEY_MAX) {
-+ dev_warn(dev->dev.parent ?: &dev->dev,
-+ "%s: got too big old keycode %#x\n",
-+ __func__, old_keycode);
-+ } else if (test_bit(EV_KEY, dev->evbit) &&
-+ !is_event_supported(old_keycode, dev->keybit, KEY_MAX) &&
-+ __test_and_clear_bit(old_keycode, dev->key)) {
- struct input_value vals[] = {
- { EV_KEY, old_keycode, 0 },
- input_value_sync
diff --git a/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch b/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
deleted file mode 100644
index e203b02..0000000
--- a/kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 50f9ad607ea891a9308e67b81f774c71736d1098 Mon Sep 17 00:00:00 2001
-From: Kaitao Cheng <pilgrimtao@gmail.com>
-Date: Tue, 31 Dec 2019 05:35:30 -0800
-Subject: kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail
-
-From: Kaitao Cheng <pilgrimtao@gmail.com>
-
-commit 50f9ad607ea891a9308e67b81f774c71736d1098 upstream.
-
-In the function, if register_trace_sched_migrate_task() returns error,
-sched_switch/sched_wakeup_new/sched_wakeup won't unregister. That is
-why fail_deprobe_sched_switch was added.
-
-Link: http://lkml.kernel.org/r/20191231133530.2794-1-pilgrimtao@gmail.com
-
-Cc: stable@vger.kernel.org
-Fixes: 478142c39c8c2 ("tracing: do not grab lock in wakeup latency function tracing")
-Signed-off-by: Kaitao Cheng <pilgrimtao@gmail.com>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- kernel/trace/trace_sched_wakeup.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/kernel/trace/trace_sched_wakeup.c
-+++ b/kernel/trace/trace_sched_wakeup.c
-@@ -567,7 +567,7 @@ static void start_wakeup_tracer(struct t
- if (ret) {
- pr_info("wakeup trace: Couldn't activate tracepoint"
- " probe to kernel_sched_migrate_task\n");
-- return;
-+ goto fail_deprobe_sched_switch;
- }
-
- wakeup_reset(tr);
-@@ -585,6 +585,8 @@ static void start_wakeup_tracer(struct t
- printk(KERN_ERR "failed to start wakeup tracer\n");
-
- return;
-+fail_deprobe_sched_switch:
-+ unregister_trace_sched_switch(probe_wakeup_sched_switch, NULL);
- fail_deprobe_wake_new:
- unregister_trace_sched_wakeup_new(probe_wakeup, NULL);
- fail_deprobe:
diff --git a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
deleted file mode 100644
index 7175e56..0000000
--- a/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001
-From: Ganapathi Bhat <gbhat@marvell.com>
-Date: Thu, 21 Nov 2019 21:34:38 +0530
-Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
-
-From: Ganapathi Bhat <gbhat@marvell.com>
-
-commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
-
-mwifiex_process_country_ie() function parse elements of bss
-descriptor in beacon packet. When processing WLAN_EID_COUNTRY
-element, there is no upper limit check for country_ie_len before
-calling memcpy. The destination buffer domain_info->triplet is an
-array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
-attacker can build a fake AP with the same ssid as real AP, and
-send malicous beacon packet with long WLAN_EID_COUNTRY elemen
-(country_ie_len > 83). Attacker can force STA connect to fake AP
-on a different channel. When the victim STA connects to fake AP,
-will trigger the heap buffer overflow. Fix this by checking for
-length and if found invalid, don not connect to the AP.
-
-This fix addresses CVE-2019-14895.
-
-Reported-by: huangwen <huangwenabc@gmail.com>
-Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/wireless/mwifiex/sta_ioctl.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
---- a/drivers/net/wireless/mwifiex/sta_ioctl.c
-+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
-@@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st
- "11D: skip setting domain info in FW\n");
- return 0;
- }
-+
-+ if (country_ie_len >
-+ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
-+ wiphy_dbg(priv->wdev->wiphy,
-+ "11D: country_ie_len overflow!, deauth AP\n");
-+ return -EINVAL;
-+ }
-+
- memcpy(priv->adapter->country_code, &country_ie[2], 2);
-
- domain_info->country_code[0] = country_ie[2];
-@@ -266,7 +274,8 @@ int mwifiex_bss_start(struct mwifiex_pri
- priv->scan_block = false;
-
- if (bss) {
-- mwifiex_process_country_ie(priv, bss);
-+ if (mwifiex_process_country_ie(priv, bss))
-+ return -EINVAL;
-
- /* Allocate and fill new bss descriptor */
- bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
diff --git a/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
deleted file mode 100644
index e2bc8f6..0000000
--- a/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-Date: Fri, 4 Oct 2019 15:08:52 -0500
-Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
-
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-
-commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.
-
-In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
-released if mwifiex_map_pci_memory() fails. The release is added.
-
-Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
-Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
-Acked-by: Ganapathi Bhat <gbhat@marvell.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/net/wireless/mwifiex/pcie.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/net/wireless/mwifiex/pcie.c
-+++ b/drivers/net/wireless/mwifiex/pcie.c
-@@ -901,8 +901,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
- }
- skb_put(skb, MWIFIEX_UPLD_SIZE);
- if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
-- PCI_DMA_FROMDEVICE))
-+ PCI_DMA_FROMDEVICE)) {
-+ kfree_skb(skb);
- return -1;
-+ }
-
- card->cmdrsp_buf = skb;
-
diff --git a/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/scsi-bfa-release-allocated-memory-in-case-of-error.patch
deleted file mode 100644
index 2895012..0000000
--- a/scsi-bfa-release-allocated-memory-in-case-of-error.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-Date: Tue, 10 Sep 2019 18:44:15 -0500
-Subject: scsi: bfa: release allocated memory in case of error
-
-From: Navid Emamdoost <navid.emamdoost@gmail.com>
-
-commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.
-
-In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
-be released.
-
-Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
-Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/scsi/bfa/bfad_attr.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/drivers/scsi/bfa/bfad_attr.c
-+++ b/drivers/scsi/bfa/bfad_attr.c
-@@ -282,8 +282,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
- rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
- fcstats, bfad_hcb_comp, &fcomp);
- spin_unlock_irqrestore(&bfad->bfad_lock, flags);
-- if (rc != BFA_STATUS_OK)
-+ if (rc != BFA_STATUS_OK) {
-+ kfree(fcstats);
- return NULL;
-+ }
-
- wait_for_completion(&fcomp.comp);
-
diff --git a/series b/series
index 94f3fe4..e69de29 100644
--- a/series
+++ b/series
@@ -1,15 +0,0 @@
-kernel-trace-fix-do-not-unregister-tracepoints-when-register-sched_migrate_task-fail.patch
-tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
-hid-fix-slab-out-of-bounds-read-in-hid_field_extract.patch
-hid-uhid-fix-returning-epollout-from-uhid_char_poll.patch
-hid-hid-input-clear-unmapped-usages.patch
-input-add-safety-guards-to-input_set_keycode.patch
-drm-dp_mst-correct-the-shifting-in-dp_remote_i2c_read.patch
-can-gs_usb-gs_usb_probe-use-descriptors-of-current-altsetting.patch
-can-mscan-mscan_rx_poll-fix-rx-path-lockup-when-returning-from-polling-to-irq-mode.patch
-staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
-usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
-staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
-mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
-mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
-scsi-bfa-release-allocated-memory-in-case-of-error.patch
diff --git a/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch b/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
deleted file mode 100644
index 55c23f2..0000000
--- a/staging-rtl8188eu-add-device-code-for-tp-link-tl-wn727n-v5.21.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a Mon Sep 17 00:00:00 2001
-From: Michael Straube <straube.linux@gmail.com>
-Date: Sat, 28 Dec 2019 15:37:25 +0100
-Subject: staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
-
-From: Michael Straube <straube.linux@gmail.com>
-
-commit 58dcc5bf4030cab548d5c98cd4cd3632a5444d5a upstream.
-
-This device was added to the stand-alone driver on github.
-Add it to the staging driver as well.
-
-Link: https://github.com/lwfinger/rtl8188eu/commit/b9b537aa25a8
-Signed-off-by: Michael Straube <straube.linux@gmail.com>
-Cc: stable <stable@vger.kernel.org>
-Link: https://lore.kernel.org/r/20191228143725.24455-1-straube.linux@gmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
-+++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
-@@ -50,6 +50,7 @@ static struct usb_device_id rtw_usb_id_t
- {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */
- {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */
- {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */
-+ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
- {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
- {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
- {} /* Terminating entry */
diff --git a/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch b/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
deleted file mode 100644
index b34f08a..0000000
--- a/staging-vt6656-set-usb_set_intfdata-on-driver-fail.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 Mon Sep 17 00:00:00 2001
-From: Malcolm Priestley <tvboxspy@gmail.com>
-Date: Fri, 20 Dec 2019 21:15:59 +0000
-Subject: staging: vt6656: set usb_set_intfdata on driver fail.
-
-From: Malcolm Priestley <tvboxspy@gmail.com>
-
-commit c0bcf9f3f5b661d4ace2a64a79ef661edd2a4dc8 upstream.
-
-intfdata will contain stale pointer when the device is detached after
-failed initialization when referenced in vt6656_disconnect
-
-Provide driver access to it here and NULL it.
-
-Cc: stable <stable@vger.kernel.org>
-Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
-Link: https://lore.kernel.org/r/6de448d7-d833-ef2e-dd7b-3ef9992fee0e@gmail.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/staging/vt6656/device.h | 1 +
- drivers/staging/vt6656/main_usb.c | 1 +
- drivers/staging/vt6656/wcmd.c | 1 +
- 3 files changed, 3 insertions(+)
-
---- a/drivers/staging/vt6656/device.h
-+++ b/drivers/staging/vt6656/device.h
-@@ -272,6 +272,7 @@ struct vnt_private {
- u8 mac_hw;
- /* netdev */
- struct usb_device *usb;
-+ struct usb_interface *intf;
-
- u64 tsf_time;
- u8 rx_rate;
---- a/drivers/staging/vt6656/main_usb.c
-+++ b/drivers/staging/vt6656/main_usb.c
-@@ -974,6 +974,7 @@ vt6656_probe(struct usb_interface *intf,
- priv = hw->priv;
- priv->hw = hw;
- priv->usb = udev;
-+ priv->intf = intf;
-
- vnt_set_options(priv);
-
---- a/drivers/staging/vt6656/wcmd.c
-+++ b/drivers/staging/vt6656/wcmd.c
-@@ -113,6 +113,7 @@ void vnt_run_command(struct work_struct
- if (vnt_init(priv)) {
- /* If fail all ends TODO retry */
- dev_err(&priv->usb->dev, "failed to start\n");
-+ usb_set_intfdata(priv->intf, NULL);
- ieee80211_free_hw(priv->hw);
- return;
- }
diff --git a/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch b/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
deleted file mode 100644
index 6a5fbc7..0000000
--- a/tracing-have-stack-tracer-compile-when-mcount_insn_size-is-not-defined.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b8299d362d0837ae39e87e9019ebe6b736e0f035 Mon Sep 17 00:00:00 2001
-From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
-Date: Thu, 2 Jan 2020 22:02:41 -0500
-Subject: tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
-
-From: Steven Rostedt (VMware) <rostedt@goodmis.org>
-
-commit b8299d362d0837ae39e87e9019ebe6b736e0f035 upstream.
-
-On some archs with some configurations, MCOUNT_INSN_SIZE is not defined, and
-this makes the stack tracer fail to compile. Just define it to zero in this
-case.
-
-Link: https://lore.kernel.org/r/202001020219.zvE3vsty%lkp@intel.com
-
-Cc: stable@vger.kernel.org
-Fixes: 4df297129f622 ("tracing: Remove most or all of stack tracer stack size from stack_max_size")
-Reported-by: kbuild test robot <lkp@intel.com>
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- kernel/trace/trace_stack.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/kernel/trace/trace_stack.c
-+++ b/kernel/trace/trace_stack.c
-@@ -180,6 +180,11 @@ check_stack(unsigned long ip, unsigned l
- local_irq_restore(flags);
- }
-
-+/* Some archs may not define MCOUNT_INSN_SIZE */
-+#ifndef MCOUNT_INSN_SIZE
-+# define MCOUNT_INSN_SIZE 0
-+#endif
-+
- static void
- stack_trace_call(unsigned long ip, unsigned long parent_ip,
- struct ftrace_ops *op, struct pt_regs *pt_regs)
diff --git a/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch b/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
deleted file mode 100644
index 9ad5f9e..0000000
--- a/usb-musb-dma-correct-parameter-passed-to-irq-handler.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 Mon Sep 17 00:00:00 2001
-From: Paul Cercueil <paul@crapouillou.net>
-Date: Mon, 16 Dec 2019 10:18:43 -0600
-Subject: usb: musb: dma: Correct parameter passed to IRQ handler
-
-From: Paul Cercueil <paul@crapouillou.net>
-
-commit c80d0f4426c7fdc7efd6ae8d8b021dcfc89b4254 upstream.
-
-The IRQ handler was passed a pointer to a struct dma_controller, but the
-argument was then casted to a pointer to a struct musb_dma_controller.
-
-Fixes: 427c4f333474 ("usb: struct device - replace bus_id with dev_name(), dev_set_name()")
-Signed-off-by: Paul Cercueil <paul@crapouillou.net>
-Tested-by: Artur Rojek <contact@artur-rojek.eu>
-Cc: stable@vger.kernel.org
-Signed-off-by: Bin Liu <b-liu@ti.com>
-Link: https://lore.kernel.org/r/20191216161844.772-2-b-liu@ti.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/usb/musb/musbhsdma.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/musb/musbhsdma.c
-+++ b/drivers/usb/musb/musbhsdma.c
-@@ -395,7 +395,7 @@ struct dma_controller *dma_controller_cr
- controller->controller.channel_abort = dma_channel_abort;
-
- if (request_irq(irq, dma_controller_irq, 0,
-- dev_name(musb->controller), &controller->controller)) {
-+ dev_name(musb->controller), controller)) {
- dev_err(dev, "request_irq %d failed!\n", irq);
- dma_controller_destroy(&controller->controller);
-
