--- /dev/null
+From cc67482c9e5f2c80d62f623bcc347c29f9f648e1 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Thu, 20 Oct 2022 18:15:44 -0700
+Subject: fbdev: smscufx: Fix several use-after-free bugs
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream.
+
+Several types of UAFs can occur when physically removing a USB device.
+
+Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and
+in this function, there is kref_put() that finally calls ufx_free().
+
+This fix prevents multiple UAFs.
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/smscufx.c | 55 ++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+--- a/drivers/video/fbdev/smscufx.c
++++ b/drivers/video/fbdev/smscufx.c
+@@ -100,7 +100,6 @@ struct ufx_data {
+ struct kref kref;
+ int fb_count;
+ bool virtualized; /* true when physical usb device not present */
+- struct delayed_work free_framebuffer_work;
+ atomic_t usb_active; /* 0 = update virtual buffer, but no usb traffic */
+ atomic_t lost_pixels; /* 1 = a render op failed. Need screen refresh */
+ u8 *edid; /* null until we read edid from hw or get from sysfs */
+@@ -1119,15 +1118,24 @@ static void ufx_free(struct kref *kref)
+ {
+ struct ufx_data *dev = container_of(kref, struct ufx_data, kref);
+
+- /* this function will wait for all in-flight urbs to complete */
+- if (dev->urbs.count > 0)
+- ufx_free_urb_list(dev);
++ kfree(dev);
++}
+
+- pr_debug("freeing ufx_data %p", dev);
++static void ufx_ops_destory(struct fb_info *info)
++{
++ struct ufx_data *dev = info->par;
++ int node = info->node;
+
+- kfree(dev);
++ /* Assume info structure is freed after this point */
++ framebuffer_release(info);
++
++ pr_debug("fb_info for /dev/fb%d has been freed", node);
++
++ /* release reference taken by kref_init in probe() */
++ kref_put(&dev->kref, ufx_free);
+ }
+
++
+ static void ufx_release_urb_work(struct work_struct *work)
+ {
+ struct urb_node *unode = container_of(work, struct urb_node,
+@@ -1136,14 +1144,9 @@ static void ufx_release_urb_work(struct
+ up(&unode->dev->urbs.limit_sem);
+ }
+
+-static void ufx_free_framebuffer_work(struct work_struct *work)
++static void ufx_free_framebuffer(struct ufx_data *dev)
+ {
+- struct ufx_data *dev = container_of(work, struct ufx_data,
+- free_framebuffer_work.work);
+ struct fb_info *info = dev->info;
+- int node = info->node;
+-
+- unregister_framebuffer(info);
+
+ if (info->cmap.len != 0)
+ fb_dealloc_cmap(&info->cmap);
+@@ -1155,11 +1158,6 @@ static void ufx_free_framebuffer_work(st
+
+ dev->info = NULL;
+
+- /* Assume info structure is freed after this point */
+- framebuffer_release(info);
+-
+- pr_debug("fb_info for /dev/fb%d has been freed", node);
+-
+ /* ref taken in probe() as part of registering framebfufer */
+ kref_put(&dev->kref, ufx_free);
+ }
+@@ -1171,11 +1169,13 @@ static int ufx_ops_release(struct fb_inf
+ {
+ struct ufx_data *dev = info->par;
+
++ mutex_lock(&disconnect_mutex);
++
+ dev->fb_count--;
+
+ /* We can't free fb_info here - fbmem will touch it when we return */
+ if (dev->virtualized && (dev->fb_count == 0))
+- schedule_delayed_work(&dev->free_framebuffer_work, HZ);
++ ufx_free_framebuffer(dev);
+
+ if ((dev->fb_count == 0) && (info->fbdefio)) {
+ fb_deferred_io_cleanup(info);
+@@ -1189,6 +1189,8 @@ static int ufx_ops_release(struct fb_inf
+
+ kref_put(&dev->kref, ufx_free);
+
++ mutex_unlock(&disconnect_mutex);
++
+ return 0;
+ }
+
+@@ -1295,6 +1297,7 @@ static struct fb_ops ufx_ops = {
+ .fb_blank = ufx_ops_blank,
+ .fb_check_var = ufx_ops_check_var,
+ .fb_set_par = ufx_ops_set_par,
++ .fb_destroy = ufx_ops_destory,
+ };
+
+ /* Assumes &info->lock held by caller
+@@ -1678,9 +1681,6 @@ static int ufx_usb_probe(struct usb_inte
+ goto destroy_modedb;
+ }
+
+- INIT_DELAYED_WORK(&dev->free_framebuffer_work,
+- ufx_free_framebuffer_work);
+-
+ retval = ufx_reg_read(dev, 0x3000, &id_rev);
+ check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval);
+ dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev);
+@@ -1753,10 +1753,12 @@ e_nomem:
+ static void ufx_usb_disconnect(struct usb_interface *interface)
+ {
+ struct ufx_data *dev;
++ struct fb_info *info;
+
+ mutex_lock(&disconnect_mutex);
+
+ dev = usb_get_intfdata(interface);
++ info = dev->info;
+
+ pr_debug("USB disconnect starting\n");
+
+@@ -1770,12 +1772,15 @@ static void ufx_usb_disconnect(struct us
+
+ /* if clients still have us open, will be freed on last close */
+ if (dev->fb_count == 0)
+- schedule_delayed_work(&dev->free_framebuffer_work, 0);
++ ufx_free_framebuffer(dev);
+
+- /* release reference taken by kref_init in probe() */
+- kref_put(&dev->kref, ufx_free);
++ /* this function will wait for all in-flight urbs to complete */
++ if (dev->urbs.count > 0)
++ ufx_free_urb_list(dev);
+
+- /* consider ufx_data freed */
++ pr_debug("freeing ufx_data %p", dev);
++
++ unregister_framebuffer(info);
+
+ mutex_unlock(&disconnect_mutex);
+ }
--- /dev/null
+From 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 Mon Sep 17 00:00:00 2001
+From: Shreeya Patel <shreeya.patel@collabora.com>
+Date: Fri, 26 Aug 2022 17:53:52 +0530
+Subject: iio: light: tsl2583: Fix module unloading
+
+From: Shreeya Patel <shreeya.patel@collabora.com>
+
+commit 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 upstream.
+
+tsl2583 probe() uses devm_iio_device_register() and calling
+iio_device_unregister() causes the unregister to occur twice. s
+Switch to iio_device_register() instead of devm_iio_device_register()
+in probe to avoid the device managed cleanup.
+
+Fixes: 371894f5d1a0 ("iio: tsl2583: add runtime power management support")
+Signed-off-by: Shreeya Patel <shreeya.patel@collabora.com>
+Link: https://lore.kernel.org/r/20220826122352.288438-1-shreeya.patel@collabora.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/tsl2583.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/tsl2583.c
++++ b/drivers/iio/light/tsl2583.c
+@@ -866,7 +866,7 @@ static int tsl2583_probe(struct i2c_clie
+ TSL2583_POWER_OFF_DELAY_MS);
+ pm_runtime_use_autosuspend(&clientp->dev);
+
+- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev);
++ ret = iio_device_register(indio_dev);
+ if (ret) {
+ dev_err(&clientp->dev, "%s: iio registration failed\n",
+ __func__);
--- /dev/null
+From 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Thu, 20 Oct 2022 16:25:35 +0200
+Subject: mac802154: Fix LQI recording
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b upstream.
+
+Back in 2014, the LQI was saved in the skb control buffer (skb->cb, or
+mac_cb(skb)) without any actual reset of this area prior to its use.
+
+As part of a useful rework of the use of this region, 32edc40ae65c
+("ieee802154: change _cb handling slightly") introduced mac_cb_init() to
+basically memset the cb field to 0. In particular, this new function got
+called at the beginning of mac802154_parse_frame_start(), right before
+the location where the buffer got actually filled.
+
+What went through unnoticed however, is the fact that the very first
+helper called by device drivers in the receive path already used this
+area to save the LQI value for later extraction. Resetting the cb field
+"so late" led to systematically zeroing the LQI.
+
+If we consider the reset of the cb field needed, we can make it as soon
+as we get an skb from a device driver, right before storing the LQI,
+as is the very first time we need to write something there.
+
+Cc: stable@vger.kernel.org
+Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20221020142535.1038885-1-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/rx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac802154/rx.c
++++ b/net/mac802154/rx.c
+@@ -140,7 +140,7 @@ static int
+ ieee802154_parse_frame_start(struct sk_buff *skb, struct ieee802154_hdr *hdr)
+ {
+ int hlen;
+- struct ieee802154_mac_cb *cb = mac_cb_init(skb);
++ struct ieee802154_mac_cb *cb = mac_cb(skb);
+
+ skb_reset_mac_header(skb);
+
+@@ -302,8 +302,9 @@ void
+ ieee802154_rx_irqsafe(struct ieee802154_hw *hw, struct sk_buff *skb, u8 lqi)
+ {
+ struct ieee802154_local *local = hw_to_local(hw);
++ struct ieee802154_mac_cb *cb = mac_cb_init(skb);
+
+- mac_cb(skb)->lqi = lqi;
++ cb->lqi = lqi;
+ skb->pkt_type = IEEE802154_RX_MSG;
+ skb_queue_tail(&local->skb_queue, skb);
+ tasklet_schedule(&local->tasklet);
--- /dev/null
+From 72b2aa38191bcba28389b0e20bf6b4f15017ff2b Mon Sep 17 00:00:00 2001
+From: Matti Vaittinen <mazziesaccount@gmail.com>
+Date: Thu, 13 Oct 2022 15:04:04 +0300
+Subject: tools: iio: iio_utils: fix digit calculation
+
+From: Matti Vaittinen <mazziesaccount@gmail.com>
+
+commit 72b2aa38191bcba28389b0e20bf6b4f15017ff2b upstream.
+
+The iio_utils uses a digit calculation in order to know length of the
+file name containing a buffer number. The digit calculation does not
+work for number 0.
+
+This leads to allocation of one character too small buffer for the
+file-name when file name contains value '0'. (Eg. buffer0).
+
+Fix digit calculation by returning one digit to be present for number
+'0'.
+
+Fixes: 096f9b862e60 ("tools:iio:iio_utils: implement digit calculation")
+Signed-off-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://lore.kernel.org/r/Y0f+tKCz+ZAIoroQ@dc75zzyyyyyyyyyyyyycy-3.rev.dnainternet.fi
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/iio/iio_utils.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/iio/iio_utils.c
++++ b/tools/iio/iio_utils.c
+@@ -546,6 +546,10 @@ static int calc_digits(int num)
+ {
+ int count = 0;
+
++ /* It takes a digit to represent zero */
++ if (!num)
++ return 1;
++
+ while (num != 0) {
+ num /= 10;
+ count++;
projects / thirdparty / kernel / stable-queue.git / commitdiff
