From 53a540a999d70e513e90a3e6e498e9f69da2b295 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 31 Oct 2022 07:27:12 +0100 Subject: [PATCH] 4.19-stable patches added patches: fbdev-smscufx-fix-several-use-after-free-bugs.patch iio-light-tsl2583-fix-module-unloading.patch mac802154-fix-lqi-recording.patch tools-iio-iio_utils-fix-digit-calculation.patch --- ...cufx-fix-several-use-after-free-bugs.patch | 168 ++++++++++++++++++ ...o-light-tsl2583-fix-module-unloading.patch | 35 ++++ queue-4.19/mac802154-fix-lqi-recording.patch | 60 +++++++ queue-4.19/series | 4 + ...-iio-iio_utils-fix-digit-calculation.patch | 42 +++++ 5 files changed, 309 insertions(+) create mode 100644 queue-4.19/fbdev-smscufx-fix-several-use-after-free-bugs.patch create mode 100644 queue-4.19/iio-light-tsl2583-fix-module-unloading.patch create mode 100644 queue-4.19/mac802154-fix-lqi-recording.patch create mode 100644 queue-4.19/tools-iio-iio_utils-fix-digit-calculation.patch diff --git a/queue-4.19/fbdev-smscufx-fix-several-use-after-free-bugs.patch b/queue-4.19/fbdev-smscufx-fix-several-use-after-free-bugs.patch new file mode 100644 index 00000000000..71e09ad34da --- /dev/null +++ b/queue-4.19/fbdev-smscufx-fix-several-use-after-free-bugs.patch @@ -0,0 +1,168 @@ +From cc67482c9e5f2c80d62f623bcc347c29f9f648e1 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 20 Oct 2022 18:15:44 -0700 +Subject: fbdev: smscufx: Fix several use-after-free bugs + +From: Hyunwoo Kim + +commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream. + +Several types of UAFs can occur when physically removing a USB device. + +Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and +in this function, there is kref_put() that finally calls ufx_free(). + +This fix prevents multiple UAFs. + +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/ +Cc: +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/smscufx.c | 55 ++++++++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 25 deletions(-) + +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -100,7 +100,6 @@ struct ufx_data { + struct kref kref; + int fb_count; + bool virtualized; /* true when physical usb device not present */ +- struct delayed_work free_framebuffer_work; + atomic_t usb_active; /* 0 = update virtual buffer, but no usb traffic */ + atomic_t lost_pixels; /* 1 = a render op failed. Need screen refresh */ + u8 *edid; /* null until we read edid from hw or get from sysfs */ +@@ -1119,15 +1118,24 @@ static void ufx_free(struct kref *kref) + { + struct ufx_data *dev = container_of(kref, struct ufx_data, kref); + +- /* this function will wait for all in-flight urbs to complete */ +- if (dev->urbs.count > 0) +- ufx_free_urb_list(dev); ++ kfree(dev); ++} + +- pr_debug("freeing ufx_data %p", dev); ++static void ufx_ops_destory(struct fb_info *info) ++{ ++ struct ufx_data *dev = info->par; ++ int node = info->node; + +- kfree(dev); ++ /* Assume info structure is freed after this point */ ++ framebuffer_release(info); ++ ++ pr_debug("fb_info for /dev/fb%d has been freed", node); ++ ++ /* release reference taken by kref_init in probe() */ ++ kref_put(&dev->kref, ufx_free); + } + ++ + static void ufx_release_urb_work(struct work_struct *work) + { + struct urb_node *unode = container_of(work, struct urb_node, +@@ -1136,14 +1144,9 @@ static void ufx_release_urb_work(struct + up(&unode->dev->urbs.limit_sem); + } + +-static void ufx_free_framebuffer_work(struct work_struct *work) ++static void ufx_free_framebuffer(struct ufx_data *dev) + { +- struct ufx_data *dev = container_of(work, struct ufx_data, +- free_framebuffer_work.work); + struct fb_info *info = dev->info; +- int node = info->node; +- +- unregister_framebuffer(info); + + if (info->cmap.len != 0) + fb_dealloc_cmap(&info->cmap); +@@ -1155,11 +1158,6 @@ static void ufx_free_framebuffer_work(st + + dev->info = NULL; + +- /* Assume info structure is freed after this point */ +- framebuffer_release(info); +- +- pr_debug("fb_info for /dev/fb%d has been freed", node); +- + /* ref taken in probe() as part of registering framebfufer */ + kref_put(&dev->kref, ufx_free); + } +@@ -1171,11 +1169,13 @@ static int ufx_ops_release(struct fb_inf + { + struct ufx_data *dev = info->par; + ++ mutex_lock(&disconnect_mutex); ++ + dev->fb_count--; + + /* We can't free fb_info here - fbmem will touch it when we return */ + if (dev->virtualized && (dev->fb_count == 0)) +- schedule_delayed_work(&dev->free_framebuffer_work, HZ); ++ ufx_free_framebuffer(dev); + + if ((dev->fb_count == 0) && (info->fbdefio)) { + fb_deferred_io_cleanup(info); +@@ -1189,6 +1189,8 @@ static int ufx_ops_release(struct fb_inf + + kref_put(&dev->kref, ufx_free); + ++ mutex_unlock(&disconnect_mutex); ++ + return 0; + } + +@@ -1295,6 +1297,7 @@ static struct fb_ops ufx_ops = { + .fb_blank = ufx_ops_blank, + .fb_check_var = ufx_ops_check_var, + .fb_set_par = ufx_ops_set_par, ++ .fb_destroy = ufx_ops_destory, + }; + + /* Assumes &info->lock held by caller +@@ -1678,9 +1681,6 @@ static int ufx_usb_probe(struct usb_inte + goto destroy_modedb; + } + +- INIT_DELAYED_WORK(&dev->free_framebuffer_work, +- ufx_free_framebuffer_work); +- + retval = ufx_reg_read(dev, 0x3000, &id_rev); + check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval); + dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev); +@@ -1753,10 +1753,12 @@ e_nomem: + static void ufx_usb_disconnect(struct usb_interface *interface) + { + struct ufx_data *dev; ++ struct fb_info *info; + + mutex_lock(&disconnect_mutex); + + dev = usb_get_intfdata(interface); ++ info = dev->info; + + pr_debug("USB disconnect starting\n"); + +@@ -1770,12 +1772,15 @@ static void ufx_usb_disconnect(struct us + + /* if clients still have us open, will be freed on last close */ + if (dev->fb_count == 0) +- schedule_delayed_work(&dev->free_framebuffer_work, 0); ++ ufx_free_framebuffer(dev); + +- /* release reference taken by kref_init in probe() */ +- kref_put(&dev->kref, ufx_free); ++ /* this function will wait for all in-flight urbs to complete */ ++ if (dev->urbs.count > 0) ++ ufx_free_urb_list(dev); + +- /* consider ufx_data freed */ ++ pr_debug("freeing ufx_data %p", dev); ++ ++ unregister_framebuffer(info); + + mutex_unlock(&disconnect_mutex); + } diff --git a/queue-4.19/iio-light-tsl2583-fix-module-unloading.patch b/queue-4.19/iio-light-tsl2583-fix-module-unloading.patch new file mode 100644 index 00000000000..28223344a95 --- /dev/null +++ b/queue-4.19/iio-light-tsl2583-fix-module-unloading.patch @@ -0,0 +1,35 @@ +From 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 Mon Sep 17 00:00:00 2001 +From: Shreeya Patel +Date: Fri, 26 Aug 2022 17:53:52 +0530 +Subject: iio: light: tsl2583: Fix module unloading + +From: Shreeya Patel + +commit 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 upstream. + +tsl2583 probe() uses devm_iio_device_register() and calling +iio_device_unregister() causes the unregister to occur twice. s +Switch to iio_device_register() instead of devm_iio_device_register() +in probe to avoid the device managed cleanup. + +Fixes: 371894f5d1a0 ("iio: tsl2583: add runtime power management support") +Signed-off-by: Shreeya Patel +Link: https://lore.kernel.org/r/20220826122352.288438-1-shreeya.patel@collabora.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/tsl2583.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/tsl2583.c ++++ b/drivers/iio/light/tsl2583.c +@@ -866,7 +866,7 @@ static int tsl2583_probe(struct i2c_clie + TSL2583_POWER_OFF_DELAY_MS); + pm_runtime_use_autosuspend(&clientp->dev); + +- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev); ++ ret = iio_device_register(indio_dev); + if (ret) { + dev_err(&clientp->dev, "%s: iio registration failed\n", + __func__); diff --git a/queue-4.19/mac802154-fix-lqi-recording.patch b/queue-4.19/mac802154-fix-lqi-recording.patch new file mode 100644 index 00000000000..5a91ea55e4d --- /dev/null +++ b/queue-4.19/mac802154-fix-lqi-recording.patch @@ -0,0 +1,60 @@ +From 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 20 Oct 2022 16:25:35 +0200 +Subject: mac802154: Fix LQI recording + +From: Miquel Raynal + +commit 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b upstream. + +Back in 2014, the LQI was saved in the skb control buffer (skb->cb, or +mac_cb(skb)) without any actual reset of this area prior to its use. + +As part of a useful rework of the use of this region, 32edc40ae65c +("ieee802154: change _cb handling slightly") introduced mac_cb_init() to +basically memset the cb field to 0. In particular, this new function got +called at the beginning of mac802154_parse_frame_start(), right before +the location where the buffer got actually filled. + +What went through unnoticed however, is the fact that the very first +helper called by device drivers in the receive path already used this +area to save the LQI value for later extraction. Resetting the cb field +"so late" led to systematically zeroing the LQI. + +If we consider the reset of the cb field needed, we can make it as soon +as we get an skb from a device driver, right before storing the LQI, +as is the very first time we need to write something there. + +Cc: stable@vger.kernel.org +Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20221020142535.1038885-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -140,7 +140,7 @@ static int + ieee802154_parse_frame_start(struct sk_buff *skb, struct ieee802154_hdr *hdr) + { + int hlen; +- struct ieee802154_mac_cb *cb = mac_cb_init(skb); ++ struct ieee802154_mac_cb *cb = mac_cb(skb); + + skb_reset_mac_header(skb); + +@@ -302,8 +302,9 @@ void + ieee802154_rx_irqsafe(struct ieee802154_hw *hw, struct sk_buff *skb, u8 lqi) + { + struct ieee802154_local *local = hw_to_local(hw); ++ struct ieee802154_mac_cb *cb = mac_cb_init(skb); + +- mac_cb(skb)->lqi = lqi; ++ cb->lqi = lqi; + skb->pkt_type = IEEE802154_RX_MSG; + skb_queue_tail(&local->skb_queue, skb); + tasklet_schedule(&local->tasklet); diff --git a/queue-4.19/series b/queue-4.19/series index 1d96d92d6b6..cd2dc5d1fe3 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -32,3 +32,7 @@ usb-dwc3-gadget-don-t-set-imi-for-no_interrupt.patch usb-bdc-change-state-when-port-disconnected.patch usb-xhci-add-xhci_spurious_success-to-asm1042-despite-being-a-v0.96-controller.patch xhci-remove-device-endpoints-from-bandwidth-list-when-freeing-the-device.patch +tools-iio-iio_utils-fix-digit-calculation.patch +iio-light-tsl2583-fix-module-unloading.patch +fbdev-smscufx-fix-several-use-after-free-bugs.patch +mac802154-fix-lqi-recording.patch diff --git a/queue-4.19/tools-iio-iio_utils-fix-digit-calculation.patch b/queue-4.19/tools-iio-iio_utils-fix-digit-calculation.patch new file mode 100644 index 00000000000..3b7e2d8a830 --- /dev/null +++ b/queue-4.19/tools-iio-iio_utils-fix-digit-calculation.patch @@ -0,0 +1,42 @@ +From 72b2aa38191bcba28389b0e20bf6b4f15017ff2b Mon Sep 17 00:00:00 2001 +From: Matti Vaittinen +Date: Thu, 13 Oct 2022 15:04:04 +0300 +Subject: tools: iio: iio_utils: fix digit calculation + +From: Matti Vaittinen + +commit 72b2aa38191bcba28389b0e20bf6b4f15017ff2b upstream. + +The iio_utils uses a digit calculation in order to know length of the +file name containing a buffer number. The digit calculation does not +work for number 0. + +This leads to allocation of one character too small buffer for the +file-name when file name contains value '0'. (Eg. buffer0). + +Fix digit calculation by returning one digit to be present for number +'0'. + +Fixes: 096f9b862e60 ("tools:iio:iio_utils: implement digit calculation") +Signed-off-by: Matti Vaittinen +Link: https://lore.kernel.org/r/Y0f+tKCz+ZAIoroQ@dc75zzyyyyyyyyyyyyycy-3.rev.dnainternet.fi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + tools/iio/iio_utils.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -546,6 +546,10 @@ static int calc_digits(int num) + { + int count = 0; + ++ /* It takes a digit to represent zero */ ++ if (!num) ++ return 1; ++ + while (num != 0) { + num /= 10; + count++; -- 2.47.3