From 8afef41a4059d57fabc5dd73e641c2701e5cae1b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 18 Feb 2022 10:20:34 +0100
Subject: [PATCH] 4.14-stable patches

added patches:
	drm-radeon-fix-backlight-control-on-imac-12-1.patch
	iwlwifi-fix-use-after-free.patch
---
 ...n-fix-backlight-control-on-imac-12-1.patch | 33 +++++++++++++
 queue-4.14/iwlwifi-fix-use-after-free.patch   | 48 +++++++++++++++++++
 queue-4.14/series                             |  2 +
 3 files changed, 83 insertions(+)
 create mode 100644 queue-4.14/drm-radeon-fix-backlight-control-on-imac-12-1.patch
 create mode 100644 queue-4.14/iwlwifi-fix-use-after-free.patch

diff --git a/queue-4.14/drm-radeon-fix-backlight-control-on-imac-12-1.patch b/queue-4.14/drm-radeon-fix-backlight-control-on-imac-12-1.patch
new file mode 100644
index 00000000000..5dd309b9450
--- /dev/null
+++ b/queue-4.14/drm-radeon-fix-backlight-control-on-imac-12-1.patch
@@ -0,0 +1,33 @@
+From 364438fd629f7611a84c8e6d7de91659300f1502 Mon Sep 17 00:00:00 2001
+From: Nicholas Bishop <nicholasbishop@google.com>
+Date: Fri, 11 Feb 2022 14:57:39 -0500
+Subject: drm/radeon: Fix backlight control on iMac 12,1
+
+From: Nicholas Bishop <nicholasbishop@google.com>
+
+commit 364438fd629f7611a84c8e6d7de91659300f1502 upstream.
+
+The iMac 12,1 does not use the gmux driver for backlight, so the radeon
+backlight device is needed to set the brightness.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1838
+Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -193,7 +193,8 @@ void radeon_atom_backlight_init(struct r
+ 	 * so don't register a backlight device
+ 	 */
+ 	if ((rdev->pdev->subsystem_vendor == PCI_VENDOR_ID_APPLE) &&
+-	    (rdev->pdev->device == 0x6741))
++	    (rdev->pdev->device == 0x6741) &&
++	    !dmi_match(DMI_PRODUCT_NAME, "iMac12,1"))
+ 		return;
+ 
+ 	if (!radeon_encoder->enc_priv)
diff --git a/queue-4.14/iwlwifi-fix-use-after-free.patch b/queue-4.14/iwlwifi-fix-use-after-free.patch
new file mode 100644
index 00000000000..1cab73189b7
--- /dev/null
+++ b/queue-4.14/iwlwifi-fix-use-after-free.patch
@@ -0,0 +1,48 @@
+From bea2662e7818e15d7607d17d57912ac984275d94 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 8 Feb 2022 11:47:30 +0100
+Subject: iwlwifi: fix use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit bea2662e7818e15d7607d17d57912ac984275d94 upstream.
+
+If no firmware was present at all (or, presumably, all of the
+firmware files failed to parse), we end up unbinding by calling
+device_release_driver(), which calls remove(), which then in
+iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
+the new code I added will still erroneously access it after it
+was freed.
+
+Set 'failure=false' in this case to avoid the access, all data
+was already freed anyway.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stefan Agner <stefan@agner.ch>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Reported-by: Jason Self <jason@bluehome.net>
+Reported-by: Dominik Behr <dominik@dominikbehr.com>
+Reported-by: Marek Marczykowski-GÃ³recki <marmarek@invisiblethingslab.com>
+Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220208114728.e6b514cf4c85.Iffb575ca2a623d7859b542c33b2a507d01554251@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1511,6 +1511,8 @@ static void iwl_req_fw_callback(const st
+  out_unbind:
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
++	/* drv has just been freed by the release */
++	failure = false;
+  free:
+ 	if (failure)
+ 		iwl_dealloc_ucode(drv);
diff --git a/queue-4.14/series b/queue-4.14/series
index b86f7166766..532dd7f2efb 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -12,3 +12,5 @@ ax25-improve-the-incomplete-fix-to-avoid-uaf-and-npd.patch
 vfs-make-freeze_super-abort-when-sync_filesystem-ret.patch
 quota-make-dquot_quota_sync-return-errors-from-sync_.patch
 revert-module-async-async_synchronize_full-on-module.patch
+iwlwifi-fix-use-after-free.patch
+drm-radeon-fix-backlight-control-on-imac-12-1.patch
-- 
2.47.3