From: Greg Kroah-Hartman Date: Mon, 31 Oct 2022 06:27:33 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.263~64 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=506a0ebe4da4f392e97fb01dc658a74ff11fd1ef;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: exec-copy-oldsighand-action-under-spin-lock.patch fbdev-smscufx-fix-several-use-after-free-bugs.patch fs-binfmt_elf-fix-memory-leak-in-load_elf_binary.patch iio-light-tsl2583-fix-module-unloading.patch iio-temperature-ltc2983-allocate-iio-channels-once.patch mac802154-fix-lqi-recording.patch scsi-qla2xxx-use-transport-defined-speed-mask-for-supported_speeds.patch tools-iio-iio_utils-fix-digit-calculation.patch --- diff --git a/queue-5.10/exec-copy-oldsighand-action-under-spin-lock.patch b/queue-5.10/exec-copy-oldsighand-action-under-spin-lock.patch new file mode 100644 index 00000000000..35050a00c7e --- /dev/null +++ b/queue-5.10/exec-copy-oldsighand-action-under-spin-lock.patch @@ -0,0 +1,39 @@ +From 5bf2fedca8f59379025b0d52f917b9ddb9bfe17e Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Mon, 7 Jun 2021 15:54:27 +0200 +Subject: exec: Copy oldsighand->action under spin-lock + +From: Bernd Edlinger + +commit 5bf2fedca8f59379025b0d52f917b9ddb9bfe17e upstream. + +unshare_sighand should only access oldsighand->action +while holding oldsighand->siglock, to make sure that +newsighand->action is in a consistent state. + +Signed-off-by: Bernd Edlinger +Cc: stable@vger.kernel.org +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/AM8PR10MB470871DEBD1DED081F9CC391E4389@AM8PR10MB4708.EURPRD10.PROD.OUTLOOK.COM +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1198,11 +1198,11 @@ static int unshare_sighand(struct task_s + return -ENOMEM; + + refcount_set(&newsighand->count, 1); +- memcpy(newsighand->action, oldsighand->action, +- sizeof(newsighand->action)); + + write_lock_irq(&tasklist_lock); + spin_lock(&oldsighand->siglock); ++ memcpy(newsighand->action, oldsighand->action, ++ sizeof(newsighand->action)); + rcu_assign_pointer(me->sighand, newsighand); + spin_unlock(&oldsighand->siglock); + write_unlock_irq(&tasklist_lock); diff --git a/queue-5.10/fbdev-smscufx-fix-several-use-after-free-bugs.patch b/queue-5.10/fbdev-smscufx-fix-several-use-after-free-bugs.patch new file mode 100644 index 00000000000..eb5db6ce349 --- /dev/null +++ b/queue-5.10/fbdev-smscufx-fix-several-use-after-free-bugs.patch @@ -0,0 +1,168 @@ +From cc67482c9e5f2c80d62f623bcc347c29f9f648e1 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Thu, 20 Oct 2022 18:15:44 -0700 +Subject: fbdev: smscufx: Fix several use-after-free bugs + +From: Hyunwoo Kim + +commit cc67482c9e5f2c80d62f623bcc347c29f9f648e1 upstream. + +Several types of UAFs can occur when physically removing a USB device. + +Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and +in this function, there is kref_put() that finally calls ufx_free(). + +This fix prevents multiple UAFs. + +Signed-off-by: Hyunwoo Kim +Link: https://lore.kernel.org/linux-fbdev/20221011153436.GA4446@ubuntu/ +Cc: +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/smscufx.c | 55 ++++++++++++++++++++++-------------------- + 1 file changed, 30 insertions(+), 25 deletions(-) + +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -97,7 +97,6 @@ struct ufx_data { + struct kref kref; + int fb_count; + bool virtualized; /* true when physical usb device not present */ +- struct delayed_work free_framebuffer_work; + atomic_t usb_active; /* 0 = update virtual buffer, but no usb traffic */ + atomic_t lost_pixels; /* 1 = a render op failed. Need screen refresh */ + u8 *edid; /* null until we read edid from hw or get from sysfs */ +@@ -1116,15 +1115,24 @@ static void ufx_free(struct kref *kref) + { + struct ufx_data *dev = container_of(kref, struct ufx_data, kref); + +- /* this function will wait for all in-flight urbs to complete */ +- if (dev->urbs.count > 0) +- ufx_free_urb_list(dev); ++ kfree(dev); ++} + +- pr_debug("freeing ufx_data %p", dev); ++static void ufx_ops_destory(struct fb_info *info) ++{ ++ struct ufx_data *dev = info->par; ++ int node = info->node; + +- kfree(dev); ++ /* Assume info structure is freed after this point */ ++ framebuffer_release(info); ++ ++ pr_debug("fb_info for /dev/fb%d has been freed", node); ++ ++ /* release reference taken by kref_init in probe() */ ++ kref_put(&dev->kref, ufx_free); + } + ++ + static void ufx_release_urb_work(struct work_struct *work) + { + struct urb_node *unode = container_of(work, struct urb_node, +@@ -1133,14 +1141,9 @@ static void ufx_release_urb_work(struct + up(&unode->dev->urbs.limit_sem); + } + +-static void ufx_free_framebuffer_work(struct work_struct *work) ++static void ufx_free_framebuffer(struct ufx_data *dev) + { +- struct ufx_data *dev = container_of(work, struct ufx_data, +- free_framebuffer_work.work); + struct fb_info *info = dev->info; +- int node = info->node; +- +- unregister_framebuffer(info); + + if (info->cmap.len != 0) + fb_dealloc_cmap(&info->cmap); +@@ -1152,11 +1155,6 @@ static void ufx_free_framebuffer_work(st + + dev->info = NULL; + +- /* Assume info structure is freed after this point */ +- framebuffer_release(info); +- +- pr_debug("fb_info for /dev/fb%d has been freed", node); +- + /* ref taken in probe() as part of registering framebfufer */ + kref_put(&dev->kref, ufx_free); + } +@@ -1168,11 +1166,13 @@ static int ufx_ops_release(struct fb_inf + { + struct ufx_data *dev = info->par; + ++ mutex_lock(&disconnect_mutex); ++ + dev->fb_count--; + + /* We can't free fb_info here - fbmem will touch it when we return */ + if (dev->virtualized && (dev->fb_count == 0)) +- schedule_delayed_work(&dev->free_framebuffer_work, HZ); ++ ufx_free_framebuffer(dev); + + if ((dev->fb_count == 0) && (info->fbdefio)) { + fb_deferred_io_cleanup(info); +@@ -1185,6 +1185,8 @@ static int ufx_ops_release(struct fb_inf + + kref_put(&dev->kref, ufx_free); + ++ mutex_unlock(&disconnect_mutex); ++ + return 0; + } + +@@ -1291,6 +1293,7 @@ static const struct fb_ops ufx_ops = { + .fb_blank = ufx_ops_blank, + .fb_check_var = ufx_ops_check_var, + .fb_set_par = ufx_ops_set_par, ++ .fb_destroy = ufx_ops_destory, + }; + + /* Assumes &info->lock held by caller +@@ -1672,9 +1675,6 @@ static int ufx_usb_probe(struct usb_inte + goto destroy_modedb; + } + +- INIT_DELAYED_WORK(&dev->free_framebuffer_work, +- ufx_free_framebuffer_work); +- + retval = ufx_reg_read(dev, 0x3000, &id_rev); + check_warn_goto_error(retval, "error %d reading 0x3000 register from device", retval); + dev_dbg(dev->gdev, "ID_REV register value 0x%08x", id_rev); +@@ -1747,10 +1747,12 @@ e_nomem: + static void ufx_usb_disconnect(struct usb_interface *interface) + { + struct ufx_data *dev; ++ struct fb_info *info; + + mutex_lock(&disconnect_mutex); + + dev = usb_get_intfdata(interface); ++ info = dev->info; + + pr_debug("USB disconnect starting\n"); + +@@ -1764,12 +1766,15 @@ static void ufx_usb_disconnect(struct us + + /* if clients still have us open, will be freed on last close */ + if (dev->fb_count == 0) +- schedule_delayed_work(&dev->free_framebuffer_work, 0); ++ ufx_free_framebuffer(dev); + +- /* release reference taken by kref_init in probe() */ +- kref_put(&dev->kref, ufx_free); ++ /* this function will wait for all in-flight urbs to complete */ ++ if (dev->urbs.count > 0) ++ ufx_free_urb_list(dev); + +- /* consider ufx_data freed */ ++ pr_debug("freeing ufx_data %p", dev); ++ ++ unregister_framebuffer(info); + + mutex_unlock(&disconnect_mutex); + } diff --git a/queue-5.10/fs-binfmt_elf-fix-memory-leak-in-load_elf_binary.patch b/queue-5.10/fs-binfmt_elf-fix-memory-leak-in-load_elf_binary.patch new file mode 100644 index 00000000000..6e6c1617a30 --- /dev/null +++ b/queue-5.10/fs-binfmt_elf-fix-memory-leak-in-load_elf_binary.patch @@ -0,0 +1,67 @@ +From 594d2a14f2168c09b13b114c3d457aa939403e52 Mon Sep 17 00:00:00 2001 +From: Li Zetao +Date: Mon, 24 Oct 2022 23:44:21 +0800 +Subject: fs/binfmt_elf: Fix memory leak in load_elf_binary() + +From: Li Zetao + +commit 594d2a14f2168c09b13b114c3d457aa939403e52 upstream. + +There is a memory leak reported by kmemleak: + + unreferenced object 0xffff88817104ef80 (size 224): + comm "xfs_admin", pid 47165, jiffies 4298708825 (age 1333.476s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 60 a8 b3 00 81 88 ff ff a8 10 5a 00 81 88 ff ff `.........Z..... + backtrace: + [] __alloc_file+0x21/0x250 + [] alloc_empty_file+0x41/0xf0 + [] path_openat+0xea/0x3d30 + [] do_filp_open+0x1b9/0x290 + [] do_open_execat+0xce/0x5b0 + [] open_exec+0x27/0x50 + [] load_elf_binary+0x510/0x3ed0 + [] bprm_execve+0x599/0x1240 + [] do_execveat_common.isra.0+0x4c7/0x680 + [] __x64_sys_execve+0x88/0xb0 + [] do_syscall_64+0x35/0x80 + +If "interp_elf_ex" fails to allocate memory in load_elf_binary(), +the program will take the "out_free_ph" error handing path, +resulting in "interpreter" file resource is not released. + +Fix it by adding an error handing path "out_free_file", which will +release the file resource when "interp_elf_ex" failed to allocate +memory. + +Fixes: 0693ffebcfe5 ("fs/binfmt_elf.c: allocate less for static executable") +Signed-off-by: Li Zetao +Reviewed-by: Alexey Dobriyan +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20221024154421.982230-1-lizetao1@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_elf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -907,7 +907,7 @@ static int load_elf_binary(struct linux_ + interp_elf_ex = kmalloc(sizeof(*interp_elf_ex), GFP_KERNEL); + if (!interp_elf_ex) { + retval = -ENOMEM; +- goto out_free_ph; ++ goto out_free_file; + } + + /* Get the exec headers */ +@@ -1328,6 +1328,7 @@ out: + out_free_dentry: + kfree(interp_elf_ex); + kfree(interp_elf_phdata); ++out_free_file: + allow_write_access(interpreter); + if (interpreter) + fput(interpreter); diff --git a/queue-5.10/iio-light-tsl2583-fix-module-unloading.patch b/queue-5.10/iio-light-tsl2583-fix-module-unloading.patch new file mode 100644 index 00000000000..7bf6292707b --- /dev/null +++ b/queue-5.10/iio-light-tsl2583-fix-module-unloading.patch @@ -0,0 +1,35 @@ +From 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 Mon Sep 17 00:00:00 2001 +From: Shreeya Patel +Date: Fri, 26 Aug 2022 17:53:52 +0530 +Subject: iio: light: tsl2583: Fix module unloading + +From: Shreeya Patel + +commit 0dec4d2f2636b9e54d9d29f17afc7687c5407f78 upstream. + +tsl2583 probe() uses devm_iio_device_register() and calling +iio_device_unregister() causes the unregister to occur twice. s +Switch to iio_device_register() instead of devm_iio_device_register() +in probe to avoid the device managed cleanup. + +Fixes: 371894f5d1a0 ("iio: tsl2583: add runtime power management support") +Signed-off-by: Shreeya Patel +Link: https://lore.kernel.org/r/20220826122352.288438-1-shreeya.patel@collabora.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/tsl2583.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/light/tsl2583.c ++++ b/drivers/iio/light/tsl2583.c +@@ -856,7 +856,7 @@ static int tsl2583_probe(struct i2c_clie + TSL2583_POWER_OFF_DELAY_MS); + pm_runtime_use_autosuspend(&clientp->dev); + +- ret = devm_iio_device_register(indio_dev->dev.parent, indio_dev); ++ ret = iio_device_register(indio_dev); + if (ret) { + dev_err(&clientp->dev, "%s: iio registration failed\n", + __func__); diff --git a/queue-5.10/iio-temperature-ltc2983-allocate-iio-channels-once.patch b/queue-5.10/iio-temperature-ltc2983-allocate-iio-channels-once.patch new file mode 100644 index 00000000000..1b7705575bb --- /dev/null +++ b/queue-5.10/iio-temperature-ltc2983-allocate-iio-channels-once.patch @@ -0,0 +1,54 @@ +From 4132f19173211856d35180958d2754f5c56d520a Mon Sep 17 00:00:00 2001 +From: Cosmin Tanislav +Date: Fri, 14 Oct 2022 15:37:22 +0300 +Subject: iio: temperature: ltc2983: allocate iio channels once + +From: Cosmin Tanislav + +commit 4132f19173211856d35180958d2754f5c56d520a upstream. + +Currently, every time the device wakes up from sleep, the +iio_chan array is reallocated, leaking the previous one +until the device is removed (basically never). + +Move the allocation to the probe function to avoid this. + +Signed-off-by: Cosmin Tanislav +Fixes: f110f3188e563 ("iio: temperature: Add support for LTC2983") +Cc: +Link: https://lore.kernel.org/r/20221014123724.1401011-2-demonsingur@gmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/temperature/ltc2983.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/iio/temperature/ltc2983.c ++++ b/drivers/iio/temperature/ltc2983.c +@@ -1376,13 +1376,6 @@ static int ltc2983_setup(struct ltc2983_ + return ret; + } + +- st->iio_chan = devm_kzalloc(&st->spi->dev, +- st->iio_channels * sizeof(*st->iio_chan), +- GFP_KERNEL); +- +- if (!st->iio_chan) +- return -ENOMEM; +- + ret = regmap_update_bits(st->regmap, LTC2983_GLOBAL_CONFIG_REG, + LTC2983_NOTCH_FREQ_MASK, + LTC2983_NOTCH_FREQ(st->filter_notch_freq)); +@@ -1494,6 +1487,12 @@ static int ltc2983_probe(struct spi_devi + if (ret) + return ret; + ++ st->iio_chan = devm_kzalloc(&spi->dev, ++ st->iio_channels * sizeof(*st->iio_chan), ++ GFP_KERNEL); ++ if (!st->iio_chan) ++ return -ENOMEM; ++ + ret = ltc2983_setup(st, true); + if (ret) + return ret; diff --git a/queue-5.10/mac802154-fix-lqi-recording.patch b/queue-5.10/mac802154-fix-lqi-recording.patch new file mode 100644 index 00000000000..0d504a16f18 --- /dev/null +++ b/queue-5.10/mac802154-fix-lqi-recording.patch @@ -0,0 +1,60 @@ +From 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 20 Oct 2022 16:25:35 +0200 +Subject: mac802154: Fix LQI recording + +From: Miquel Raynal + +commit 5a5c4e06fd03b595542d5590f2bc05a6b7fc5c2b upstream. + +Back in 2014, the LQI was saved in the skb control buffer (skb->cb, or +mac_cb(skb)) without any actual reset of this area prior to its use. + +As part of a useful rework of the use of this region, 32edc40ae65c +("ieee802154: change _cb handling slightly") introduced mac_cb_init() to +basically memset the cb field to 0. In particular, this new function got +called at the beginning of mac802154_parse_frame_start(), right before +the location where the buffer got actually filled. + +What went through unnoticed however, is the fact that the very first +helper called by device drivers in the receive path already used this +area to save the LQI value for later extraction. Resetting the cb field +"so late" led to systematically zeroing the LQI. + +If we consider the reset of the cb field needed, we can make it as soon +as we get an skb from a device driver, right before storing the LQI, +as is the very first time we need to write something there. + +Cc: stable@vger.kernel.org +Fixes: 32edc40ae65c ("ieee802154: change _cb handling slightly") +Signed-off-by: Miquel Raynal +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20221020142535.1038885-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -132,7 +132,7 @@ static int + ieee802154_parse_frame_start(struct sk_buff *skb, struct ieee802154_hdr *hdr) + { + int hlen; +- struct ieee802154_mac_cb *cb = mac_cb_init(skb); ++ struct ieee802154_mac_cb *cb = mac_cb(skb); + + skb_reset_mac_header(skb); + +@@ -294,8 +294,9 @@ void + ieee802154_rx_irqsafe(struct ieee802154_hw *hw, struct sk_buff *skb, u8 lqi) + { + struct ieee802154_local *local = hw_to_local(hw); ++ struct ieee802154_mac_cb *cb = mac_cb_init(skb); + +- mac_cb(skb)->lqi = lqi; ++ cb->lqi = lqi; + skb->pkt_type = IEEE802154_RX_MSG; + skb_queue_tail(&local->skb_queue, skb); + tasklet_schedule(&local->tasklet); diff --git a/queue-5.10/scsi-qla2xxx-use-transport-defined-speed-mask-for-supported_speeds.patch b/queue-5.10/scsi-qla2xxx-use-transport-defined-speed-mask-for-supported_speeds.patch new file mode 100644 index 00000000000..4c3dddb9266 --- /dev/null +++ b/queue-5.10/scsi-qla2xxx-use-transport-defined-speed-mask-for-supported_speeds.patch @@ -0,0 +1,73 @@ +From 0b863257c17c5f57a41e0a48de140ed026957a63 Mon Sep 17 00:00:00 2001 +From: Manish Rangankar +Date: Tue, 27 Sep 2022 04:59:46 -0700 +Subject: scsi: qla2xxx: Use transport-defined speed mask for supported_speeds + +From: Manish Rangankar + +commit 0b863257c17c5f57a41e0a48de140ed026957a63 upstream. + +One of the sysfs values reported for supported_speeds was not valid (20Gb/s +reported instead of 64Gb/s). Instead of driver internal speed mask +definition, use speed mask defined in transport_fc for reporting +host->supported_speeds. + +Link: https://lore.kernel.org/r/20220927115946.17559-1-njavali@marvell.com +Cc: stable@vger.kernel.org +Reviewed-by: Himanshu Madhani +Signed-off-by: Manish Rangankar +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_attr.c | 28 ++++++++++++++++++++++++++-- + 1 file changed, 26 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_attr.c ++++ b/drivers/scsi/qla2xxx/qla_attr.c +@@ -3262,11 +3262,34 @@ struct fc_function_template qla2xxx_tran + .bsg_timeout = qla24xx_bsg_timeout, + }; + ++static uint ++qla2x00_get_host_supported_speeds(scsi_qla_host_t *vha, uint speeds) ++{ ++ uint supported_speeds = FC_PORTSPEED_UNKNOWN; ++ ++ if (speeds & FDMI_PORT_SPEED_64GB) ++ supported_speeds |= FC_PORTSPEED_64GBIT; ++ if (speeds & FDMI_PORT_SPEED_32GB) ++ supported_speeds |= FC_PORTSPEED_32GBIT; ++ if (speeds & FDMI_PORT_SPEED_16GB) ++ supported_speeds |= FC_PORTSPEED_16GBIT; ++ if (speeds & FDMI_PORT_SPEED_8GB) ++ supported_speeds |= FC_PORTSPEED_8GBIT; ++ if (speeds & FDMI_PORT_SPEED_4GB) ++ supported_speeds |= FC_PORTSPEED_4GBIT; ++ if (speeds & FDMI_PORT_SPEED_2GB) ++ supported_speeds |= FC_PORTSPEED_2GBIT; ++ if (speeds & FDMI_PORT_SPEED_1GB) ++ supported_speeds |= FC_PORTSPEED_1GBIT; ++ ++ return supported_speeds; ++} ++ + void + qla2x00_init_host_attr(scsi_qla_host_t *vha) + { + struct qla_hw_data *ha = vha->hw; +- u32 speeds = FC_PORTSPEED_UNKNOWN; ++ u32 speeds = 0, fdmi_speed = 0; + + fc_host_dev_loss_tmo(vha->host) = ha->port_down_retry_count; + fc_host_node_name(vha->host) = wwn_to_u64(vha->node_name); +@@ -3276,7 +3299,8 @@ qla2x00_init_host_attr(scsi_qla_host_t * + fc_host_max_npiv_vports(vha->host) = ha->max_npiv_vports; + fc_host_npiv_vports_inuse(vha->host) = ha->cur_vport_count; + +- speeds = qla25xx_fdmi_port_speed_capability(ha); ++ fdmi_speed = qla25xx_fdmi_port_speed_capability(ha); ++ speeds = qla2x00_get_host_supported_speeds(vha, fdmi_speed); + + fc_host_supported_speeds(vha->host) = speeds; + } diff --git a/queue-5.10/series b/queue-5.10/series index 6a34d138e10..cce8dc910d3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -11,3 +11,11 @@ usb-xhci-add-xhci_spurious_success-to-asm1042-despite-being-a-v0.96-controller.p mtd-rawnand-marvell-use-correct-logic-for-nand-keep-config.patch xhci-add-quirk-to-reset-host-back-to-default-state-at-shutdown.patch xhci-remove-device-endpoints-from-bandwidth-list-when-freeing-the-device.patch +tools-iio-iio_utils-fix-digit-calculation.patch +iio-light-tsl2583-fix-module-unloading.patch +iio-temperature-ltc2983-allocate-iio-channels-once.patch +fbdev-smscufx-fix-several-use-after-free-bugs.patch +fs-binfmt_elf-fix-memory-leak-in-load_elf_binary.patch +exec-copy-oldsighand-action-under-spin-lock.patch +mac802154-fix-lqi-recording.patch +scsi-qla2xxx-use-transport-defined-speed-mask-for-supported_speeds.patch diff --git a/queue-5.10/tools-iio-iio_utils-fix-digit-calculation.patch b/queue-5.10/tools-iio-iio_utils-fix-digit-calculation.patch new file mode 100644 index 00000000000..e267f3d93c4 --- /dev/null +++ b/queue-5.10/tools-iio-iio_utils-fix-digit-calculation.patch @@ -0,0 +1,42 @@ +From 72b2aa38191bcba28389b0e20bf6b4f15017ff2b Mon Sep 17 00:00:00 2001 +From: Matti Vaittinen +Date: Thu, 13 Oct 2022 15:04:04 +0300 +Subject: tools: iio: iio_utils: fix digit calculation + +From: Matti Vaittinen + +commit 72b2aa38191bcba28389b0e20bf6b4f15017ff2b upstream. + +The iio_utils uses a digit calculation in order to know length of the +file name containing a buffer number. The digit calculation does not +work for number 0. + +This leads to allocation of one character too small buffer for the +file-name when file name contains value '0'. (Eg. buffer0). + +Fix digit calculation by returning one digit to be present for number +'0'. + +Fixes: 096f9b862e60 ("tools:iio:iio_utils: implement digit calculation") +Signed-off-by: Matti Vaittinen +Link: https://lore.kernel.org/r/Y0f+tKCz+ZAIoroQ@dc75zzyyyyyyyyyyyyycy-3.rev.dnainternet.fi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + tools/iio/iio_utils.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/iio/iio_utils.c ++++ b/tools/iio/iio_utils.c +@@ -543,6 +543,10 @@ static int calc_digits(int num) + { + int count = 0; + ++ /* It takes a digit to represent zero */ ++ if (!num) ++ return 1; ++ + while (num != 0) { + num /= 10; + count++;