5.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Nov 2020 09:21:13 +0000 (10:21 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Nov 2020 09:21:13 +0000 (10:21 +0100)
added patches:
input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
leds-lm3697-fix-out-of-bound-access.patch

queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch [new file with mode: 0644]
queue-5.9/leds-lm3697-fix-out-of-bound-access.patch [new file with mode: 0644]
queue-5.9/series

diff --git a/queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch b/queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
new file mode 100644 (file)
index 0000000..92d8129
--- /dev/null
@@ -0,0 +1,94 @@
+From 77e70d351db7de07a46ac49b87a6c3c7a60fca7e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Mon, 26 Oct 2020 13:36:17 -0700
+Subject: Input: sunkbd - avoid use-after-free in teardown paths
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 77e70d351db7de07a46ac49b87a6c3c7a60fca7e upstream.
+
+We need to make sure we cancel the reinit work before we tear down the
+driver structures.
+
+Reported-by: Bodong Zhao <nopitydays@gmail.com>
+Tested-by: Bodong Zhao <nopitydays@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/sunkbd.c |   41 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 33 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/sunkbd.c
++++ b/drivers/input/keyboard/sunkbd.c
+@@ -99,7 +99,8 @@ static irqreturn_t sunkbd_interrupt(stru
+       switch (data) {
+       case SUNKBD_RET_RESET:
+-              schedule_work(&sunkbd->tq);
++              if (sunkbd->enabled)
++                      schedule_work(&sunkbd->tq);
+               sunkbd->reset = -1;
+               break;
+@@ -200,16 +201,12 @@ static int sunkbd_initialize(struct sunk
+ }
+ /*
+- * sunkbd_reinit() sets leds and beeps to a state the computer remembers they
+- * were in.
++ * sunkbd_set_leds_beeps() sets leds and beeps to a state the computer remembers
++ * they were in.
+  */
+-static void sunkbd_reinit(struct work_struct *work)
++static void sunkbd_set_leds_beeps(struct sunkbd *sunkbd)
+ {
+-      struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
+-
+-      wait_event_interruptible_timeout(sunkbd->wait, sunkbd->reset >= 0, HZ);
+-
+       serio_write(sunkbd->serio, SUNKBD_CMD_SETLED);
+       serio_write(sunkbd->serio,
+               (!!test_bit(LED_CAPSL,   sunkbd->dev->led) << 3) |
+@@ -222,11 +219,39 @@ static void sunkbd_reinit(struct work_st
+               SUNKBD_CMD_BELLOFF - !!test_bit(SND_BELL, sunkbd->dev->snd));
+ }
++
++/*
++ * sunkbd_reinit() wait for the keyboard reset to complete and restores state
++ * of leds and beeps.
++ */
++
++static void sunkbd_reinit(struct work_struct *work)
++{
++      struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
++
++      /*
++       * It is OK that we check sunkbd->enabled without pausing serio,
++       * as we only want to catch true->false transition that will
++       * happen once and we will be woken up for it.
++       */
++      wait_event_interruptible_timeout(sunkbd->wait,
++                                       sunkbd->reset >= 0 || !sunkbd->enabled,
++                                       HZ);
++
++      if (sunkbd->reset >= 0 && sunkbd->enabled)
++              sunkbd_set_leds_beeps(sunkbd);
++}
++
+ static void sunkbd_enable(struct sunkbd *sunkbd, bool enable)
+ {
+       serio_pause_rx(sunkbd->serio);
+       sunkbd->enabled = enable;
+       serio_continue_rx(sunkbd->serio);
++
++      if (!enable) {
++              wake_up_interruptible(&sunkbd->wait);
++              cancel_work_sync(&sunkbd->tq);
++      }
+ }
+ /*
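Review bot: The `if (!enable)` block added to sunkbd_enable() depends on an ordering that is not written down: `enabled` has to be false (it is cleared between serio_pause_rx() and serio_continue_rx() just above) before cancel_work_sync() runs. Otherwise the SUNKBD_RET_RESET case in sunkbd_interrupt() could presumably requeue `tq` after the cancel, which is the teardown use-after-free this patch is closing. I would put a comment above the two calls, e.g. `/* enabled is false now, so the ISR cannot requeue tq; wake the worker out of its wait, then flush it */`. The comment should also say that wake_up_interruptible() is only there to cut short the up-to-HZ wait in sunkbd_reinit(), so a later cleanup does not reorder it after the cancel. Separately, the new header comment reads "sunkbd_reinit() wait for", where "waits for" is meant.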
diff --git a/queue-5.9/leds-lm3697-fix-out-of-bound-access.patch b/queue-5.9/leds-lm3697-fix-out-of-bound-access.patch
new file mode 100644 (file)
index 0000000..8e3b148
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Fri Nov 20 09:54:12 AM CET 2020
+From: Gabriel David <ultracoolguy@tutanota.com>
+Date: Fri, 2 Oct 2020 18:27:00 -0400
+Subject: leds: lm3697: Fix out-of-bound access
+
+From: Gabriel David <ultracoolguy@tutanota.com>
+
+commit 98d278ca00bd8f62c8bc98bd9e65372d16eb6956 upstream
+
+If both LED banks aren't used in device tree, an out-of-bounds
+condition in lm3697_init occurs because of the for loop assuming that
+all the banks are used.  Fix it by adding a variable that contains the
+number of used banks.
+
+Signed-off-by: Gabriel David <ultracoolguy@tutanota.com>
+[removed extra rename, minor tweaks]
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Cc: stable@kernel.org
+[sudip: use client->dev]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/leds/leds-lm3697.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm3697.c
++++ b/drivers/leds/leds-lm3697.c
+@@ -78,6 +78,7 @@ struct lm3697 {
+       struct mutex lock;
+       int bank_cfg;
++      int num_banks;
+       struct lm3697_led leds[];
+ };
+@@ -180,7 +181,7 @@ static int lm3697_init(struct lm3697 *pr
+       if (ret)
+               dev_err(&priv->client->dev, "Cannot write OUTPUT config\n");
+-      for (i = 0; i < LM3697_MAX_CONTROL_BANKS; i++) {
++      for (i = 0; i < priv->num_banks; i++) {
+               led = &priv->leds[i];
+               ret = ti_lmu_common_set_ramp(&led->lmu_data);
+               if (ret)
+@@ -307,8 +308,8 @@ static int lm3697_probe(struct i2c_clien
+       int ret;
+       count = device_get_child_node_count(&client->dev);
+-      if (!count) {
+-              dev_err(&client->dev, "LEDs are not defined in device tree!");
++      if (!count || count > LM3697_MAX_CONTROL_BANKS) {
++              dev_err(&client->dev, "Strange device tree!");
+               return -ENODEV;
+       }
+@@ -322,6 +323,7 @@ static int lm3697_probe(struct i2c_clien
+       led->client = client;
+       led->dev = &client->dev;
++      led->num_banks = count;
+       led->regmap = devm_regmap_init_i2c(client, &lm3697_regmap_config);
+       if (IS_ERR(led->regmap)) {
+               ret = PTR_ERR(led->regmap);
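Review bot: The widened check in lm3697_probe() replaces a specific diagnostic with `"Strange device tree!"`, which has no trailing newline and does not say which limit was violated. This check now gates the value stored in `num_banks` and used as the loop bound in lm3697_init(), so the log line should name the cause, e.g. `dev_err(&client->dev, "LED child node count must be 1..%d\n", LM3697_MAX_CONTROL_BANKS);`. The other dev_err() visible in this patch does end in `\n`. The declaration of `count` is outside the hunk; device_get_child_node_count() returns an unsigned value, so a one-line comment on `int num_banks` saying it is bounded by LM3697_MAX_CONTROL_BANKS at probe time would document why the narrowing is safe.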
index 66fc4adb43e30a95719a86732674c3c5478937f7..f5166cd924962160f9ecb546326049d5783a5670 100644 (file)
@@ -3,3 +3,5 @@ powerpc-64s-flush-l1d-on-kernel-entry.patch
 powerpc-64s-flush-l1d-after-user-accesses.patch
 powerpc-only-include-kup-radix.h-for-64-bit-book3s.patch
 selftests-powerpc-entry-flush-test.patch
+leds-lm3697-fix-out-of-bound-access.patch
+input-sunkbd-avoid-use-after-free-in-teardown-paths.patch