From 18e8a23c7161004c03b9f9ec24601846e150c31d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 20 Nov 2020 10:21:13 +0100
Subject: [PATCH] 5.9-stable patches

added patches:
input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
leds-lm3697-fix-out-of-bound-access.patch
---
...oid-use-after-free-in-teardown-paths.patch | 94 +++++++++++++++++++
.../leds-lm3697-fix-out-of-bound-access.patch | 63 +++++++++++++
queue-5.9/series | 2 +
3 files changed, 159 insertions(+)
create mode 100644 queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
create mode 100644 queue-5.9/leds-lm3697-fix-out-of-bound-access.patch
diff --git a/queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch b/queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
new file mode 100644
index 00000000000..92d81295120
--- /dev/null
+++ b/queue-5.9/input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
@@ -0,0 +1,94 @@
+From 77e70d351db7de07a46ac49b87a6c3c7a60fca7e Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 26 Oct 2020 13:36:17 -0700
+Subject: Input: sunkbd - avoid use-after-free in teardown paths
+
+From: Dmitry Torokhov
+
+commit 77e70d351db7de07a46ac49b87a6c3c7a60fca7e upstream.
+
+We need to make sure we cancel the reinit work before we tear down the
+driver structures.
+
+Reported-by: Bodong Zhao
+Tested-by: Bodong Zhao
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/keyboard/sunkbd.c | 41 ++++++++++++++++++++++++++++++++--------
+ 1 file changed, 33 insertions(+), 8 deletions(-)
+
+--- a/drivers/input/keyboard/sunkbd.c
++++ b/drivers/input/keyboard/sunkbd.c
+@@ -99,7 +99,8 @@ static irqreturn_t sunkbd_interrupt(stru
+ switch (data) {
+
+ case SUNKBD_RET_RESET:
+- schedule_work(&sunkbd->tq);
++ if (sunkbd->enabled)
++ schedule_work(&sunkbd->tq);
+ sunkbd->reset = -1;
+ break;
+
+@@ -200,16 +201,12 @@ static int sunkbd_initialize(struct sunk
+ }
+
+ /*
+- * sunkbd_reinit() sets leds and beeps to a state the computer remembers they
+- * were in.
++ * sunkbd_set_leds_beeps() sets leds and beeps to a state the computer remembers
++ * they were in.
+ */
+
+-static void sunkbd_reinit(struct work_struct *work)
++static void sunkbd_set_leds_beeps(struct sunkbd *sunkbd)
+ {
+- struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
+-
+- wait_event_interruptible_timeout(sunkbd->wait, sunkbd->reset >= 0, HZ);
+-
+ serio_write(sunkbd->serio, SUNKBD_CMD_SETLED);
+ serio_write(sunkbd->serio,
+ (!!test_bit(LED_CAPSL, sunkbd->dev->led) << 3) |
+@@ -222,11 +219,39 @@ static void sunkbd_reinit(struct work_st
+ SUNKBD_CMD_BELLOFF - !!test_bit(SND_BELL, sunkbd->dev->snd));
+ }
+
++
++/*
++ * sunkbd_reinit() wait for the keyboard reset to complete and restores state
++ * of leds and beeps.
++ */
++
++static void sunkbd_reinit(struct work_struct *work)
++{
++ struct sunkbd *sunkbd = container_of(work, struct sunkbd, tq);
++
++ /*
++ * It is OK that we check sunkbd->enabled without pausing serio,
++ * as we only want to catch true->false transition that will
++ * happen once and we will be woken up for it.
++ */
++ wait_event_interruptible_timeout(sunkbd->wait,
++ sunkbd->reset >= 0 || !sunkbd->enabled,
++ HZ);
++
++ if (sunkbd->reset >= 0 && sunkbd->enabled)
++ sunkbd_set_leds_beeps(sunkbd);
++}
++
+ static void sunkbd_enable(struct sunkbd *sunkbd, bool enable)
+ {
+ serio_pause_rx(sunkbd->serio);
+ sunkbd->enabled = enable;
+ serio_continue_rx(sunkbd->serio);
++
++ if (!enable) {
++ wake_up_interruptible(&sunkbd->wait);
++ cancel_work_sync(&sunkbd->tq);
++ }
+ }
+
+ /*
diff --git a/queue-5.9/leds-lm3697-fix-out-of-bound-access.patch b/queue-5.9/leds-lm3697-fix-out-of-bound-access.patch
new file mode 100644
index 00000000000..8e3b148bdf8
--- /dev/null
+++ b/queue-5.9/leds-lm3697-fix-out-of-bound-access.patch
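Review bot: The `if (!enable)` block added to sunkbd_enable() carries no comment explaining why the wake-up precedes the cancel, although the teardown guarantee rests on that sequence. Clearing `enabled` between serio_pause_rx() and serio_continue_rx() appears intended to stop sunkbd_interrupt() from queueing further work, the wake-up lets a sleeping sunkbd_reinit() leave its wait before the HZ timeout, and cancel_work_sync() is what ensures the work is no longer running when the function returns. I would add above the block: `/* Stop reinit work: wake a waiting sunkbd_reinit(), then wait for it to finish before callers free sunkbd. */`. The callers that must invoke sunkbd_enable(sunkbd, false) before releasing the structure are outside this hunk, so that ordering should be confirmed against the full file.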
@@ -0,0 +1,63 @@
+From foo@baz Fri Nov 20 09:54:12 AM CET 2020
+From: Gabriel David
+Date: Fri, 2 Oct 2020 18:27:00 -0400
+Subject: leds: lm3697: Fix out-of-bound access
+
+From: Gabriel David
+
+commit 98d278ca00bd8f62c8bc98bd9e65372d16eb6956 upstream
+
+If both LED banks aren't used in device tree, an out-of-bounds
+condition in lm3697_init occurs because of the for loop assuming that
+all the banks are used. Fix it by adding a variable that contains the
+number of used banks.
+
+Signed-off-by: Gabriel David
+[removed extra rename, minor tweaks]
+Signed-off-by: Pavel Machek
+Cc: stable@kernel.org
+[sudip: use client->dev]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/leds/leds-lm3697.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm3697.c
++++ b/drivers/leds/leds-lm3697.c
+@@ -78,6 +78,7 @@ struct lm3697 {
+ struct mutex lock;
+
+ int bank_cfg;
++ int num_banks;
+
+ struct lm3697_led leds[];
+ };
+@@ -180,7 +181,7 @@ static int lm3697_init(struct lm3697 *pr
+ if (ret)
+ dev_err(&priv->client->dev, "Cannot write OUTPUT config\n");
+
+- for (i = 0; i < LM3697_MAX_CONTROL_BANKS; i++) {
++ for (i = 0; i < priv->num_banks; i++) {
+ led = &priv->leds[i];
+ ret = ti_lmu_common_set_ramp(&led->lmu_data);
+ if (ret)
+@@ -307,8 +308,8 @@ static int lm3697_probe(struct i2c_clien
+ int ret;
+
+ count = device_get_child_node_count(&client->dev);
+- if (!count) {
+- dev_err(&client->dev, "LEDs are not defined in device tree!");
++ if (!count || count > LM3697_MAX_CONTROL_BANKS) {
++ dev_err(&client->dev, "Strange device tree!");
+ return -ENODEV;
+ }
+
+@@ -322,6 +323,7 @@ static int lm3697_probe(struct i2c_clien
+
+ led->client = client;
+ led->dev = &client->dev;
++ led->num_banks = count;
+ led->regmap = devm_regmap_init_i2c(client, &lm3697_regmap_config);
+ if (IS_ERR(led->regmap)) {
+ ret = PTR_ERR(led->regmap);
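Review bot: The new bound check in lm3697_probe() logs `"Strange device tree!"`, which neither says which limit was violated nor reports the offending count, and it has no trailing newline. Since this check is what keeps the `priv->leds[i]` loop in lm3697_init() within the array, a message such as `dev_err(&client->dev, "Expected 1..%d LED child nodes, found %d\n", LM3697_MAX_CONTROL_BANKS, count);` would make a rejected device tree diagnosable from the log. The declaration of `count` and the allocation size of `leds[]` are outside the hunk, so the format specifier should follow the declared type of `count`, and it is worth confirming the array is sized from the same value that is stored in `num_banks`.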
diff --git a/queue-5.9/series b/queue-5.9/series
index 66fc4adb43e..f5166cd9249 100644
--- a/queue-5.9/series
+++ b/queue-5.9/series
@@ -3,3 +3,5 @@ powerpc-64s-flush-l1d-on-kernel-entry.patch
 powerpc-64s-flush-l1d-after-user-accesses.patch
 powerpc-only-include-kup-radix.h-for-64-bit-book3s.patch
 selftests-powerpc-entry-flush-test.patch
+leds-lm3697-fix-out-of-bound-access.patch
+input-sunkbd-avoid-use-after-free-in-teardown-paths.patch
--
2.47.3