--- /dev/null
+From 883f616530692d81cb70f8a32d85c0d2afc05f69 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lars=20M=C3=B6llendorf?= <lars.moellendorf@plating.de>
+Date: Fri, 13 Dec 2019 14:50:55 +0100
+Subject: iio: buffer: align the size of scan bytes to size of the largest element
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lars Möllendorf <lars.moellendorf@plating.de>
+
+commit 883f616530692d81cb70f8a32d85c0d2afc05f69 upstream.
+
+Previous versions of `iio_compute_scan_bytes` only aligned each element
+to its own length (i.e. its own natural alignment). Because multiple
+consecutive sets of scan elements are buffered this does not work in
+case the computed scan bytes do not align with the natural alignment of
+the first scan element in the set.
+
+This commit fixes this by aligning the scan bytes to the natural
+alignment of the largest scan element in the set.
+
+Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.")
+Signed-off-by: Lars Möllendorf <lars.moellendorf@plating.de>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/iio/industrialio-buffer.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -527,7 +527,7 @@ static int iio_compute_scan_bytes(struct
+ {
+ const struct iio_chan_spec *ch;
+ unsigned bytes = 0;
+- int length, i;
++ int length, i, largest = 0;
+
+ /* How much space will the demuxed element take? */
+ for_each_set_bit(i, mask,
+@@ -540,6 +540,7 @@ static int iio_compute_scan_bytes(struct
+ length = ch->scan_type.storagebits / 8;
+ bytes = ALIGN(bytes, length);
+ bytes += length;
++ largest = max(largest, length);
+ }
+ if (timestamp) {
+ ch = iio_find_channel_from_si(indio_dev,
+@@ -551,7 +552,10 @@ static int iio_compute_scan_bytes(struct
+ length = ch->scan_type.storagebits / 8;
+ bytes = ALIGN(bytes, length);
+ bytes += length;
++ largest = max(largest, length);
+ }
++
++ bytes = ALIGN(bytes, largest);
+ return bytes;
+ }
+
--- /dev/null
+From e5e884b42639c74b5b57dc277909915c0aefc8bb Mon Sep 17 00:00:00 2001
+From: Wen Huang <huangwenabc@gmail.com>
+Date: Thu, 28 Nov 2019 18:51:04 +0800
+Subject: libertas: Fix two buffer overflows at parsing bss descriptor
+
+From: Wen Huang <huangwenabc@gmail.com>
+
+commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.
+
+add_ie_rates() copys rates without checking the length
+in bss descriptor from remote AP.when victim connects to
+remote attacker, this may trigger buffer overflow.
+lbs_ibss_join_existing() copys rates without checking the length
+in bss descriptor from remote IBSS node.when victim connects to
+remote attacker, this may trigger buffer overflow.
+Fix them by putting the length check before performing copy.
+
+This fix addresses CVE-2019-14896 and CVE-2019-14897.
+This also fix build warning of mixed declarations and code.
+
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: Wen Huang <huangwenabc@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/libertas/cfg.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/libertas/cfg.c
++++ b/drivers/net/wireless/libertas/cfg.c
+@@ -272,6 +272,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
+ int hw, ap, ap_max = ie[1];
+ u8 hw_rate;
+
++ if (ap_max > MAX_RATES) {
++ lbs_deb_assoc("invalid rates\n");
++ return tlv;
++ }
+ /* Advance past IE header */
+ ie += 2;
+
+@@ -1656,6 +1660,9 @@ static int lbs_change_intf(struct wiphy
+ {
+ struct lbs_private *priv = wiphy_priv(wiphy);
+ int ret = 0;
++ int hw, i;
++ u8 rates_max;
++ u8 *rates;
+
+ if (dev == priv->mesh_dev)
+ return -EOPNOTSUPP;
+@@ -1843,9 +1850,12 @@ static int lbs_ibss_join_existing(struct
+ if (!rates_eid) {
+ lbs_add_rates(cmd.bss.rates);
+ } else {
+- int hw, i;
+- u8 rates_max = rates_eid[1];
+- u8 *rates = cmd.bss.rates;
++ rates_max = rates_eid[1];
++ if (rates_max > MAX_RATES) {
++ lbs_deb_join("invalid rates");
++ goto out;
++ }
++ rates = cmd.bss.rates;
+ for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
+ u8 hw_rate = lbs_rates[hw].bitrate / 5;
+ for (i = 0; i < rates_max; i++) {
--- /dev/null
+From bba340c79bfe3644829db5c852fdfa9e33837d6d Mon Sep 17 00:00:00 2001
+From: Bo Wu <wubo40@huawei.com>
+Date: Wed, 20 Nov 2019 13:26:17 +0000
+Subject: scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
+
+From: Bo Wu <wubo40@huawei.com>
+
+commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream.
+
+In iscsi_if_rx func, after receiving one request through
+iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to
+reply to the request in a do-while loop. If the iscsi_if_send_reply
+function keeps returning -EAGAIN, a deadlock will occur.
+
+For example, a client only send msg without calling recvmsg func, then
+it will result in the watchdog soft lockup. The details are given as
+follows:
+
+ sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
+ retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr);
+ while (1) {
+ state_msg = sendmsg(sock_fd, &msg, 0);
+ //Note: recvmsg(sock_fd, &msg, 0) is not processed here.
+ }
+ close(sock_fd);
+
+watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat:
+curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0
+deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq:
+ TIMER: 992
+ SCHED: 8
+Sample irqstat:
+ irq 2: delta 1003, curr: 3103802, arch_timer
+CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G OE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 40400005 (nZcv daif +PAN -UAO)
+pc : __alloc_skb+0x104/0x1b0
+lr : __alloc_skb+0x9c/0x1b0
+sp : ffff000033603a30
+x29: ffff000033603a30 x28: 00000000000002dd
+x27: ffff800b34ced810 x26: ffff800ba7569f00
+x25: 00000000ffffffff x24: 0000000000000000
+x23: ffff800f7c43f600 x22: 0000000000480020
+x21: ffff0000091d9000 x20: ffff800b34eff200
+x19: ffff800ba7569f00 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000000 x14: 0001000101000100
+x13: 0000000101010000 x12: 0101000001010100
+x11: 0001010101010001 x10: 00000000000002dd
+x9 : ffff000033603d58 x8 : ffff800b34eff400
+x7 : ffff800ba7569200 x6 : ffff800b34eff400
+x5 : 0000000000000000 x4 : 00000000ffffffff
+x3 : 0000000000000000 x2 : 0000000000000001
+x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace:
+__alloc_skb+0x104/0x1b0
+iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi]
+netlink_unicast+0x1e0/0x258
+netlink_sendmsg+0x310/0x378
+sock_sendmsg+0x4c/0x70
+sock_write_iter+0x90/0xf0
+__vfs_write+0x11c/0x190
+vfs_write+0xac/0x1c0
+ksys_write+0x6c/0xd8
+__arm64_sys_write+0x24/0x30
+el0_svc_common+0x78/0x130
+el0_svc_handler+0x38/0x78
+el0_svc+0x8/0xc
+
+Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com
+Signed-off-by: Bo Wu <wubo40@huawei.com>
+Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -37,6 +37,8 @@
+
+ #define ISCSI_TRANSPORT_VERSION "2.0-870"
+
++#define ISCSI_SEND_MAX_ALLOWED 10
++
+ static int dbg_session;
+ module_param_named(debug_session, dbg_session, int,
+ S_IRUGO | S_IWUSR);
+@@ -3695,6 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ struct nlmsghdr *nlh;
+ struct iscsi_uevent *ev;
+ uint32_t group;
++ int retries = ISCSI_SEND_MAX_ALLOWED;
+
+ nlh = nlmsg_hdr(skb);
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+@@ -3725,6 +3728,10 @@ iscsi_if_rx(struct sk_buff *skb)
+ break;
+ err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
+ nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
++ if (err == -EAGAIN && --retries < 0) {
++ printk(KERN_WARNING "Send reply failed, error %d\n", err);
++ break;
++ }
+ } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
+ skb_pull(skb, rlen);
+ }
net-cxgb3_main-add-cap_net_admin-check-to-chelsio_get_mem.patch
net-ip_tunnel-fix-namespaces-move.patch
net_sched-fix-datalen-for-ematch.patch
-net-sysfs-fix-reference-count-leak.patch
net-usb-lan78xx-add-.ndo_features_check.patch
hwmon-adt7475-make-volt2reg-return-same-reg-as-reg2volt-input.patch
input-keyspan-remote-fix-control-message-timeouts.patch
scsi-rdma-isert-fix-a-recently-introduced-regression-related-to-logout.patch
tracing-xen-ordered-comparison-of-function-pointers.patch
do_last-fetch-directory-i_mode-and-i_uid-before-it-s-too-late.patch
+iio-buffer-align-the-size-of-scan-bytes-to-size-of-the-largest-element.patch
+libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+scsi-iscsi-avoid-potential-deadlock-in-iscsi_if_rx-func.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
