4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Jan 2020 14:50:15 +0000 (15:50 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 15 Jan 2020 14:50:15 +0000 (15:50 +0100)
added patches:
cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
dccp-fix-memleak-in-__feat_register_sp.patch
f2fs-check-if-file-namelen-exceeds-max-value.patch
f2fs-check-memory-boundary-by-insane-namelen.patch
f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch
iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch
mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
rdma-fix-goto-target-to-release-the-allocated-memory.patch

queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch [new file with mode: 0644]
queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch [new file with mode: 0644]
queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch [new file with mode: 0644]
queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch [new file with mode: 0644]
queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch [new file with mode: 0644]
queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch [new file with mode: 0644]
queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch [new file with mode: 0644]
queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch [new file with mode: 0644]
queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch [new file with mode: 0644]
queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch b/queue-4.19/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
new file mode 100644 (file)
index 0000000..41ebb82
--- /dev/null
@@ -0,0 +1,166 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Dedy Lansky <dlansky@codeaurora.org>
+Date: Sun, 29 Jul 2018 14:59:16 +0300
+Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream.
+
+Make ieee80211_send_layer2_update() a common function so other drivers
+can re-use it.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[bwh: Backported to 4.19 as dependency of commit 3e493173b784
+ "mac80211: Do not send Layer 2 Update frame before authorization"]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h |   11 +++++++++++
+ net/mac80211/cfg.c     |   48 ++----------------------------------------------
+ net/wireless/util.c    |   45 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+), 46 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -4734,6 +4734,17 @@ const u8 *cfg80211_find_vendor_ie(unsign
+                                 const u8 *ies, int len);
+ /**
++ * cfg80211_send_layer2_update - send layer 2 update frame
++ *
++ * @dev: network device
++ * @addr: STA MAC address
++ *
++ * Wireless drivers can use this function to update forwarding tables in bridge
++ * devices upon STA association.
++ */
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr);
++
++/**
+  * DOC: Regulatory enforcement infrastructure
+  *
+  * TODO
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1096,50 +1096,6 @@ static int ieee80211_stop_ap(struct wiph
+       return 0;
+ }
+-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+-struct iapp_layer2_update {
+-      u8 da[ETH_ALEN];        /* broadcast */
+-      u8 sa[ETH_ALEN];        /* STA addr */
+-      __be16 len;             /* 6 */
+-      u8 dsap;                /* 0 */
+-      u8 ssap;                /* 0 */
+-      u8 control;
+-      u8 xid_info[3];
+-} __packed;
+-
+-static void ieee80211_send_layer2_update(struct sta_info *sta)
+-{
+-      struct iapp_layer2_update *msg;
+-      struct sk_buff *skb;
+-
+-      /* Send Level 2 Update Frame to update forwarding tables in layer 2
+-       * bridge devices */
+-
+-      skb = dev_alloc_skb(sizeof(*msg));
+-      if (!skb)
+-              return;
+-      msg = skb_put(skb, sizeof(*msg));
+-
+-      /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+-       * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+-
+-      eth_broadcast_addr(msg->da);
+-      memcpy(msg->sa, sta->sta.addr, ETH_ALEN);
+-      msg->len = htons(6);
+-      msg->dsap = 0;
+-      msg->ssap = 0x01;       /* NULL LSAP, CR Bit: Response */
+-      msg->control = 0xaf;    /* XID response lsb.1111F101.
+-                               * F=0 (no poll command; unsolicited frame) */
+-      msg->xid_info[0] = 0x81;        /* XID format identifier */
+-      msg->xid_info[1] = 1;   /* LLC types/classes: Type 1 LLC */
+-      msg->xid_info[2] = 0;   /* XID sender's receive window size (RW) */
+-
+-      skb->dev = sta->sdata->dev;
+-      skb->protocol = eth_type_trans(skb, sta->sdata->dev);
+-      memset(skb->cb, 0, sizeof(skb->cb));
+-      netif_rx_ni(skb);
+-}
+-
+ static int sta_apply_auth_flags(struct ieee80211_local *local,
+                               struct sta_info *sta,
+                               u32 mask, u32 set)
+@@ -1508,7 +1464,7 @@ static int ieee80211_add_station(struct
+       }
+       if (layer2_update)
+-              ieee80211_send_layer2_update(sta);
++              cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+       rcu_read_unlock();
+@@ -1610,7 +1566,7 @@ static int ieee80211_change_station(stru
+               if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+                       ieee80211_vif_inc_num_mcast(sta->sdata);
+-              ieee80211_send_layer2_update(sta);
++              cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+       }
+       err = sta_apply_parameters(local, sta, params);
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1919,3 +1919,48 @@ bool cfg80211_iftype_allowed(struct wiph
+       return false;
+ }
+ EXPORT_SYMBOL(cfg80211_iftype_allowed);
++
++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
++struct iapp_layer2_update {
++      u8 da[ETH_ALEN];        /* broadcast */
++      u8 sa[ETH_ALEN];        /* STA addr */
++      __be16 len;             /* 6 */
++      u8 dsap;                /* 0 */
++      u8 ssap;                /* 0 */
++      u8 control;
++      u8 xid_info[3];
++} __packed;
++
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr)
++{
++      struct iapp_layer2_update *msg;
++      struct sk_buff *skb;
++
++      /* Send Level 2 Update Frame to update forwarding tables in layer 2
++       * bridge devices */
++
++      skb = dev_alloc_skb(sizeof(*msg));
++      if (!skb)
++              return;
++      msg = skb_put(skb, sizeof(*msg));
++
++      /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
++       * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
++
++      eth_broadcast_addr(msg->da);
++      ether_addr_copy(msg->sa, addr);
++      msg->len = htons(6);
++      msg->dsap = 0;
++      msg->ssap = 0x01;       /* NULL LSAP, CR Bit: Response */
++      msg->control = 0xaf;    /* XID response lsb.1111F101.
++                               * F=0 (no poll command; unsolicited frame) */
++      msg->xid_info[0] = 0x81;        /* XID format identifier */
++      msg->xid_info[1] = 1;   /* LLC types/classes: Type 1 LLC */
++      msg->xid_info[2] = 0;   /* XID sender's receive window size (RW) */
++
++      skb->dev = dev;
++      skb->protocol = eth_type_trans(skb, dev);
++      memset(skb->cb, 0, sizeof(skb->cb));
++      netif_rx_ni(skb);
++}
++EXPORT_SYMBOL(cfg80211_send_layer2_update);
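Review bot: The kernel-doc added in the include/net/cfg80211.h hunk says drivers use this helper "upon STA association", but the only safe time to call it is once the STA is authorized; the later patch in this same queue (mac80211: Do not send Layer 2 Update frame before authorization) moves mac80211's own call for exactly that reason. Because the frame is a broadcast that rewrites bridge forwarding tables for `addr`, any new driver that takes the kernel-doc at its word and calls the now-exported function from an association path inherits the same problem. The upstream text cannot be changed in a backport, but a bracketed stable note in the patch header, or a follow-up kernel-doc fix reading `Call only after the STA has been authorized; calling it at association lets an unauthenticated STA redirect bridge forwarding.`, would help. The silent return when `dev_alloc_skb()` fails is best-effort and reasonable for a void helper.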
diff --git a/queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-4.19/dccp-fix-memleak-in-__feat_register_sp.patch
new file mode 100644 (file)
index 0000000..8cb0000
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: dccp: Fix memleak in __feat_register_sp
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream.
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/feat.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis
+       if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+               return -ENOMEM;
+-      return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++      if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++              kfree(fval.sp.vec);
++              return -ENOMEM;
++      }
++
++      return 0;
+ }
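Review bot: The new error branch hard-codes `-ENOMEM` instead of propagating what `dccp_feat_push_change()` returned, so any other failure code the callee returns now or in future is masked at this call site. Keeping the callee's value costs one line: `int rc = dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); if (rc) { kfree(fval.sp.vec); return rc; }`. Freeing `fval.sp.vec` on the failing path looks right, since the value was never handed to a feature entry there, but the ownership transfer on success is not visible in the hunk and is worth confirming. `__feat_register_sp` starts outside the hunk.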
+ /**
diff --git a/queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch b/queue-4.19/f2fs-check-if-file-namelen-exceeds-max-value.patch
new file mode 100644 (file)
index 0000000..6a34272
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Sheng Yong <shengyong1@huawei.com>
+Date: Mon, 7 Jan 2019 15:02:34 +0800
+Subject: f2fs: check if file namelen exceeds max value
+
+From: Sheng Yong <shengyong1@huawei.com>
+
+commit 720db068634c91553a8e1d9a0fcd8c7050e06d2b upstream.
+
+Dentry bitmap is not enough to detect incorrect dentries. So this patch
+also checks the namelen value of a dentry.
+
+Signed-off-by: Gong Chen <gongchen4@huawei.com>
+Signed-off-by: Sheng Yong <shengyong1@huawei.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/dir.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -808,7 +808,8 @@ int f2fs_fill_dentries(struct dir_contex
+               /* check memory boundary before moving forward */
+               bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+-              if (unlikely(bit_pos > d->max)) {
++              if (unlikely(bit_pos > d->max ||
++                              le16_to_cpu(de->name_len) > F2FS_NAME_LEN)) {
+                       f2fs_msg(sbi->sb, KERN_WARNING,
+                               "%s: corrupted namelen=%d, run fsck to fix.",
+                               __func__, le16_to_cpu(de->name_len));
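Review bot: `le16_to_cpu(de->name_len)` is evaluated three times in a row in this hunk (the slot computation, the new bound check and the warning), and the preceding backport in the same queue appears to store the same value in `de_name.len` just above this block. Reading it once into a local, or reusing `de_name.len`, guarantees that the check and the message describe the same value and reads better: `if (unlikely(bit_pos > d->max || de_name.len > F2FS_NAME_LEN)) {`. This check also relies on the `err`/`goto out` path that the two preceding f2fs backports introduce, so the order the series file lists them in must be preserved. `f2fs_fill_dentries` starts and ends outside the hunk.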
diff --git a/queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch b/queue-4.19/f2fs-check-memory-boundary-by-insane-namelen.patch
new file mode 100644 (file)
index 0000000..d1be83a
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 14 Nov 2018 12:40:30 -0800
+Subject: f2fs: check memory boundary by insane namelen
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 4e240d1bab1ead280ddf5eb05058dba6bbd57d10 upstream.
+
+If namelen is corrupted to have very long value, fill_dentries can copy
+wrong memory area.
+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/dir.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -806,6 +806,17 @@ int f2fs_fill_dentries(struct dir_contex
+               de_name.name = d->filename[bit_pos];
+               de_name.len = le16_to_cpu(de->name_len);
++              /* check memory boundary before moving forward */
++              bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
++              if (unlikely(bit_pos > d->max)) {
++                      f2fs_msg(sbi->sb, KERN_WARNING,
++                              "%s: corrupted namelen=%d, run fsck to fix.",
++                              __func__, le16_to_cpu(de->name_len));
++                      set_sbi_flag(sbi, SBI_NEED_FSCK);
++                      err = -EINVAL;
++                      goto out;
++              }
++
+               if (f2fs_encrypted_inode(d->inode)) {
+                       int save_len = fstr->len;
+@@ -826,7 +837,6 @@ int f2fs_fill_dentries(struct dir_contex
+               if (sbi->readdir_ra == 1)
+                       f2fs_ra_node_page(sbi, le32_to_cpu(de->ino));
+-              bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+               ctx->pos = start_pos + bit_pos;
+       }
+ out:
diff --git a/queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch b/queue-4.19/f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch
new file mode 100644 (file)
index 0000000..c510d5a
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Mon, 13 Jan 2020 23:20:07 +0000
+Subject: f2fs: Move err variable to function scope in f2fs_fill_dentries()
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+This is preparation for the following backported fixes.  It was done
+upstream as part of commit e1293bdfa01d "f2fs: plug readahead IO in
+readdir()", the rest of which does not seem suitable for stable.
+
+Cc: Jaegeuk Kim <jaegeuk@kernel.org>
+Cc: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/dir.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -785,6 +785,7 @@ int f2fs_fill_dentries(struct dir_contex
+       struct f2fs_dir_entry *de = NULL;
+       struct fscrypt_str de_name = FSTR_INIT(NULL, 0);
+       struct f2fs_sb_info *sbi = F2FS_I_SB(d->inode);
++      int err = 0;
+       bit_pos = ((unsigned long)ctx->pos % d->max);
+@@ -807,7 +808,6 @@ int f2fs_fill_dentries(struct dir_contex
+               if (f2fs_encrypted_inode(d->inode)) {
+                       int save_len = fstr->len;
+-                      int err;
+                       err = fscrypt_fname_disk_to_usr(d->inode,
+                                               (u32)de->hash_code, 0,
+@@ -829,7 +829,8 @@ int f2fs_fill_dentries(struct dir_contex
+               bit_pos += GET_DENTRY_SLOTS(le16_to_cpu(de->name_len));
+               ctx->pos = start_pos + bit_pos;
+       }
+-      return 0;
++out:
++      return err;
+ }
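Review bot: The new `out:` label has no `goto` at this point in the series; it only becomes used once the following backport (f2fs: check memory boundary by insane namelen) adds `goto out`, so a build at this commit emits an unused-label warning under the kernel's `-Wall`. That is acceptable for a preparation patch, but the header should say so, e.g. `The out: label is unused until the following patch adds its goto.`. It is also worth confirming that the encrypted-name branch, where `err` was previously block-scoped, still returns on failure before reaching the unified `return err`, since a non-zero `err` now survives the loop iteration; that branch is outside the hunk.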
+ static int f2fs_readdir(struct file *file, struct dir_context *ctx)
diff --git a/queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch b/queue-4.19/iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
new file mode 100644 (file)
index 0000000..39eebe0
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 12 Sep 2019 23:23:27 -0500
+Subject: iwlwifi: dbg_ini: fix memory leak in alloc_sgtable
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit b4b814fec1a5a849383f7b3886b654a13abbda7d upstream.
+
+In alloc_sgtable if alloc_page fails, the alocated table should be
+released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -547,6 +547,7 @@ static struct scatterlist *alloc_sgtable
+                               if (new_page)
+                                       __free_page(new_page);
+                       }
++                      kfree(table);
+                       return NULL;
+               }
+               alloc_size = min_t(int, size, PAGE_SIZE);
diff --git a/queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch b/queue-4.19/iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch
new file mode 100644 (file)
index 0000000..d565ab8
--- /dev/null
@@ -0,0 +1,99 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 27 Sep 2019 15:56:04 -0500
+Subject: iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 0f4f199443faca715523b0659aa536251d8b978f upstream.
+
+In iwl_pcie_ctxt_info_gen3_init there are cases that the allocated dma
+memory is leaked in case of error.
+
+DMA memories prph_scratch, prph_info, and ctxt_info_gen3 are allocated
+and initialized to be later assigned to trans_pcie. But in any error case
+before such assignment the allocated memories should be released.
+
+First of such error cases happens when iwl_pcie_init_fw_sec fails.
+Current implementation correctly releases prph_scratch. But in two
+sunsequent error cases where dma_alloc_coherent may fail, such
+releases are missing.
+
+This commit adds release for prph_scratch when allocation for
+prph_info fails, and adds releases for prph_scratch and prph_info when
+allocation for ctxt_info_gen3 fails.
+
+Fixes: 2ee824026288 ("iwlwifi: pcie: support context information for 22560 devices")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c |   36 ++++++++++-----
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+@@ -102,13 +102,9 @@ int iwl_pcie_ctxt_info_gen3_init(struct
+       /* allocate ucode sections in dram and set addresses */
+       ret = iwl_pcie_init_fw_sec(trans, fw, &prph_scratch->dram);
+-      if (ret) {
+-              dma_free_coherent(trans->dev,
+-                                sizeof(*prph_scratch),
+-                                prph_scratch,
+-                                trans_pcie->prph_scratch_dma_addr);
+-              return ret;
+-      }
++      if (ret)
++              goto err_free_prph_scratch;
++
+       /* Allocate prph information
+        * currently we don't assign to the prph info anything, but it would get
+@@ -116,16 +112,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct
+       prph_info = dma_alloc_coherent(trans->dev, sizeof(*prph_info),
+                                      &trans_pcie->prph_info_dma_addr,
+                                      GFP_KERNEL);
+-      if (!prph_info)
+-              return -ENOMEM;
++      if (!prph_info) {
++              ret = -ENOMEM;
++              goto err_free_prph_scratch;
++      }
+       /* Allocate context info */
+       ctxt_info_gen3 = dma_alloc_coherent(trans->dev,
+                                           sizeof(*ctxt_info_gen3),
+                                           &trans_pcie->ctxt_info_dma_addr,
+                                           GFP_KERNEL);
+-      if (!ctxt_info_gen3)
+-              return -ENOMEM;
++      if (!ctxt_info_gen3) {
++              ret = -ENOMEM;
++              goto err_free_prph_info;
++      }
+       ctxt_info_gen3->prph_info_base_addr =
+               cpu_to_le64(trans_pcie->prph_info_dma_addr);
+@@ -176,6 +176,20 @@ int iwl_pcie_ctxt_info_gen3_init(struct
+       iwl_set_bit(trans, CSR_GP_CNTRL, CSR_AUTO_FUNC_INIT);
+       return 0;
++
++err_free_prph_info:
++      dma_free_coherent(trans->dev,
++                        sizeof(*prph_info),
++                      prph_info,
++                      trans_pcie->prph_info_dma_addr);
++
++err_free_prph_scratch:
++      dma_free_coherent(trans->dev,
++                        sizeof(*prph_scratch),
++                      prph_scratch,
++                      trans_pcie->prph_scratch_dma_addr);
++      return ret;
++
+ }
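Review bot: The continuation lines under the two new labels are misaligned: in each `dma_free_coherent()` call the `prph_info,` / `prph_scratch,` and `trans_pcie->..._dma_addr` lines sit one tab short of the `sizeof(...)` line above them, and a stray blank line now precedes the closing brace of `iwl_pcie_ctxt_info_gen3_init`; checkpatch flags both, and aligning with the opening parenthesis as the removed block did fixes it. On these error paths `trans_pcie->prph_scratch_dma_addr` and `trans_pcie->prph_info_dma_addr` keep the addresses of memory that has just been freed, while the corresponding pointer members are not assigned anywhere the hunk shows. Whether anything later reads the stale addresses depends on `iwl_pcie_ctxt_info_gen3_free`, which is outside the hunk, so either clearing them on the error path or confirming that the free routine keys off the (unset) pointers would be prudent.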
+ void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans)
diff --git a/queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch b/queue-4.19/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
new file mode 100644 (file)
index 0000000..89c258e
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 11 Sep 2019 16:03:05 +0300
+Subject: mac80211: Do not send Layer 2 Update frame before authorization
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream.
+
+The Layer 2 Update frame is used to update bridges when a station roams
+to another AP even if that STA does not transmit any frames after the
+reassociation. This behavior was described in IEEE Std 802.11F-2003 as
+something that would happen based on MLME-ASSOCIATE.indication, i.e.,
+before completing 4-way handshake. However, this IEEE trial-use
+recommended practice document was published before RSN (IEEE Std
+802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
+IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
+maintained amd should not be used anymore.
+
+Sending out the Layer 2 Update frame immediately after association is
+fine for open networks (and also when using SAE, FT protocol, or FILS
+authentication when the station is actually authenticated by the time
+association completes). However, it is not appropriate for cases where
+RSN is used with PSK or EAP authentication since the station is actually
+fully authenticated only once the 4-way handshake completes after
+authentication and attackers might be able to use the unauthenticated
+triggering of Layer 2 Update frame transmission to disrupt bridge
+behavior.
+
+Fix this by postponing transmission of the Layer 2 Update frame from
+station entry addition to the point when the station entry is marked
+authorized. Similarly, send out the VLAN binding update only if the STA
+entry has already been authorized.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c      |   14 ++++----------
+ net/mac80211/sta_info.c |    4 ++++
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1410,7 +1410,6 @@ static int ieee80211_add_station(struct
+       struct sta_info *sta;
+       struct ieee80211_sub_if_data *sdata;
+       int err;
+-      int layer2_update;
+       if (params->vlan) {
+               sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
+@@ -1454,18 +1453,12 @@ static int ieee80211_add_station(struct
+           test_sta_flag(sta, WLAN_STA_ASSOC))
+               rate_control_rate_init(sta);
+-      layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+-              sdata->vif.type == NL80211_IFTYPE_AP;
+-
+       err = sta_info_insert_rcu(sta);
+       if (err) {
+               rcu_read_unlock();
+               return err;
+       }
+-      if (layer2_update)
+-              cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+-
+       rcu_read_unlock();
+       return 0;
+@@ -1563,10 +1556,11 @@ static int ieee80211_change_station(stru
+               sta->sdata = vlansdata;
+               ieee80211_check_fast_xmit(sta);
+-              if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
++              if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
+                       ieee80211_vif_inc_num_mcast(sta->sdata);
+-
+-              cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
++                      cfg80211_send_layer2_update(sta->sdata->dev,
++                                                  sta->sta.addr);
++              }
+       }
+       err = sta_apply_parameters(local, sta, params);
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1906,6 +1906,10 @@ int sta_info_move_state(struct sta_info
+                       ieee80211_check_fast_xmit(sta);
+                       ieee80211_check_fast_rx(sta);
+               }
++              if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++                  sta->sdata->vif.type == NL80211_IFTYPE_AP)
++                      cfg80211_send_layer2_update(sta->sdata->dev,
++                                                  sta->sta.addr);
+               break;
+       default:
+               break;
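Review bot: The new `cfg80211_send_layer2_update()` call in `sta_info_move_state` carries no comment explaining why it lives in the authorized transition rather than at station insertion, and that reasoning — a broadcast L2 update emitted for a not-yet-authenticated STA lets it rewrite bridge forwarding tables — is exactly what a later refactor tends to lose. A comment above the `if` would preserve it: `/* Update bridge forwarding tables only once the STA is authorized; doing it at association would let an unauthenticated STA redirect traffic through bridges. */`. The call sits after the block that enables fast xmit/rx, so it appears to run once per authorization, but the `case` label it belongs to is outside the hunk and should be confirmed. In `ieee80211_change_station` the VLAN-move path is now gated on `WLAN_STA_AUTHORIZED`, matching the description.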
diff --git a/queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch b/queue-4.19/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
new file mode 100644 (file)
index 0000000..a241c51
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Vandana BN <bnvandana@gmail.com>
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
+
+From: Vandana BN <bnvandana@gmail.com>
+
+commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream.
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+  __dump_stack lib/dump_stack.c:77 [inline]
+  dump_stack+0xe8/0x16e lib/dump_stack.c:113
+  kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+  read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+  strscpy+0x8a/0x280 lib/string.c:207
+  zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+  v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+  __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+  video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+  v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+  vfs_ioctl fs/ioctl.c:46 [inline]
+  file_ioctl fs/ioctl.c:509 [inline]
+  do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+  ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+  __do_sys_ioctl fs/ioctl.c:720 [inline]
+  __se_sys_ioctl fs/ioctl.c:718 [inline]
+  __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+  do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN <bnvandana@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 4.19: This function uses strlcpy() instead of strscpy()]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -703,7 +703,8 @@ static int zr364xx_vidioc_querycap(struc
+       struct zr364xx_camera *cam = video_drvdata(file);
+       strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+-      strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
++      if (cam->udev->product)
++              strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+       strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
+               sizeof(cap->bus_info));
+       cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
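Review bot: The description says an empty string is copied when `product` is NULL, but the new code only skips the `strlcpy()`, leaving `cap->card` with whatever it held on entry; it reads as an empty string only if the caller zeroed `*cap` beforehand, which the V4L2 ioctl core appears to do but this hunk does not show. Making the intent explicit removes that dependency: `else cap->card[0] = '\0';`. `zr364xx_vidioc_querycap` continues outside the hunk.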
diff --git a/queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch b/queue-4.19/rdma-fix-goto-target-to-release-the-allocated-memory.patch
new file mode 100644 (file)
index 0000000..b43222a
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Wed 15 Jan 2020 03:48:42 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 17:21:19 -0500
+Subject: RDMA: Fix goto target to release the allocated memory
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 4a9d46a9fe14401f21df69cea97c62396d5fb053 upstream.
+
+In bnxt_re_create_srq(), when ib_copy_to_udata() fails allocated memory
+should be released by goto fail.
+
+Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters")
+Link: https://lore.kernel.org/r/20190910222120.16517-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1446,7 +1446,7 @@ struct ib_srq *bnxt_re_create_srq(struct
+                       dev_err(rdev_to_dev(rdev), "SRQ copy to udata failed!");
+                       bnxt_qplib_destroy_srq(&rdev->qplib_res,
+                                              &srq->qplib_srq);
+-                      goto exit;
++                      goto fail;
+               }
+       }
+       if (nq)
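Review bot: The branch already calls `bnxt_qplib_destroy_srq()` before the retargeted `goto fail`, so the `fail:` label, which is outside the hunk, must release only the umem and the `srq` allocation and not destroy the qplib SRQ again, or this fix trades a leak for a double teardown. It is also worth confirming that `rc` still holds the `ib_copy_to_udata()` error at the jump, since `fail` presumably ends in `ERR_PTR(rc)`. A short comment at the jump, `/* qplib SRQ already torn down above; fail: releases umem and srq */`, would make the split cleanup obvious. `bnxt_re_create_srq` starts and ends outside the hunk.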
index 15de0a098eb3bf1ecec918b06950453ace1657c9..8ffee166436635bb646ae94def885b093f2872cb 100644 (file)
@@ -3,3 +3,13 @@ hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
 hid-hidraw-uhid-always-report-epollout.patch
 ethtool-reduce-stack-usage-with-clang.patch
 fs-select-avoid-clang-stack-usage-warning.patch
+cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
+mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
+f2fs-move-err-variable-to-function-scope-in-f2fs_fill_dentries.patch
+f2fs-check-memory-boundary-by-insane-namelen.patch
+f2fs-check-if-file-namelen-exceeds-max-value.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
+iwlwifi-dbg_ini-fix-memory-leak-in-alloc_sgtable.patch
+iwlwifi-pcie-fix-memory-leaks-in-iwl_pcie_ctxt_info_gen3_init.patch
+rdma-fix-goto-target-to-release-the-allocated-memory.patch
+dccp-fix-memleak-in-__feat_register_sp.patch