--- /dev/null
+From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 16 Jul 2018 20:59:58 -0500
+Subject: net: cxgb3_main: fix potential Spectre v1
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.
+
+t.qset_idx can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
+warn: potential spectre issue 'adapter->msix_info'
+
+Fix this by sanitizing t.qset_idx before using it to index
+adapter->msix_info
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -50,6 +50,7 @@
+ #include <linux/stringify.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
++#include <linux/nospec.h>
+ #include <asm/uaccess.h>
+
+ #include "common.h"
+@@ -2259,6 +2260,7 @@ static int cxgb_extension_ioctl(struct n
+
+ if (t.qset_idx >= nqsets)
+ return -EINVAL;
++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
+
+ q = &adapter->params.sge.qset[q1 + t.qset_idx];
+ t.rspq_size = q->rspq_size;
--- /dev/null
+From dea39aca1d7aef1e2b95b07edeacf04cc8863a2e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Sun, 15 Jul 2018 21:53:20 +0200
+Subject: net: lan78xx: Fix race in tx pending skb size calculation
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+commit dea39aca1d7aef1e2b95b07edeacf04cc8863a2e upstream.
+
+The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
+which could lead to rare kernel oopses. So protect the whole skb walk with
+a spin lock. As a benefit we can unlink the skb directly.
+
+This patch was tested on Raspberry Pi 3B+
+
+Link: https://github.com/raspberrypi/linux/issues/2608
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Floris Bos <bos@je-eigen-domein.nl>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/lan78xx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2964,6 +2964,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ pkt_cnt = 0;
+ count = 0;
+ length = 0;
++ spin_lock_irqsave(&tqp->lock, flags);
+ for (skb = tqp->next; pkt_cnt < tqp->qlen; skb = skb->next) {
+ if (skb_is_gso(skb)) {
+ if (pkt_cnt) {
+@@ -2972,7 +2973,8 @@ static void lan78xx_tx_bh(struct lan78xx
+ }
+ count = 1;
+ length = skb->len - TX_OVERHEAD;
+- skb2 = skb_dequeue(tqp);
++ __skb_unlink(skb, tqp);
++ spin_unlock_irqrestore(&tqp->lock, flags);
+ goto gso_skb;
+ }
+
+@@ -2981,6 +2983,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ skb_totallen = skb->len + roundup(skb_totallen, sizeof(u32));
+ pkt_cnt++;
+ }
++ spin_unlock_irqrestore(&tqp->lock, flags);
+
+ /* copy to a single skb */
+ skb = alloc_skb(skb_totallen, GFP_ATOMIC);
--- /dev/null
+From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Thu, 28 Jun 2018 10:02:27 +0800
+Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream.
+
+Without this patch, firmware will not run properly on rtl8821ae, and it
+causes bad user experience. For example, bad connection performance with
+low rate, higher power consumption, and so on.
+
+rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
+each firmware has firmware data buffer and size individually. Original
+code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
+this mismatch causes firmware checksum error, then firmware can't start.
+
+In this situation, driver gives message "Firmware is not ready to run!".
+
+Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Cc: Stable <stable@vger.kernel.org> # 4.0+
+Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -131,7 +131,6 @@ found_alt:
+ firmware->size);
+ rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
+ }
+- rtlpriv->rtlhal.fwsize = firmware->size;
+ release_firmware(firmware);
+ }
+
vhost_net-validate-sock-before-trying-to-put-its-fd.patch
net-packet-fix-use-after-free.patch
net-mlx5-fix-command-interface-race-in-polling-mode.patch
+net-cxgb3_main-fix-potential-spectre-v1.patch
+rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
+net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
