--- /dev/null
+From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:50:58 -0500
+Subject: ALSA: firewire: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream.
+
+In iso_packets_buffer_init(), 'b->packets' is allocated through
+kmalloc_array(). Then, the aligned packet size is checked. If it is
+larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
+However, the allocated 'b->packets' is not deallocated on this path,
+leading to a memory leak.
+
+To fix the above issue, free 'b->packets' before returning the error code.
+
+Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Cc: <stable@vger.kernel.org> # v2.6.39+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/packets-buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/firewire/packets-buffer.c
++++ b/sound/firewire/packets-buffer.c
+@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p
+ packets_per_page = PAGE_SIZE / packet_size;
+ if (WARN_ON(!packets_per_page)) {
+ err = -EINVAL;
+- goto error;
++ goto err_packets;
+ }
+ pages = DIV_ROUND_UP(count, packets_per_page);
+
--- /dev/null
+From c1c6c877b0c79fd7e05c931435aa42211eaeebaf Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 6 Aug 2019 14:03:56 +0200
+Subject: ALSA: hda - Don't override global PCM hw info flag
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c1c6c877b0c79fd7e05c931435aa42211eaeebaf upstream.
+
+The commit bfcba288b97f ("ALSA - hda: Add support for link audio time
+reporting") introduced the conditional PCM hw info setup, but it
+overwrites the global azx_pcm_hw object. This will cause a problem if
+any other HD-audio controller, as it'll inherit the same bit flag
+although another controller doesn't support that feature.
+
+Fix the bug by setting the PCM hw info flag locally.
+
+Fixes: bfcba288b97f ("ALSA - hda: Add support for link audio time reporting")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_controller.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/hda/hda_controller.c
++++ b/sound/pci/hda/hda_controller.c
+@@ -609,11 +609,9 @@ static int azx_pcm_open(struct snd_pcm_s
+ }
+ runtime->private_data = azx_dev;
+
+- if (chip->gts_present)
+- azx_pcm_hw.info = azx_pcm_hw.info |
+- SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+-
+ runtime->hw = azx_pcm_hw;
++ if (chip->gts_present)
++ runtime->hw.info |= SNDRV_PCM_INFO_HAS_LINK_SYNCHRONIZED_ATIME;
+ runtime->hw.channels_min = hinfo->channels_min;
+ runtime->hw.channels_max = hinfo->channels_max;
+ runtime->hw.formats = hinfo->formats;
--- /dev/null
+From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -851,7 +851,7 @@ static int pcan_usb_fd_init(struct peak_
+ goto err_out;
+
+ /* allocate command buffer once for all for the interface */
+- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE,
++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE,
+ GFP_KERNEL);
+ if (!pdev->cmd_buffer_addr)
+ goto err_out_1;
--- /dev/null
+From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+Date: Wed, 31 Jul 2019 10:54:47 -0400
+Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
+
+From: Tomas Bortoli <tomasbortoli@gmail.com>
+
+commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream.
+
+Uninitialized Kernel memory can leak to USB devices.
+
+Fix by using kzalloc() instead of kmalloc() on the affected buffers.
+
+Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
+Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com
+Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack")
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c
+@@ -500,7 +500,7 @@ static int pcan_usb_pro_drv_loaded(struc
+ u8 *buffer;
+ int err;
+
+- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
--- /dev/null
+From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 26 Jul 2019 08:00:49 -0700
+Subject: hwmon: (nct7802) Fix wrong detection of in4 presence
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream.
+
+The code to detect if in4 is present is wrong; if in4 is not present,
+the in4_input sysfs attribute is still present.
+
+In detail:
+
+- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug).
+- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input
+ file under /sys and the "sensors" command displays in4_input.
+ But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep.
+
+Fix is_visible function to detect and report in4_input visibility
+as expected.
+
+Reported-by: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: Gilles Buloz <Gilles.Buloz@kontron.com>
+Cc: stable@vger.kernel.org
+Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/nct7802.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/hwmon/nct7802.c
++++ b/drivers/hwmon/nct7802.c
+@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr
+ &sensor_dev_attr_in3_alarm.dev_attr.attr,
+ &sensor_dev_attr_in3_beep.dev_attr.attr,
+
+- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */
++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */
+ &sensor_dev_attr_in4_min.dev_attr.attr,
+ &sensor_dev_attr_in4_max.dev_attr.attr,
+ &sensor_dev_attr_in4_alarm.dev_attr.attr,
+@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str
+
+ if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */
+ return 0;
+- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */
++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */
+ return 0;
+- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */
++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */
+ return 0;
+
+ return attr->mode;
--- /dev/null
+From 87e7e25aee6b59fef740856f4e86d4b60496c9e1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 21 Jul 2019 14:02:27 +0300
+Subject: iwlwifi: don't unmap as page memory that was mapped as single
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 87e7e25aee6b59fef740856f4e86d4b60496c9e1 upstream.
+
+In order to remember how to unmap a memory (as single or
+as page), we maintain a bit per Transmit Buffer (TBs) in
+the meta data (structure iwl_cmd_meta).
+We maintain a bitmap: 1 bit per TB.
+If the TB is set, we will free the memory as a page.
+This bitmap was never cleared. Fix this.
+
+Cc: stable@vger.kernel.org
+Fixes: 3cd1980b0cdf ("iwlwifi: pcie: introduce new tfd and tb formats")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -439,6 +439,8 @@ static void iwl_pcie_tfd_unmap(struct iw
+ DMA_TO_DEVICE);
+ }
+
++ meta->tbs = 0;
++
+ if (trans->cfg->use_tfh) {
+ struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
+
--- /dev/null
+From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Fri, 26 Jul 2019 15:47:58 -0700
+Subject: mac80211: don't WARN on short WMM parameters from AP
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream.
+
+In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN
+on bad WMM parameters from buggy APs"), an AP may not transmit a
+fully-formed WMM IE. For example, it may miss or repeat an Access
+Category. The above loop won't catch that and will instead leave one of
+the four ACs zeroed out. This triggers the following warning in
+drv_conf_tx()
+
+ wlan0: invalid CW_min/CW_max: 0/0
+
+and it may leave one of the hardware queues unconfigured. If we detect
+such a case, let's just print a warning and fall back to the defaults.
+
+Tested with a hacked version of hostapd, intentionally corrupting the
+IEs in hostapd_eid_wmm().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1873,6 +1873,16 @@ static bool ieee80211_sta_wmm_params(str
+ }
+ }
+
++ /* WMM specification requires all 4 ACIs. */
++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
++ if (params[ac].cw_min == 0) {
++ sdata_info(sdata,
++ "AP has invalid WMM params (missing AC %d), using defaults\n",
++ ac);
++ return false;
++ }
++ }
++
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ mlme_dbg(sdata,
+ "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
--- /dev/null
+From df612421fe2566654047769c6852ffae1a31df16 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@chromium.org>
+Date: Wed, 24 Jul 2019 12:46:34 -0700
+Subject: mwifiex: fix 802.11n/WPA detection
+
+From: Brian Norris <briannorris@chromium.org>
+
+commit df612421fe2566654047769c6852ffae1a31df16 upstream.
+
+Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant
+vendor IEs") adjusted the ieee_types_vendor_header struct, which
+inadvertently messed up the offsets used in
+mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring
+mwifiex_is_rsn_oui_present().
+
+As it stands, commit 63d7ef36103d breaks compatibility with WPA (not
+WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is
+not supported by AP" case in mwifiex_is_network_compatible().
+
+Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 1 +
+ drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -120,6 +120,7 @@ enum {
+
+ #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S)
+
++#define WPA_GTK_OUI_OFFSET 2
+ #define RSN_GTK_OUI_OFFSET 2
+
+ #define MWIFIEX_OUI_NOT_PRESENT 0
+--- a/drivers/net/wireless/marvell/mwifiex/scan.c
++++ b/drivers/net/wireless/marvell/mwifiex/scan.c
+@@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifie
+ u8 ret = MWIFIEX_OUI_NOT_PRESENT;
+
+ if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) {
+- iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data;
++ iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data +
++ WPA_GTK_OUI_OFFSET);
+ oui = &mwifiex_wpa_oui[cipher][0];
+ ret = mwifiex_search_oui_in_ie(iebody, oui);
+ if (ret)
scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch
tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch
perf-core-fix-creating-kernel-counters-for-pmus-that.patch
+can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch
+can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch
+hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch
+alsa-firewire-fix-a-memory-leak-bug.patch
+alsa-hda-don-t-override-global-pcm-hw-info-flag.patch
+mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch
+smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch
+smb3-send-cap_dfs-capability-during-session-setup.patch
+mwifiex-fix-802.11n-wpa-detection.patch
+iwlwifi-don-t-unmap-as-page-memory-that-was-mapped-as-single.patch
--- /dev/null
+From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001
+From: Pavel Shilovsky <pshilov@microsoft.com>
+Date: Mon, 22 Jul 2019 11:34:59 -0700
+Subject: SMB3: Fix deadlock in validate negotiate hits reconnect
+
+From: Pavel Shilovsky <pshilov@microsoft.com>
+
+commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream.
+
+Currently we skip SMB2_TREE_CONNECT command when checking during
+reconnect because Tree Connect happens when establishing
+an SMB session. For SMB 3.0 protocol version the code also calls
+validate negotiate which results in SMB2_IOCL command being sent
+over the wire. This may deadlock on trying to acquire a mutex when
+checking for reconnect. Fix this by skipping SMB2_IOCL command
+when doing the reconnect check.
+
+Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -168,7 +168,7 @@ smb2_reconnect(__le16 smb2_command, stru
+ if (tcon == NULL)
+ return 0;
+
+- if (smb2_command == SMB2_TREE_CONNECT)
++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL)
+ return 0;
+
+ if (tcon->tidStatus == CifsExiting) {
--- /dev/null
+From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Jul 2019 18:13:10 -0500
+Subject: smb3: send CAP_DFS capability during session setup
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream.
+
+We had a report of a server which did not do a DFS referral
+because the session setup Capabilities field was set to 0
+(unlike negotiate protocol where we set CAP_DFS). Better to
+send it session setup in the capabilities as well (this also
+more closely matches Windows client behavior).
+
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -660,7 +660,12 @@ SMB2_sess_alloc_buffer(struct SMB2_sess_
+ else
+ req->SecurityMode = 0;
+
++#ifdef CONFIG_CIFS_DFS_UPCALL
++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS);
++#else
+ req->Capabilities = 0;
++#endif /* DFS_UPCALL */
++
+ req->Channel = 0; /* MBZ */
+
+ sess_data->iov[0].iov_base = (char *)req;
projects / thirdparty / kernel / stable-queue.git / commitdiff
