--- /dev/null
+From c2d2013e2b0aac89215220b002994c14fa143991 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Aug 2019 20:29:04 -0400
+Subject: ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
+
+From: Hui Peng <benquike@gmail.com>
+
+[ Upstream commit 39d170b3cb62ba98567f5c4f40c27b5864b304e5 ]
+
+The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
+are initialized to point to the containing `ath6kl_usb` object
+according to endpoint descriptors read from the device side, as shown
+below in `ath6kl_usb_setup_pipe_resources`:
+
+for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ endpoint = &iface_desc->endpoint[i].desc;
+
+ // get the address from endpoint descriptor
+ pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
+ endpoint->bEndpointAddress,
+ &urbcount);
+ ......
+ // select the pipe object
+ pipe = &ar_usb->pipes[pipe_num];
+
+ // initialize the ar_usb field
+ pipe->ar_usb = ar_usb;
+}
+
+The driver assumes that the addresses reported in endpoint
+descriptors from device side to be complete. If a device is
+malicious and does not report complete addresses, it may trigger
+NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
+`ath6kl_usb_free_urb_to_pipe`.
+
+This patch fixes the bug by preventing potential NULL-ptr-deref
+(CVE-2019-15098).
+
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/usb.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/usb.c b/drivers/net/wireless/ath/ath6kl/usb.c
+index 9da3594fd010d..fc22c5f479276 100644
+--- a/drivers/net/wireless/ath/ath6kl/usb.c
++++ b/drivers/net/wireless/ath/ath6kl/usb.c
+@@ -132,6 +132,10 @@ ath6kl_usb_alloc_urb_from_pipe(struct ath6kl_usb_pipe *pipe)
+ struct ath6kl_urb_context *urb_context = NULL;
+ unsigned long flags;
+
++ /* bail if this pipe is not initialized */
++ if (!pipe->ar_usb)
++ return NULL;
++
+ spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+ if (!list_empty(&pipe->urb_list_head)) {
+ urb_context =
+@@ -150,6 +154,10 @@ static void ath6kl_usb_free_urb_to_pipe(struct ath6kl_usb_pipe *pipe,
+ {
+ unsigned long flags;
+
++ /* bail if this pipe is not initialized */
++ if (!pipe->ar_usb)
++ return;
++
+ spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+ pipe->urb_cnt++;
+
+--
+2.20.1
+
--- /dev/null
+From ad06c3471d62d327507512f50232ee44e2f9d943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jul 2018 08:46:07 +0300
+Subject: thunderbolt: Use 32-bit writes when writing ring producer/consumer
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 943795219d3cb9f8ce6ce51cad3ffe1f61e95c6b ]
+
+The register access should be using 32-bit reads/writes according to the
+datasheet. With the previous generation hardware 16-bit writes have been
+working but starting with ICL this is not the case anymore so fix
+producer/consumer register update to use correct width register address.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Yehezkel Bernat <YehezkelShB@gmail.com>
+Tested-by: Mario Limonciello <mario.limonciello@dell.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/nhi.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
+index 6713fd1958e73..3a39d7d0175ab 100644
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -94,9 +94,20 @@ static void __iomem *ring_options_base(struct tb_ring *ring)
+ return io;
+ }
+
+-static void ring_iowrite16desc(struct tb_ring *ring, u32 value, u32 offset)
++static void ring_iowrite_cons(struct tb_ring *ring, u16 cons)
+ {
+- iowrite16(value, ring_desc_base(ring) + offset);
++ /*
++ * The other 16-bits in the register is read-only and writes to it
++ * are ignored by the hardware so we can save one ioread32() by
++ * filling the read-only bits with zeroes.
++ */
++ iowrite32(cons, ring_desc_base(ring) + 8);
++}
++
++static void ring_iowrite_prod(struct tb_ring *ring, u16 prod)
++{
++ /* See ring_iowrite_cons() above for explanation */
++ iowrite32(prod << 16, ring_desc_base(ring) + 8);
+ }
+
+ static void ring_iowrite32desc(struct tb_ring *ring, u32 value, u32 offset)
+@@ -148,7 +159,10 @@ static void ring_write_descriptors(struct tb_ring *ring)
+ descriptor->sof = frame->sof;
+ }
+ ring->head = (ring->head + 1) % ring->size;
+- ring_iowrite16desc(ring, ring->head, ring->is_tx ? 10 : 8);
++ if (ring->is_tx)
++ ring_iowrite_prod(ring, ring->head);
++ else
++ ring_iowrite_cons(ring, ring->head);
+ }
+ }
+
+@@ -368,7 +382,7 @@ void ring_stop(struct tb_ring *ring)
+
+ ring_iowrite32options(ring, 0, 0);
+ ring_iowrite64desc(ring, 0, 0);
+- ring_iowrite16desc(ring, 0, ring->is_tx ? 10 : 8);
++ ring_iowrite32desc(ring, 0, 8);
+ ring_iowrite32desc(ring, 0, 12);
+ ring->head = 0;
+ ring->tail = 0;
+--
+2.20.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
