3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Jun 2016 19:43:05 +0000 (12:43 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 4 Jun 2016 19:43:05 +0000 (12:43 -0700)
added patches:
pipe-fix-buffer-offset-after-partially-failed-read.patch
rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch

queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch [new file with mode: 0644]
queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch [new file with mode: 0644]
queue-3.14/series

diff --git a/queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch b/queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch
new file mode 100644 (file)
index 0000000..82ca8b4
--- /dev/null
@@ -0,0 +1,61 @@
+From feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 13 Feb 2016 02:34:52 +0000
+Subject: pipe: Fix buffer offset after partially failed read
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
+
+Quoting the RHEL advisory:
+
+> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
+> offset and buffer length in sync on a failed atomic read, potentially
+> resulting in a pipe buffer state corruption. A local, unprivileged user
+> could use this flaw to crash the system or leak kernel memory to user
+> space. (CVE-2016-0774, Moderate)
+
+The same flawed fix was applied to stable branches from 2.6.32.y to
+3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
+We need to give pipe_iov_copy_to_user() a separate offset variable
+and only update the buffer offset if it succeeds.
+
+References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/pipe.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const stru
+                       void *addr;
+                       size_t chars = buf->len, remaining;
+                       int error, atomic;
++                      int offset;
+                       if (chars > total_len)
+                               chars = total_len;
+@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const stru
+                       atomic = !iov_fault_in_pages_write(iov, chars);
+                       remaining = chars;
++                      offset = buf->offset;
+ redo:
+                       addr = ops->map(pipe, buf, atomic);
+-                      error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++                      error = pipe_iov_copy_to_user(iov, addr, &offset,
+                                                     &remaining, atomic);
+                       ops->unmap(pipe, buf, addr);
+                       if (unlikely(error)) {
+@@ -432,6 +434,7 @@ redo:
+                               break;
+                       }
+                       ret += chars;
++                      buf->offset += chars;
+                       buf->len -= chars;
+                       /* Was it a packet buffer? Clean up and exit */
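Review bot: The `offset = buf->offset;` assignment added before `redo:` has no comment saying why the copy now runs on a local, yet that is the invariant this fix (CVE-2016-0774 per the commit message) depends on: `buf->offset` and `buf->len` may only advance together, after the copy has succeeded. I would add `/* copy via a local offset: buf->offset and buf->len must only move together, on success */` above that assignment, so a later cleanup does not pass `&buf->offset` to pipe_iov_copy_to_user() again. Because the assignment sits before `redo:`, the non-atomic retry resumes from the progress already recorded in `offset` and `remaining`, which looks intended. The body of the `if (unlikely(error))` branch falls between the two inner hunks and is not visible here, so it is worth confirming that nothing in it adjusts `buf->offset` or `buf->len`; pipe_read() itself starts and ends outside the hunk.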
diff --git a/queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch b/queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch
new file mode 100644 (file)
index 0000000..bd348d5
--- /dev/null
@@ -0,0 +1,38 @@
+From 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 Mon Sep 17 00:00:00 2001
+From: wang yanqing <udknight@gmail.com>
+Date: Tue, 3 May 2016 00:38:36 +0800
+Subject: rtlwifi: Fix logic error in enter/exit power-save mode
+
+From: wang yanqing <udknight@gmail.com>
+
+commit 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 upstream.
+
+In commit a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and
+rtl_lps_enter() to use work queue"), the tests for enter/exit
+power-save mode were inverted. With this change applied, the
+wifi connection becomes much more stable.
+
+Fixes: a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue")
+Signed-off-by: Wang YanQing <udknight@gmail.com>
+Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/base.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/base.c
++++ b/drivers/net/wireless/rtlwifi/base.c
+@@ -1401,9 +1401,9 @@ void rtl_watchdog_wq_callback(void *data
+               if (((rtlpriv->link_info.num_rx_inperiod +
+                     rtlpriv->link_info.num_tx_inperiod) > 8) ||
+                   (rtlpriv->link_info.num_rx_inperiod > 2))
+-                      rtlpriv->enter_ps = true;
+-              else
+                       rtlpriv->enter_ps = false;
++              else
++                      rtlpriv->enter_ps = true;
+               /* LeisurePS only work in infra mode. */
+               schedule_work(&rtlpriv->works.lps_change_work);
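Review bot: The branch that sets `rtlpriv->enter_ps` in rtl_watchdog_wq_callback() still has no comment stating which traffic level maps to which value, and the commit message says this exact test was inverted by an earlier rework. A one-line comment above the `if`, such as `/* busy link (rx + tx > 8 or rx > 2 in the period): stay out of power save */`, would make a future inversion visible in review. The thresholds 8 and 2 are bare literals; naming them would help as well, though a change like that presumably belongs upstream rather than in a stable backport. The function starts and ends outside the hunk.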
index 268c3b37e9c83d2b1639bfc7038544ea8db53df6..1c99e75dd51076cfffbf4976b324310a88e7bb7d 100644 (file)
@@ -7,3 +7,5 @@ aacraid-relinquish-cpu-during-timeout-wait.patch
 aacraid-fix-for-aac_command_thread-hang.patch
 cpuidle-indicate-when-a-device-has-been-unregistered.patch
 pci-disable-all-bar-sizing-for-devices-with-non-compliant-bars.patch
+rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch
+pipe-fix-buffer-offset-after-partially-failed-read.patch