5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 14 Jan 2020 08:24:32 +0000 (09:24 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 14 Jan 2020 08:24:32 +0000 (09:24 +0100)
added patches:
ath10k-fix-memory-leak.patch
mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
rpmsg-char-release-allocated-memory.patch
rtl8xxxu-prevent-leaking-urb.patch
scsi-bfa-release-allocated-memory-in-case-of-error.patch
staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch

queue-5.4/ath10k-fix-memory-leak.patch [new file with mode: 0644]
queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch [new file with mode: 0644]
queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch [new file with mode: 0644]
queue-5.4/rpmsg-char-release-allocated-memory.patch [new file with mode: 0644]
queue-5.4/rtl8xxxu-prevent-leaking-urb.patch [new file with mode: 0644]
queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch [new file with mode: 0644]

diff --git a/queue-5.4/ath10k-fix-memory-leak.patch b/queue-5.4/ath10k-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..ceb3a26
--- /dev/null
@@ -0,0 +1,31 @@
+From b8d17e7d93d2beb89e4f34c59996376b8b544792 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 20:36:26 -0500
+Subject: ath10k: fix memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit b8d17e7d93d2beb89e4f34c59996376b8b544792 upstream.
+
+In ath10k_usb_hif_tx_sg the allocated urb should be released if
+usb_submit_urb fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -443,6 +443,7 @@ static int ath10k_usb_hif_tx_sg(struct a
+                       ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
+                                  "usb bulk transmit failed: %d\n", ret);
+                       usb_unanchor_urb(urb);
++                      usb_free_urb(urb);
+                       ret = -EINVAL;
+                       goto err_free_urb_to_pipe;
+               }
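Review bot: The failure branch after `usb_submit_urb()` now releases the urb in two steps, `usb_unanchor_urb(urb)` then `usb_free_urb(urb)`, with no comment saying why both are needed. An uncommented pair like this is easy to "simplify" back into a leak later. A one-line comment above the pair would be enough, for example `/* unanchoring drops only the anchor's reference; drop the allocation reference too */`. The same applies to the identical pair added in rtl8xxxu_submit_int_urb() by rtl8xxxu-prevent-leaking-urb.patch. Both functions begin and end outside their hunks, so the allocation sites cannot be checked from here.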
diff --git a/queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
new file mode 100644 (file)
index 0000000..a4a29ed
--- /dev/null
@@ -0,0 +1,62 @@
+From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat <gbhat@marvell.com>
+Date: Thu, 21 Nov 2019 21:34:38 +0530
+Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
+
+From: Ganapathi Bhat <gbhat@marvell.com>
+
+commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
+
+mwifiex_process_country_ie() function parse elements of bss
+descriptor in beacon packet. When processing WLAN_EID_COUNTRY
+element, there is no upper limit check for country_ie_len before
+calling memcpy. The destination buffer domain_info->triplet is an
+array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
+attacker can build a fake AP with the same ssid as real AP, and
+send malicous beacon packet with long WLAN_EID_COUNTRY elemen
+(country_ie_len > 83). Attacker can  force STA connect to fake AP
+on a different channel. When the victim STA connects to fake AP,
+will trigger the heap buffer overflow. Fix this by checking for
+length and if found invalid, don not connect to the AP.
+
+This fix addresses CVE-2019-14895.
+
+Reported-by: huangwen <huangwenabc@gmail.com>
+Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(st
+                           "11D: skip setting domain info in FW\n");
+               return 0;
+       }
++
++      if (country_ie_len >
++          (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++              mwifiex_dbg(priv->adapter, ERROR,
++                          "11D: country_ie_len overflow!, deauth AP\n");
++              return -EINVAL;
++      }
++
+       memcpy(priv->adapter->country_code, &country_ie[2], 2);
+       domain_info->country_code[0] = country_ie[2];
+@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_pri
+       priv->scan_block = false;
+       if (bss) {
+-              if (adapter->region_code == 0x00)
+-                      mwifiex_process_country_ie(priv, bss);
++              if (adapter->region_code == 0x00 &&
++                  mwifiex_process_country_ie(priv, bss))
++                      return -EINVAL;
+               /* Allocate and fill new bss descriptor */
+               bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
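Review bot: The new `return -EINVAL;` in mwifiex_process_country_ie() leaves the function with only a debug print in front of it. If `country_ie` is still being read under `rcu_read_lock()` at this point, that exit leaves the read-side critical section unbalanced. The function begins outside the hunk, so the lock state here cannot be confirmed from the visible lines and should be checked against the full function. If the lock is held, the fix is `rcu_read_unlock();` as the first statement inside the new `if` block, before the `mwifiex_dbg()` call. This matters more than usual because the branch is taken on a length field supplied by the remote AP, so a peer can trigger it repeatedly.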
diff --git a/queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
new file mode 100644 (file)
index 0000000..8390268
--- /dev/null
@@ -0,0 +1,37 @@
+From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 4 Oct 2019 15:08:52 -0500
+Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.
+
+In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
+released if mwifiex_map_pci_memory() fails. The release is added.
+
+Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Ganapathi Bhat <gbhat@marvell.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1032,8 +1032,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
+       }
+       skb_put(skb, MWIFIEX_UPLD_SIZE);
+       if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
+-                                 PCI_DMA_FROMDEVICE))
++                                 PCI_DMA_FROMDEVICE)) {
++              kfree_skb(skb);
+               return -1;
++      }
+       card->cmdrsp_buf = skb;
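Review bot: The mapping-failure branch in mwifiex_pcie_alloc_cmdrsp_buf() is rewritten but still ends in a bare `return -1;`, which reads as -EPERM to any caller that passes the value on as an errno. Since the branch is being touched anyway, a named code such as `return -ENOMEM;` would describe the failure better. The callers are outside the hunk, so first confirm that they only test for non-zero. The function body starts before the hunk and continues after it.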
diff --git a/queue-5.4/rpmsg-char-release-allocated-memory.patch b/queue-5.4/rpmsg-char-release-allocated-memory.patch
new file mode 100644 (file)
index 0000000..eb9a3ff
--- /dev/null
@@ -0,0 +1,36 @@
+From bbe692e349e2a1edf3fe0a29a0e05899c9c94d51 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Mon, 16 Sep 2019 22:31:23 -0500
+Subject: rpmsg: char: release allocated memory
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit bbe692e349e2a1edf3fe0a29a0e05899c9c94d51 upstream.
+
+In rpmsg_eptdev_write_iter, if copy_from_iter_full fails the allocated
+buffer needs to be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rpmsg/rpmsg_char.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -227,8 +227,10 @@ static ssize_t rpmsg_eptdev_write_iter(s
+       if (!kbuf)
+               return -ENOMEM;
+-      if (!copy_from_iter_full(kbuf, len, from))
+-              return -EFAULT;
++      if (!copy_from_iter_full(kbuf, len, from)) {
++              ret = -EFAULT;
++              goto free_kbuf;
++      }
+       if (mutex_lock_interruptible(&eptdev->ept_lock)) {
+               ret = -ERESTARTSYS;
diff --git a/queue-5.4/rtl8xxxu-prevent-leaking-urb.patch b/queue-5.4/rtl8xxxu-prevent-leaking-urb.patch
new file mode 100644 (file)
index 0000000..8fa9f34
--- /dev/null
@@ -0,0 +1,32 @@
+From a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Thu, 19 Sep 2019 22:00:41 -0500
+Subject: rtl8xxxu: prevent leaking urb
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c upstream.
+
+In rtl8xxxu_submit_int_urb if usb_submit_urb fails the allocated urb
+should be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5447,6 +5447,7 @@ static int rtl8xxxu_submit_int_urb(struc
+       ret = usb_submit_urb(urb, GFP_KERNEL);
+       if (ret) {
+               usb_unanchor_urb(urb);
++              usb_free_urb(urb);
+               goto error;
+       }
diff --git a/queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch
new file mode 100644 (file)
index 0000000..169e2f5
--- /dev/null
@@ -0,0 +1,36 @@
+From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 18:44:15 -0500
+Subject: scsi: bfa: release allocated memory in case of error
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.
+
+In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
+be released.
+
+Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/bfa/bfad_attr.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/bfa/bfad_attr.c
++++ b/drivers/scsi/bfa/bfad_attr.c
+@@ -275,8 +275,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
+       rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
+                               fcstats, bfad_hcb_comp, &fcomp);
+       spin_unlock_irqrestore(&bfad->bfad_lock, flags);
+-      if (rc != BFA_STATUS_OK)
++      if (rc != BFA_STATUS_OK) {
++              kfree(fcstats);
+               return NULL;
++      }
+       wait_for_completion(&fcomp.comp);
index 8e3b6cfac5026292c62299b15267099ef6cb10b8..9e259368a1baf51976cd49322bb580ea4adaa383 100644 (file)
@@ -62,3 +62,10 @@ riscv-implement-copy_thread_tls.patch
 xtensa-implement-copy_thread_tls.patch
 clone3-ensure-copy_thread_tls-is-implemented.patch
 um-implement-copy_thread_tls.patch
+staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
+mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+rpmsg-char-release-allocated-memory.patch
+scsi-bfa-release-allocated-memory-in-case-of-error.patch
+rtl8xxxu-prevent-leaking-urb.patch
+ath10k-fix-memory-leak.patch
diff --git a/queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch b/queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
new file mode 100644 (file)
index 0000000..76e8e5f
--- /dev/null
@@ -0,0 +1,30 @@
+From 07f59f180ee083c48c32a1e69ae1d0091444d212 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Fri, 20 Dec 2019 21:15:33 +0000
+Subject: staging: vt6656: remove bool from vnt_radio_power_on ret
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 07f59f180ee083c48c32a1e69ae1d0091444d212 upstream.
+
+The driver uses logical only error checking a bool true would flag error.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/cc52b67c-9ef8-3e57-815a-44d10701919e@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/card.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6656/card.c
++++ b/drivers/staging/vt6656/card.c
+@@ -719,7 +719,7 @@ end:
+  */
+ int vnt_radio_power_on(struct vnt_private *priv)
+ {
+-      int ret = true;
++      int ret = 0;
+       vnt_exit_deep_sleep(priv);