4.12-stable patches

added patches:
	brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
	brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

diff --git a/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch b/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
new file mode 100644 (file)
index 0000000..5768180
--- /dev/null
+++ b/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
@@ -0,0 +1,40 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+commit 57c00f2fac512837f8de73474ec1f54020015bae upstream.
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6855,7 +6855,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+       wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+       if (!wiphy) {
+               brcmf_err("Could not allocate wiphy device\n");
+-              return NULL;
++              goto ops_out;
+       }
+       memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+       set_wiphy_dev(wiphy, busdev);
+@@ -6998,6 +6998,7 @@ priv_out:
+       ifp->vif = NULL;
+ wiphy_out:
+       brcmf_free_wiphy(wiphy);
++ops_out:
+       kfree(ops);
+       return NULL;
+ }

diff --git a/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644 (file)
index 0000000..12e19fb
--- /dev/null
+++ b/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
@@ -0,0 +1,58 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+From: Peter S. Housel <housel@acm.org>
+
+commit 5ea59db8a375216e6c915c5586f556766673b5a7 upstream.
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -706,7 +706,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+                          struct sk_buff_head *pktq, uint totlen)
+ {
+-      struct sk_buff *glom_skb;
++      struct sk_buff *glom_skb = NULL;
+       struct sk_buff *skb;
+       u32 addr = sdiodev->sbwad;
+       int err = 0;
+@@ -727,10 +727,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+                       return -ENOMEM;
+               err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+                                        glom_skb);
+-              if (err) {
+-                      brcmu_pkt_buf_free_skb(glom_skb);
++              if (err)
+                       goto done;
+-              }
+ 
+               skb_queue_walk(pktq, skb) {
+                       memcpy(skb->data, glom_skb->data, skb->len);
+@@ -741,6 +739,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+                                           pktq);
+ 
+ done:
++      brcmu_pkt_buf_free_skb(glom_skb);
+       return err;
+ }
+ 

diff --git a/queue-4.12/series b/queue-4.12/series
index 7f337b1bcb475904367f546bed62731ad2fb1bd8..0bf293eca3147dd928ae0eefe04bc426451c34d3 100644 (file)
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -21,3 +21,5 @@ adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch
 sed-regex-in-makefile.build-requires-line-break-between-exported-symbols.patch
 adding-the-type-of-exported-symbols.patch
 sparc64-fix-gup_huge_pmd.patch
+brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
+brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch