--- /dev/null
+From 20c40794eb85ea29852d7bc37c55713802a543d6 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Fri, 12 Feb 2021 22:26:58 +0300
+Subject: misc: fastrpc: restrict user apps from sending kernel RPC messages
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit 20c40794eb85ea29852d7bc37c55713802a543d6 upstream.
+
+Verify that user applications are not using the kernel RPC message
+handle to restrict them from directly attaching to guest OS on the
+remote subsystem. This is a port of CVE-2019-2308 fix.
+
+Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Jonathan Marek <jonathan@marek.ca>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210212192658.3476137-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -924,6 +924,11 @@ static int fastrpc_internal_invoke(struc
+ if (!fl->cctx->rpdev)
+ return -EPIPE;
+
++ if (handle == FASTRPC_INIT_HANDLE && !kernel) {
++ dev_warn_ratelimited(fl->sctx->dev, "user app trying to send a kernel RPC message (%d)\n", handle);
++ return -EPERM;
++ }
++
+ ctx = fastrpc_context_alloc(fl, kernel, sc, args);
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
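Review bot: The new guard in fastrpc_internal_invoke() carries no comment saying why FASTRPC_INIT_HANDLE is off-limits when `kernel` is false, so a later refactor of the `kernel` flag could weaken a privilege boundary without anyone noticing. A one-line comment above the `if` would record it, e.g. `/* FASTRPC_INIT_HANDLE addresses the guest OS on the remote subsystem; only kernel-originated calls may use it */`. The warning prints `handle` with `%d`; if the parameter is declared unsigned (its declaration is outside this hunk), `%u` would match. The function body starts and ends outside the hunk.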
--- /dev/null
+From 65527a51c66f4edfa28602643d7dd4fa366eb826 Mon Sep 17 00:00:00 2001
+From: Shile Zhang <shile.zhang@linux.alibaba.com>
+Date: Thu, 18 Feb 2021 20:31:16 +0800
+Subject: misc/pvpanic: Export module FDT device table
+
+From: Shile Zhang <shile.zhang@linux.alibaba.com>
+
+commit 65527a51c66f4edfa28602643d7dd4fa366eb826 upstream.
+
+Export the module FDT device table to ensure the FDT compatible strings
+are listed in the module alias. This help the pvpanic driver can be
+loaded on boot automatically not only the ACPI device, but also the FDT
+device.
+
+Fixes: 46f934c9a12fc ("misc/pvpanic: add support to get pvpanic device info FDT")
+Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210218123116.207751-1-shile.zhang@linux.alibaba.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/pvpanic.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/misc/pvpanic.c
++++ b/drivers/misc/pvpanic.c
+@@ -166,6 +166,7 @@ static const struct of_device_id pvpanic
+ { .compatible = "qemu,pvpanic-mmio", },
+ {}
+ };
++MODULE_DEVICE_TABLE(of, pvpanic_mmio_match);
+
+ static struct platform_driver pvpanic_mmio_driver = {
+ .driver = {
usbip-fix-stub_dev-usbip_sockfd_store-races-leading-to-gpf.patch
usbip-fix-vhci_hcd-attach_store-races-leading-to-gpf.patch
usbip-fix-vudc-usbip_sockfd_store-races-leading-to-gpf.patch
+misc-pvpanic-export-module-fdt-device-table.patch
+misc-fastrpc-restrict-user-apps-from-sending-kernel-rpc-messages.patch
+staging-rtl8192u-fix-ssid-overflow-in-r8192_wx_set_scan.patch
+staging-rtl8188eu-prevent-ssid-overflow-in-rtw_wx_set_scan.patch
+staging-rtl8712-unterminated-string-leads-to-read-overflow.patch
+staging-rtl8188eu-fix-potential-memory-corruption-in-rtw_check_beacon_data.patch
+staging-ks7010-prevent-buffer-overflow-in-ks_wlan_set_scan.patch
+staging-rtl8712-fix-possible-buffer-overflow-in-r8712_sitesurvey_cmd.patch
+staging-rtl8192e-fix-possible-buffer-overflow-in-_rtl92e_wx_set_scan.patch
+staging-comedi-addi_apci_1032-fix-endian-problem-for-cos-sample.patch
+staging-comedi-addi_apci_1500-fix-endian-problem-for-command-sample.patch
+staging-comedi-adv_pci1710-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das6402-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-das800-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-dmm32at-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-me4000-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl711-fix-endian-problem-for-ai-command-data.patch
+staging-comedi-pcl818-fix-endian-problem-for-ai-command-data.patch
--- /dev/null
+From 25317f428a78fde71b2bf3f24d05850f08a73a52 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:42 +0000
+Subject: staging: comedi: addi_apci_1032: Fix endian problem for COS sample
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 25317f428a78fde71b2bf3f24d05850f08a73a52 upstream.
+
+The Change-Of-State (COS) subdevice supports Comedi asynchronous
+commands to read 16-bit change-of-state values. However, the interrupt
+handler is calling `comedi_buf_write_samples()` with the address of a
+32-bit integer `&s->state`. On bigendian architectures, it will copy 2
+bytes from the wrong end of the 32-bit integer. Fix it by transferring
+the value via a 16-bit integer.
+
+Fixes: 6bb45f2b0c86 ("staging: comedi: addi_apci_1032: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-2-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/addi_apci_1032.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1032.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1032.c
+@@ -260,6 +260,7 @@ static irqreturn_t apci1032_interrupt(in
+ struct apci1032_private *devpriv = dev->private;
+ struct comedi_subdevice *s = dev->read_subdev;
+ unsigned int ctrl;
++ unsigned short val;
+
+ /* check interrupt is from this device */
+ if ((inl(devpriv->amcc_iobase + AMCC_OP_REG_INTCSR) &
+@@ -275,7 +276,8 @@ static irqreturn_t apci1032_interrupt(in
+ outl(ctrl & ~APCI1032_CTRL_INT_ENA, dev->iobase + APCI1032_CTRL_REG);
+
+ s->state = inl(dev->iobase + APCI1032_STATUS_REG) & 0xffff;
+- comedi_buf_write_samples(s, &s->state, 1);
++ val = s->state;
++ comedi_buf_write_samples(s, &val, 1);
+ comedi_handle_events(dev, s);
+
+ /* enable the interrupt */
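Review bot: Nothing at the `comedi_buf_write_samples(s, &val, 1)` call ties the width of `val` to the subdevice's sample size, yet the fix depends on the pointed-to object being exactly 16 bits wide. If the data argument is an untyped pointer (the prototype is not visible here), a later retyping of the local would bring the big-endian bug back without a compiler warning. A short comment at the declaration would record the constraint, e.g. `unsigned short val; /* must match the 16-bit sample size of the COS subdevice */`. The same applies to the retyped locals and parameters in the addi_apci_1500, adv_pci1710, das6402, das800, dmm32at, me4000, pcl711 and pcl818 hunks below. apci1032_interrupt() starts and ends outside these hunks.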
--- /dev/null
+From ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:43 +0000
+Subject: staging: comedi: addi_apci_1500: Fix endian problem for command sample
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit ac0bbf55ed3be75fde1f8907e91ecd2fd589bde3 upstream.
+
+The digital input subdevice supports Comedi asynchronous commands that
+read interrupt status information. This uses 16-bit Comedi samples (of
+which only the bottom 8 bits contain status information). However, the
+interrupt handler is calling `comedi_buf_write_samples()` with the
+address of a 32-bit variable `unsigned int status`. On a bigendian
+machine, this will copy 2 bytes from the wrong end of the variable. Fix
+it by changing the type of the variable to `unsigned short`.
+
+Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
+Cc: <stable@vger.kernel.org> #4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-3-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/addi_apci_1500.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
+@@ -208,7 +208,7 @@ static irqreturn_t apci1500_interrupt(in
+ struct comedi_device *dev = d;
+ struct apci1500_private *devpriv = dev->private;
+ struct comedi_subdevice *s = dev->read_subdev;
+- unsigned int status = 0;
++ unsigned short status = 0;
+ unsigned int val;
+
+ val = inl(devpriv->amcc + AMCC_OP_REG_INTCSR);
+@@ -238,14 +238,14 @@ static irqreturn_t apci1500_interrupt(in
+ *
+ * Mask Meaning
+ * ---------- ------------------------------------------
+- * 0x00000001 Event 1 has occurred
+- * 0x00000010 Event 2 has occurred
+- * 0x00000100 Counter/timer 1 has run down (not implemented)
+- * 0x00001000 Counter/timer 2 has run down (not implemented)
+- * 0x00010000 Counter 3 has run down (not implemented)
+- * 0x00100000 Watchdog has run down (not implemented)
+- * 0x01000000 Voltage error
+- * 0x10000000 Short-circuit error
++ * 0b00000001 Event 1 has occurred
++ * 0b00000010 Event 2 has occurred
++ * 0b00000100 Counter/timer 1 has run down (not implemented)
++ * 0b00001000 Counter/timer 2 has run down (not implemented)
++ * 0b00010000 Counter 3 has run down (not implemented)
++ * 0b00100000 Watchdog has run down (not implemented)
++ * 0b01000000 Voltage error
++ * 0b10000000 Short-circuit error
+ */
+ comedi_buf_write_samples(s, &status, 1);
+ comedi_handle_events(dev, s);
--- /dev/null
+From b2e78630f733a76508b53ba680528ca39c890e82 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:44 +0000
+Subject: staging: comedi: adv_pci1710: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b2e78630f733a76508b53ba680528ca39c890e82 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variables
+holding the sample value to `unsigned short`. The type of the `val`
+parameter of `pci1710_ai_read_sample()` is changed to `unsigned short *`
+accordingly. The type of the `val` variable in `pci1710_ai_insn_read()`
+is also changed to `unsigned short` since its address is passed to
+`pci1710_ai_read_sample()`.
+
+Fixes: a9c3a015c12f ("staging: comedi: adv_pci1710: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-4-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/adv_pci1710.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/adv_pci1710.c
++++ b/drivers/staging/comedi/drivers/adv_pci1710.c
+@@ -300,11 +300,11 @@ static int pci1710_ai_eoc(struct comedi_
+ static int pci1710_ai_read_sample(struct comedi_device *dev,
+ struct comedi_subdevice *s,
+ unsigned int cur_chan,
+- unsigned int *val)
++ unsigned short *val)
+ {
+ const struct boardtype *board = dev->board_ptr;
+ struct pci1710_private *devpriv = dev->private;
+- unsigned int sample;
++ unsigned short sample;
+ unsigned int chan;
+
+ sample = inw(dev->iobase + PCI171X_AD_DATA_REG);
+@@ -345,7 +345,7 @@ static int pci1710_ai_insn_read(struct c
+ pci1710_ai_setup_chanlist(dev, s, &insn->chanspec, 1, 1);
+
+ for (i = 0; i < insn->n; i++) {
+- unsigned int val;
++ unsigned short val;
+
+ /* start conversion */
+ outw(0, dev->iobase + PCI171X_SOFTTRG_REG);
+@@ -395,7 +395,7 @@ static void pci1710_handle_every_sample(
+ {
+ struct comedi_cmd *cmd = &s->async->cmd;
+ unsigned int status;
+- unsigned int val;
++ unsigned short val;
+ int ret;
+
+ status = inw(dev->iobase + PCI171X_STATUS_REG);
+@@ -455,7 +455,7 @@ static void pci1710_handle_fifo(struct c
+ }
+
+ for (i = 0; i < devpriv->max_samples; i++) {
+- unsigned int val;
++ unsigned short val;
+ int ret;
+
+ ret = pci1710_ai_read_sample(dev, s, s->async->cur_chan, &val);
--- /dev/null
+From 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:45 +0000
+Subject: staging: comedi: das6402: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 1c0f20b78781b9ca50dc3ecfd396d0db5b141890 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: d1d24cb65ee3 ("staging: comedi: das6402: read analog input samples in interrupt handler")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-5-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/das6402.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das6402.c
++++ b/drivers/staging/comedi/drivers/das6402.c
+@@ -186,7 +186,7 @@ static irqreturn_t das6402_interrupt(int
+ if (status & DAS6402_STATUS_FFULL) {
+ async->events |= COMEDI_CB_OVERFLOW;
+ } else if (status & DAS6402_STATUS_FFNE) {
+- unsigned int val;
++ unsigned short val;
+
+ val = das6402_ai_read_sample(dev, s);
+ comedi_buf_write_samples(s, &val, 1);
--- /dev/null
+From 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:46 +0000
+Subject: staging: comedi: das800: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 459b1e8c8fe97fcba0bd1b623471713dce2c5eaf upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: ad9eb43c93d8 ("staging: comedi: das800: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-6-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/das800.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/das800.c
++++ b/drivers/staging/comedi/drivers/das800.c
+@@ -427,7 +427,7 @@ static irqreturn_t das800_interrupt(int
+ struct comedi_cmd *cmd;
+ unsigned long irq_flags;
+ unsigned int status;
+- unsigned int val;
++ unsigned short val;
+ bool fifo_empty;
+ bool fifo_overflow;
+ int i;
--- /dev/null
+From 54999c0d94b3c26625f896f8e3460bc029821578 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:47 +0000
+Subject: staging: comedi: dmm32at: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 54999c0d94b3c26625f896f8e3460bc029821578 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit 1700529b24cc ("staging: comedi:
+dmm32at: use comedi_buf_write_samples()") but the patch applies better
+to the later (but in the same kernel release) commit 0c0eadadcbe6e
+("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()").]
+
+Fixes: 0c0eadadcbe6e ("staging: comedi: dmm32at: introduce dmm32_ai_get_sample()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-7-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/dmm32at.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dmm32at.c
++++ b/drivers/staging/comedi/drivers/dmm32at.c
+@@ -404,7 +404,7 @@ static irqreturn_t dmm32at_isr(int irq,
+ {
+ struct comedi_device *dev = d;
+ unsigned char intstat;
+- unsigned int val;
++ unsigned short val;
+ int i;
+
+ if (!dev->attached) {
--- /dev/null
+From b39dfcced399d31e7c4b7341693b18e01c8f655e Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:48 +0000
+Subject: staging: comedi: me4000: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b39dfcced399d31e7c4b7341693b18e01c8f655e upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the calls to
+`comedi_buf_write_samples()` are passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: de88924f67d1 ("staging: comedi: me4000: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-8-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/me4000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/me4000.c
++++ b/drivers/staging/comedi/drivers/me4000.c
+@@ -924,7 +924,7 @@ static irqreturn_t me4000_ai_isr(int irq
+ struct comedi_subdevice *s = dev->read_subdev;
+ int i;
+ int c = 0;
+- unsigned int lval;
++ unsigned short lval;
+
+ if (!dev->attached)
+ return IRQ_NONE;
--- /dev/null
+From a084303a645896e834883f2c5170d044410dfdb3 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:49 +0000
+Subject: staging: comedi: pcl711: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit a084303a645896e834883f2c5170d044410dfdb3 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+variable. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the variable
+holding the sample value to `unsigned short`.
+
+Fixes: 1f44c034de2e ("staging: comedi: pcl711: use comedi_buf_write_samples()")
+Cc: <stable@vger.kernel.org> # 3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-9-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/pcl711.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl711.c
++++ b/drivers/staging/comedi/drivers/pcl711.c
+@@ -184,7 +184,7 @@ static irqreturn_t pcl711_interrupt(int
+ struct comedi_device *dev = d;
+ struct comedi_subdevice *s = dev->read_subdev;
+ struct comedi_cmd *cmd = &s->async->cmd;
+- unsigned int data;
++ unsigned short data;
+
+ if (!dev->attached) {
+ dev_err(dev->class_dev, "spurious interrupt\n");
--- /dev/null
+From 148e34fd33d53740642db523724226de14ee5281 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Tue, 23 Feb 2021 14:30:50 +0000
+Subject: staging: comedi: pcl818: Fix endian problem for AI command data
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 148e34fd33d53740642db523724226de14ee5281 upstream.
+
+The analog input subdevice supports Comedi asynchronous commands that
+use Comedi's 16-bit sample format. However, the call to
+`comedi_buf_write_samples()` is passing the address of a 32-bit integer
+parameter. On bigendian machines, this will copy 2 bytes from the wrong
+end of the 32-bit value. Fix it by changing the type of the parameter
+holding the sample value to `unsigned short`.
+
+[Note: the bug was introduced in commit edf4537bcbf5 ("staging: comedi:
+pcl818: use comedi_buf_write_samples()") but the patch applies better to
+commit d615416de615 ("staging: comedi: pcl818: introduce
+pcl818_ai_write_sample()").]
+
+Fixes: d615416de615 ("staging: comedi: pcl818: introduce pcl818_ai_write_sample()")
+Cc: <stable@vger.kernel.org> # 4.0+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20210223143055.257402-10-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/comedi/drivers/pcl818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/pcl818.c
++++ b/drivers/staging/comedi/drivers/pcl818.c
+@@ -423,7 +423,7 @@ static int pcl818_ai_eoc(struct comedi_d
+
+ static bool pcl818_ai_write_sample(struct comedi_device *dev,
+ struct comedi_subdevice *s,
+- unsigned int chan, unsigned int val)
++ unsigned int chan, unsigned short val)
+ {
+ struct pcl818_private *devpriv = dev->private;
+ struct comedi_cmd *cmd = &s->async->cmd;
--- /dev/null
+From e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 2 Mar 2021 14:19:39 +0300
+Subject: staging: ks7010: prevent buffer overflow in ks_wlan_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e163b9823a0b08c3bb8dc4f5b4b5c221c24ec3e5 upstream.
+
+The user can specify a "req->essid_len" of up to 255 but if it's
+over IW_ESSID_MAX_SIZE (32) that can lead to memory corruption.
+
+Fixes: 13a9930d15b4 ("staging: ks7010: add driver from Nanonote extra-repository")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YD4fS8+HmM/Qmrw6@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/ks7010/ks_wlan_net.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/ks7010/ks_wlan_net.c
++++ b/drivers/staging/ks7010/ks_wlan_net.c
+@@ -1120,6 +1120,7 @@ static int ks_wlan_set_scan(struct net_d
+ {
+ struct ks_wlan_private *priv = netdev_priv(dev);
+ struct iw_scan_req *req = NULL;
++ int len;
+
+ if (priv->sleep_mode == SLP_SLEEP)
+ return -EPERM;
+@@ -1129,8 +1130,9 @@ static int ks_wlan_set_scan(struct net_d
+ if (wrqu->data.length == sizeof(struct iw_scan_req) &&
+ wrqu->data.flags & IW_SCAN_THIS_ESSID) {
+ req = (struct iw_scan_req *)extra;
+- priv->scan_ssid_len = req->essid_len;
+- memcpy(priv->scan_ssid, req->essid, priv->scan_ssid_len);
++ len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++ priv->scan_ssid_len = len;
++ memcpy(priv->scan_ssid, req->essid, len);
+ } else {
+ priv->scan_ssid_len = 0;
+ }
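Review bot: An over-long `req->essid_len` is silently truncated to IW_ESSID_MAX_SIZE by the `min_t()` in ks_wlan_set_scan(), so the driver goes on to scan for an SSID the caller never asked for instead of reporting the bad request. Rejecting it is more explicit and still keeps the copy in bounds, e.g. `if (req->essid_len > IW_ESSID_MAX_SIZE) return -EINVAL;` before the assignment, assuming nothing acquired earlier in the function needs releasing. If truncation is intended for compatibility, a comment next to the clamp should say so. The same clamp-and-continue pattern appears in the rtl8192e, rtl8192u and rtl8712 (r8712_sitesurvey_cmd) hunks later on this page. The function body continues outside the hunk.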
--- /dev/null
+From d4ac640322b06095128a5c45ba4a1e80929fe7f3 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:56:32 +0300
+Subject: staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d4ac640322b06095128a5c45ba4a1e80929fe7f3 upstream.
+
+The "ie_len" is a value in the 1-255 range that comes from the user. We
+have to cap it to ensure that it's not too large or it could lead to
+memory corruption.
+
+Fixes: 9a7fe54ddc3a ("staging: r8188eu: Add source files for new driver - part 1")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHyQCrFZKTXyT7J@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/core/rtw_ap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_ap.c
++++ b/drivers/staging/rtl8188eu/core/rtw_ap.c
+@@ -784,6 +784,7 @@ int rtw_check_beacon_data(struct adapter
+ /* SSID */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SSID_IE_, &ie_len, (pbss_network->ie_length - _BEACON_IE_OFFSET_));
+ if (p && ie_len > 0) {
++ ie_len = min_t(int, ie_len, sizeof(pbss_network->ssid.ssid));
+ memset(&pbss_network->ssid, 0, sizeof(struct ndis_802_11_ssid));
+ memcpy(pbss_network->ssid.ssid, (p + 2), ie_len);
+ pbss_network->ssid.ssid_length = ie_len;
+@@ -802,6 +803,7 @@ int rtw_check_beacon_data(struct adapter
+ /* get supported rates */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _SUPPORTEDRATES_IE_, &ie_len, (pbss_network->ie_length - _BEACON_IE_OFFSET_));
+ if (p) {
++ ie_len = min_t(int, ie_len, NDIS_802_11_LENGTH_RATES_EX);
+ memcpy(supportRate, p + 2, ie_len);
+ supportRateNum = ie_len;
+ }
+@@ -809,6 +811,8 @@ int rtw_check_beacon_data(struct adapter
+ /* get ext_supported rates */
+ p = rtw_get_ie(ie + _BEACON_IE_OFFSET_, _EXT_SUPPORTEDRATES_IE_, &ie_len, pbss_network->ie_length - _BEACON_IE_OFFSET_);
+ if (p) {
++ ie_len = min_t(int, ie_len,
++ NDIS_802_11_LENGTH_RATES_EX - supportRateNum);
+ memcpy(supportRate + supportRateNum, p + 2, ie_len);
+ supportRateNum += ie_len;
+ }
+@@ -922,6 +926,7 @@ int rtw_check_beacon_data(struct adapter
+
+ pht_cap->mcs.rx_mask[0] = 0xff;
+ pht_cap->mcs.rx_mask[1] = 0x0;
++ ie_len = min_t(int, ie_len, sizeof(pmlmepriv->htpriv.ht_cap));
+ memcpy(&pmlmepriv->htpriv.ht_cap, p + 2, ie_len);
+ }
+
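Review bot: The added `min_t()` ahead of the `memcpy()` into `pmlmepriv->htpriv.ht_cap` caps only the upper bound, and the two `pht_cap->mcs.rx_mask[...]` stores just above it run before any length check. If `pht_cap` points into the received IE (its assignment is outside this hunk), an HT capabilities element shorter than the structure would let those stores touch bytes beyond the element's payload. It is worth confirming that the enclosing condition carries a lower bound such as `ie_len >= sizeof(*pht_cap)`. In the extended-rates hunk above, `NDIS_802_11_LENGTH_RATES_EX - supportRateNum` stays non-negative only because the preceding hunk caps `supportRateNum`; a comment like `/* supportRateNum was capped above, so this cannot go negative */` would keep the two in step.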
--- /dev/null
+From 74b6b20df8cfe90ada777d621b54c32e69e27cd7 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:58:03 +0300
+Subject: staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 74b6b20df8cfe90ada777d621b54c32e69e27cd7 upstream.
+
+This code has a check to prevent read overflow but it needs another
+check to prevent writing beyond the end of the ->ssid[] array.
+
+Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHymwsnHewzoam7@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c
+@@ -1160,9 +1160,11 @@ static int rtw_wx_set_scan(struct net_de
+ break;
+ }
+ sec_len = *(pos++); len -= 1;
+- if (sec_len > 0 && sec_len <= len) {
++ if (sec_len > 0 &&
++ sec_len <= len &&
++ sec_len <= 32) {
+ ssid[ssid_index].ssid_length = sec_len;
+- memcpy(ssid[ssid_index].ssid, pos, ssid[ssid_index].ssid_length);
++ memcpy(ssid[ssid_index].ssid, pos, sec_len);
+ ssid_index++;
+ }
+ pos += sec_len;
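Review bot: The new bound `sec_len <= 32` in rtw_wx_set_scan() is a bare literal that has to be kept equal to the size of the `ssid` array by hand. Deriving it from the destination keeps the check and the copy in step: `sec_len <= sizeof(ssid[ssid_index].ssid)) {`. Whether `ssid_index` itself is bounded against the number of `ssid[]` entries is not visible in this hunk and is worth confirming in the surrounding loop. The enclosing function starts and ends outside the hunk.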
--- /dev/null
+From 8687bf9ef9551bcf93897e33364d121667b1aadf Mon Sep 17 00:00:00 2001
+From: Lee Gibson <leegib@gmail.com>
+Date: Fri, 26 Feb 2021 14:51:57 +0000
+Subject: staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan
+
+From: Lee Gibson <leegib@gmail.com>
+
+commit 8687bf9ef9551bcf93897e33364d121667b1aadf upstream.
+
+Function _rtl92e_wx_set_scan calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210226145157.424065-1-leegib@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_wx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_wx.c
+@@ -406,9 +406,10 @@ static int _rtl92e_wx_set_scan(struct ne
+ struct iw_scan_req *req = (struct iw_scan_req *)b;
+
+ if (req->essid_len) {
+- ieee->current_network.ssid_len = req->essid_len;
+- memcpy(ieee->current_network.ssid, req->essid,
+- req->essid_len);
++ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++ ieee->current_network.ssid_len = len;
++ memcpy(ieee->current_network.ssid, req->essid, len);
+ }
+ }
+
--- /dev/null
+From 87107518d7a93fec6cdb2559588862afeee800fb Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 5 Mar 2021 11:12:49 +0300
+Subject: staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 87107518d7a93fec6cdb2559588862afeee800fb upstream.
+
+We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption.
+This can be controlled by the user via the ioctl.
+
+Fixes: 5f53d8ca3d5d ("Staging: add rtl8192SU wireless usb driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8192u/r8192U_wx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8192u/r8192U_wx.c
++++ b/drivers/staging/rtl8192u/r8192U_wx.c
+@@ -333,8 +333,10 @@ static int r8192_wx_set_scan(struct net_
+ struct iw_scan_req *req = (struct iw_scan_req *)b;
+
+ if (req->essid_len) {
+- ieee->current_network.ssid_len = req->essid_len;
+- memcpy(ieee->current_network.ssid, req->essid, req->essid_len);
++ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
++
++ ieee->current_network.ssid_len = len;
++ memcpy(ieee->current_network.ssid, req->essid, len);
+ }
+ }
+
--- /dev/null
+From b93c1e3981af19527beee1c10a2bef67a228c48c Mon Sep 17 00:00:00 2001
+From: Lee Gibson <leegib@gmail.com>
+Date: Mon, 1 Mar 2021 13:26:48 +0000
+Subject: staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
+
+From: Lee Gibson <leegib@gmail.com>
+
+commit b93c1e3981af19527beee1c10a2bef67a228c48c upstream.
+
+Function r8712_sitesurvey_cmd calls memcpy without checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Link: https://lore.kernel.org/r/20210301132648.420296-1-leegib@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl871x_cmd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_cmd.c
++++ b/drivers/staging/rtl8712/rtl871x_cmd.c
+@@ -197,8 +197,10 @@ u8 r8712_sitesurvey_cmd(struct _adapter
+ psurveyPara->ss_ssidlen = 0;
+ memset(psurveyPara->ss_ssid, 0, IW_ESSID_MAX_SIZE + 1);
+ if ((pssid != NULL) && (pssid->SsidLength)) {
+- memcpy(psurveyPara->ss_ssid, pssid->Ssid, pssid->SsidLength);
+- psurveyPara->ss_ssidlen = cpu_to_le32(pssid->SsidLength);
++ int len = min_t(int, pssid->SsidLength, IW_ESSID_MAX_SIZE);
++
++ memcpy(psurveyPara->ss_ssid, pssid->Ssid, len);
++ psurveyPara->ss_ssidlen = cpu_to_le32(len);
+ }
+ set_fwstate(pmlmepriv, _FW_UNDER_SURVEY);
+ r8712_enqueue_cmd(pcmdpriv, ph2c);
--- /dev/null
+From d660f4f42ccea50262c6ee90c8e7ad19a69fb225 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 24 Feb 2021 11:45:59 +0300
+Subject: staging: rtl8712: unterminated string leads to read overflow
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d660f4f42ccea50262c6ee90c8e7ad19a69fb225 upstream.
+
+The memdup_user() function does not necessarily return a NUL terminated
+string so this can lead to a read overflow. Switch from memdup_user()
+to strndup_user() to fix this bug.
+
+Fixes: c6dc001f2add ("staging: r8712u: Merging Realtek's latest (v2.6.6). Various fixes.")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YDYSR+1rj26NRhvb@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
++++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
+@@ -928,7 +928,7 @@ static int r871x_wx_set_priv(struct net_
+ struct iw_point *dwrq = (struct iw_point *)awrq;
+
+ len = dwrq->length;
+- ext = memdup_user(dwrq->pointer, len);
++ ext = strndup_user(dwrq->pointer, len);
+ if (IS_ERR(ext))
+ return PTR_ERR(ext);
+
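Review bot: After the switch to `strndup_user()`, `ext` is allocated to the length of the user string plus its terminator rather than to `len` bytes, while `len` still holds `dwrq->length`. Any later code in r871x_wx_set_priv() that indexes `ext` by `len`, or formats a reply back into `ext`, would then be working with a smaller buffer than before; the rest of the body is outside this hunk, so this needs checking there. A comment at the call would record it: `/* ext holds strlen + 1 bytes, which may be less than len */`. Input with no NUL within `len` bytes is now rejected by `strndup_user()` instead of being accepted, which is a behaviour change callers may notice.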