4.11-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 May 2017 09:18:05 +0000 (11:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 9 May 2017 09:18:05 +0000 (11:18 +0200)
added patches:
brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
brcmfmac-make-skb-header-writable-before-use.patch
power-supply-lp8788-prevent-out-of-bounds-array-access.patch

queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch [new file with mode: 0644]
queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch [new file with mode: 0644]
queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch [new file with mode: 0644]
queue-4.11/series

diff --git a/queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch b/queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
new file mode 100644 (file)
index 0000000..f7927bd
--- /dev/null
@@ -0,0 +1,44 @@
+From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Mon, 24 Apr 2017 12:40:50 +0100
+Subject: brcmfmac: Ensure pointer correctly set if skb data location changes
+
+From: James Hughes <james.hughes@raspberrypi.org>
+
+commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream.
+
+The incoming skb header may be resized if header space is
+insufficient, which might change the data adddress in the skb.
+Ensure that a cached pointer to that data is correctly set by
+moving assignment to after any possible changes.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm
+       int ret;
+       struct brcmf_if *ifp = netdev_priv(ndev);
+       struct brcmf_pub *drvr = ifp->drvr;
+-      struct ethhdr *eh = (struct ethhdr *)(skb->data);
++      struct ethhdr *eh;
+       brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm
+               goto done;
+       }
++      eh = (struct ethhdr *)(skb->data);
++
+       if (eh->h_proto == htons(ETH_P_PAE))
+               atomic_inc(&ifp->pend_8021x_cnt);
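Review bot: With the initialiser dropped, `eh` is an indeterminate pointer from its declaration until the new assignment in the second hunk, and nothing in the code says why the assignment sits that late. A comment on the assignment would keep a later edit from hoisting it back above the headroom handling, for example `/* skb->data can move when the headroom is adjusted above; take the header pointer only after that */`. The lines between the declaration and the assignment are outside both hunks, so it is worth confirming against the full function that none of them dereferences `eh` (a `sizeof(*eh)` there would be fine, since the operand is not evaluated).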
diff --git a/queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch b/queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch
new file mode 100644 (file)
index 0000000..f19c7bc
--- /dev/null
@@ -0,0 +1,55 @@
+From 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Tue, 25 Apr 2017 10:15:06 +0100
+Subject: brcmfmac: Make skb header writable before use
+
+From: James Hughes <james.hughes@raspberrypi.org>
+
+commit 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 upstream.
+
+The driver was making changes to the skb_header without
+ensuring it was writable (i.e. uncloned).
+This patch also removes some boiler plate header size
+checking/adjustment code as that is also handled by the
+skb_cow_header function used to make header writable.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c |   19 ++++------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -211,22 +211,13 @@ static netdev_tx_t brcmf_netdev_start_xm
+               goto done;
+       }
+-      /* Make sure there's enough room for any header */
+-      if (skb_headroom(skb) < drvr->hdrlen) {
+-              struct sk_buff *skb2;
+-
+-              brcmf_dbg(INFO, "%s: insufficient headroom\n",
++      /* Make sure there's enough writable headroom*/
++      ret = skb_cow_head(skb, drvr->hdrlen);
++      if (ret < 0) {
++              brcmf_err("%s: skb_cow_head failed\n",
+                         brcmf_ifname(ifp));
+-              drvr->bus_if->tx_realloc++;
+-              skb2 = skb_realloc_headroom(skb, drvr->hdrlen);
+               dev_kfree_skb(skb);
+-              skb = skb2;
+-              if (skb == NULL) {
+-                      brcmf_err("%s: skb_realloc_headroom failed\n",
+-                                brcmf_ifname(ifp));
+-                      ret = -ENOMEM;
+-                      goto done;
+-              }
++              goto done;
+       }
+       /* validate length for ether packet */
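Review bot: The new comment `/* Make sure there's enough writable headroom*/` leaves out the two things a maintainer needs to know about skb_cow_head(): it unshares a cloned header before the driver writes into it, and it may reallocate the header and so change skb->data. I would write it as `/* Unshare the header and ensure hdrlen bytes of headroom; this may move skb->data, so derive header pointers only after this call */`, which also restores the missing space before `*/`. Separately, the removed `drvr->bus_if->tx_realloc++` is the only writer of that counter visible in this hunk; if the counter is still reported elsewhere it may now never change, which deserves a line in the commit message or a follow-up removal. brcmf_netdev_start_xmit starts and ends outside the hunk.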
diff --git a/queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch b/queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch
new file mode 100644 (file)
index 0000000..a349c66
--- /dev/null
@@ -0,0 +1,39 @@
+From bdd9968d35f7fcdb76089347d1529bf079534214 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+ <giedrius.statkevicius@gmail.com>
+Date: Sat, 25 Mar 2017 18:00:49 +0200
+Subject: power: supply: lp8788: prevent out of bounds array access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+
+commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream.
+
+val might become 7 in which case stime[7] (array of length 7) would be
+accessed during the scnprintf call later and that will cause issues.
+Obviously, string concatenation is not intended here so just a comma needs
+to be added to fix the issue.
+
+Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
+Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
+Acked-by: Milo Kim <milo.kim@ti.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/supply/lp8788-charger.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -651,7 +651,7 @@ static ssize_t lp8788_show_eoc_time(stru
+ {
+       struct lp8788_charger *pchg = dev_get_drvdata(dev);
+       char *stime[] = { "400ms", "5min", "10min", "15min",
+-                      "20min", "25min", "30min" "No timeout" };
++                      "20min", "25min", "30min", "No timeout" };
+       u8 val;
+       lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val);
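Review bot: The return value of `lp8788_read_byte()` on the last line of the hunk is ignored and `val` has no initialiser, so a failed register read could leave the later `stime[]` index derived from an uninitialised byte, which the added comma does not address. Checking the call, for example `ret = lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val);` followed by `if (ret) return ret;`, keeps a failed read from reaching the table lookup. The masking of `val` and the scnprintf call lie outside the hunk, and this assumes the helper leaves `*data` untouched on error. Declaring the table as `static const char * const stime[]` and bounding the index against `ARRAY_SIZE(stime)` would also stop a future miscount of the entries from turning into an out-of-bounds read.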
index cdf2f31fcb837feadbc0f290e1de65378459cbfe..c5c06d6c91f0a48bf1a68adf81a0521992c6fa2f 100644 (file)
@@ -1,2 +1,5 @@
 dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch
 drm-sti-fix-gdp-size-to-support-up-to-uhd-resolution.patch
+power-supply-lp8788-prevent-out-of-bounds-array-access.patch
+brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
+brcmfmac-make-skb-header-writable-before-use.patch