4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 15:08:07 +0000 (17:08 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Oct 2018 15:08:07 +0000 (17:08 +0200)
added patches:
ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
ebtables-arpreply-add-the-standard-target-sanity-check.patch

queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch [new file with mode: 0644]
queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch b/queue-4.4/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
new file mode 100644 (file)
index 0000000..770a322
--- /dev/null
@@ -0,0 +1,61 @@
+From c8291988806407e02a01b4b15b4504eafbcc04e0 Mon Sep 17 00:00:00 2001
+From: Zhi Chen <zhichen@codeaurora.org>
+Date: Mon, 18 Jun 2018 17:00:39 +0300
+Subject: ath10k: fix scan crash due to incorrect length calculation
+
+From: Zhi Chen <zhichen@codeaurora.org>
+
+commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
+
+Length of WMI scan message was not calculated correctly. The allocated
+buffer was smaller than what we expected. So WMI message corrupted
+skb_info, which is at the end of skb->data. This fix takes TLV header
+into account even if the element is zero-length.
+
+Crash log:
+  [49.629986] Unhandled kernel unaligned access[#1]:
+  [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
+  [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
+  [49.646608] $ 0   : 00000000 00000001 80984a80 00000000
+  [49.652038] $ 4   : 45259e89 8046d484 8046df30 8024ba70
+  [49.657468] $ 8   : 00000000 804cc4c0 00000001 20306320
+  [49.662898] $12   : 33322037 000110f2 00000000 31203930
+  [49.668327] $16   : 82792b40 80984a80 00000001 804207fc
+  [49.673757] $20   : 00000000 0000012c 00000040 80470000
+  [49.679186] $24   : 00000000 8024af7c
+  [49.684617] $28   : 8329c000 8329db88 00000001 802c58d0
+  [49.690046] Hi    : 00000000
+  [49.693022] Lo    : 453c0000
+  [49.696013] epc   : 800efae4 put_page+0x0/0x58
+  [49.700615] ra    : 802c58d0 skb_release_data+0x148/0x1d4
+  [49.706184] Status: 1000fc03 KERNEL EXL IE
+  [49.710531] Cause : 00800010 (ExcCode 04)
+  [49.714669] BadVA : 45259e89
+  [49.717644] PrId  : 00019374 (MIPS 24Kc)
+
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1459,10 +1459,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct
+       bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
+       ie_len = roundup(arg->ie_len, 4);
+       len = (sizeof(*tlv) + sizeof(*cmd)) +
+-            (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
+-            (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
+-            (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
+-            (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
++            sizeof(*tlv) + chan_len +
++            sizeof(*tlv) + ssid_len +
++            sizeof(*tlv) + bssid_len +
++            sizeof(*tlv) + ie_len;
+       skb = ath10k_wmi_alloc_skb(ar, len);
+       if (!skb)
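Review bot: Nothing at the `len` computation in ath10k_wmi_tlv_op_gen_start_scan records why the four `sizeof(*tlv)` terms are now unconditional, which is the assumption the removed ternaries got wrong. A comment above the expression would keep a later cleanup from reintroducing the undersized allocation, for example `/* All four array TLV headers are written even when the array is empty; len must cover them. */`. The code that fills the skb lies outside this hunk, so whether it writes each header unconditionally is taken from the commit message, not verified here. Because a mismatch overruns the skb data area (the commit message reports skb_info being corrupted), it would also be worth checking, at the point where the function finishes filling the buffer, that the number of bytes written equals `len`.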
diff --git a/queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch b/queue-4.4/ebtables-arpreply-add-the-standard-target-sanity-check.patch
new file mode 100644 (file)
index 0000000..3c5265a
--- /dev/null
@@ -0,0 +1,55 @@
+From c953d63548207a085abcb12a15fefc8a11ffdf0a Mon Sep 17 00:00:00 2001
+From: Gao Feng <gfree.wind@vip.163.com>
+Date: Tue, 16 May 2017 09:30:18 +0800
+Subject: ebtables: arpreply: Add the standard target sanity check
+
+From: Gao Feng <gfree.wind@vip.163.com>
+
+commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.
+
+The info->target comes from userspace and it would be used directly.
+So we need to add the sanity check to make sure it is a valid standard
+target, although the ebtables tool has already checked it. Kernel needs
+to validate anything coming from userspace.
+
+If the target is set as an evil value, it would break the ebtables
+and cause a panic. Because the non-standard target is treated as one
+offset.
+
+Now add one helper function ebt_invalid_target, and we would replace
+the macro INVALID_TARGET later.
+
+Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Loic <hackurx@opensec.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter_bridge/ebtables.h |    5 +++++
+ net/bridge/netfilter/ebt_arpreply.c       |    3 +++
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -125,4 +125,9 @@ extern unsigned int ebt_do_table(struct
+ /* True if the target is not a standard target */
+ #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
++static inline bool ebt_invalid_target(int target)
++{
++      return (target < -NUM_STANDARD_TARGETS || target >= 0);
++}
++
+ #endif
+--- a/net/bridge/netfilter/ebt_arpreply.c
++++ b/net/bridge/netfilter/ebt_arpreply.c
+@@ -67,6 +67,9 @@ static int ebt_arpreply_tg_check(const s
+       if (e->ethproto != htons(ETH_P_ARP) ||
+           e->invflags & EBT_IPROTO)
+               return -EINVAL;
++      if (ebt_invalid_target(info->target))
++              return -EINVAL;
++
+       return 0;
+ }
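Review bot: ebt_invalid_target() in ebtables.h is added directly beneath the INVALID_TARGET macro with no comment of its own and no blank line between them, so the existing "True if the target is not a standard target" comment reads as describing the macro only. I would separate the two and document the helper, e.g. `/* True if target is not a standard verdict, i.e. outside [-NUM_STANDARD_TARGETS, -1] */`, and drop the redundant parentheses: `return target < -NUM_STANDARD_TARGETS || target >= 0;`. Since the commit message says a non-standard value is treated as an offset, a short comment at the new check in ebt_arpreply_tg_check, such as `/* info->target is userspace-supplied and is used directly as the verdict */`, would record why it must not be removed. That function starts outside the hunk, so the declaration of `info` and any other checks on it are not visible here.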
index 20189986b39435c77bd80fbd43e10e5c8f424a94..03882e9b33e9b3f9843c42b831f41a5e3e52e838 100644 (file)
@@ -23,3 +23,5 @@ tcp-fix-a-stale-ooo_last_skb-after-a-replace.patch
 tcp-free-batches-of-packets-in-tcp_prune_ofo_queue.patch
 tcp-call-tcp_drop-from-tcp_data_queue_ofo.patch
 tcp-add-tcp_ooo_try_coalesce-helper.patch
+ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
+ebtables-arpreply-add-the-standard-target-sanity-check.patch