--- /dev/null
+From c8291988806407e02a01b4b15b4504eafbcc04e0 Mon Sep 17 00:00:00 2001
+From: Zhi Chen <zhichen@codeaurora.org>
+Date: Mon, 18 Jun 2018 17:00:39 +0300
+Subject: ath10k: fix scan crash due to incorrect length calculation
+
+From: Zhi Chen <zhichen@codeaurora.org>
+
+commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
+
+Length of WMI scan message was not calculated correctly. The allocated
+buffer was smaller than what we expected. So WMI message corrupted
+skb_info, which is at the end of skb->data. This fix takes TLV header
+into account even if the element is zero-length.
+
+Crash log:
+ [49.629986] Unhandled kernel unaligned access[#1]:
+ [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
+ [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
+ [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
+ [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
+ [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
+ [49.662898] $12 : 33322037 000110f2 00000000 31203930
+ [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
+ [49.673757] $20 : 00000000 0000012c 00000040 80470000
+ [49.679186] $24 : 00000000 8024af7c
+ [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
+ [49.690046] Hi : 00000000
+ [49.693022] Lo : 453c0000
+ [49.696013] epc : 800efae4 put_page+0x0/0x58
+ [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
+ [49.706184] Status: 1000fc03 KERNEL EXL IE
+ [49.710531] Cause : 00800010 (ExcCode 04)
+ [49.714669] BadVA : 45259e89
+ [49.717644] PrId : 00019374 (MIPS 24Kc)
+
+Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1619,10 +1619,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct
+ bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
+ ie_len = roundup(arg->ie_len, 4);
+ len = (sizeof(*tlv) + sizeof(*cmd)) +
+- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
+- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
+- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
+- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
++ sizeof(*tlv) + chan_len +
++ sizeof(*tlv) + ssid_len +
++ sizeof(*tlv) + bssid_len +
++ sizeof(*tlv) + ie_len;
+
+ skb = ath10k_wmi_alloc_skb(ar, len);
+ if (!skb)
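Review bot: Nothing in this hunk ties the new `len` expression to the code that later fills the buffer, which is the mismatch the commit message blames for the write past the allocation into the data at the end of `skb->data`. A comment above the sum would keep the two from drifting apart again, for example `/* Every array TLV header is emitted even when its array is empty, so count all four unconditionally. */`. The fill code of ath10k_wmi_tlv_op_gen_start_scan lies outside the hunk, so it cannot be confirmed from here whether the final write offset is ever compared with `len`. If it is not, a check there would turn a future mismatch into a warning rather than silent memory corruption.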
--- /dev/null
+From f394ad28feffbeebab77c8bf9a203bd49b957c9a Mon Sep 17 00:00:00 2001
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Date: Mon, 30 Jul 2018 22:48:41 -0700
+Subject: rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
+
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+
+commit f394ad28feffbeebab77c8bf9a203bd49b957c9a upstream.
+
+Currently, rds_ib_conn_alloc() calls rds_ib_recv_alloc_caches()
+without passing along the gfp_t flag. But rds_ib_recv_alloc_caches()
+and rds_ib_recv_alloc_cache() should take a gfp_t parameter so that
+rds_ib_recv_alloc_cache() can call alloc_percpu_gfp() using the
+correct flag instead of calling alloc_percpu().
+
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: HÃ¥kon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/rds/ib.h
++++ b/net/rds/ib.h
+@@ -371,7 +371,7 @@ void rds_ib_mr_cqe_handler(struct rds_ib
+ int rds_ib_recv_init(void);
+ void rds_ib_recv_exit(void);
+ int rds_ib_recv_path(struct rds_conn_path *conn);
+-int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic);
++int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic, gfp_t gfp);
+ void rds_ib_recv_free_caches(struct rds_ib_connection *ic);
+ void rds_ib_recv_refill(struct rds_connection *conn, int prefill, gfp_t gfp);
+ void rds_ib_inc_free(struct rds_incoming *inc);
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -949,7 +949,7 @@ int rds_ib_conn_alloc(struct rds_connect
+ if (!ic)
+ return -ENOMEM;
+
+- ret = rds_ib_recv_alloc_caches(ic);
++ ret = rds_ib_recv_alloc_caches(ic, gfp);
+ if (ret) {
+ kfree(ic);
+ return ret;
+--- a/net/rds/ib_recv.c
++++ b/net/rds/ib_recv.c
+@@ -98,12 +98,12 @@ static void rds_ib_cache_xfer_to_ready(s
+ }
+ }
+
+-static int rds_ib_recv_alloc_cache(struct rds_ib_refill_cache *cache)
++static int rds_ib_recv_alloc_cache(struct rds_ib_refill_cache *cache, gfp_t gfp)
+ {
+ struct rds_ib_cache_head *head;
+ int cpu;
+
+- cache->percpu = alloc_percpu(struct rds_ib_cache_head);
++ cache->percpu = alloc_percpu_gfp(struct rds_ib_cache_head, gfp);
+ if (!cache->percpu)
+ return -ENOMEM;
+
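Review bot: The `alloc_percpu_gfp()` call now honours the caller's `gfp`, but the percpu allocator treats any mask that does not contain all of GFP_KERNEL as atomic and then serves the request only from already-populated percpu memory, so this allocation can fail where `alloc_percpu()` would have succeeded. The `-ENOMEM` return just below handles that, but the behaviour is not obvious from the call. A comment such as `/* gfp may be atomic; the percpu allocator cannot populate new chunks then, so failure is more likely */` would document it. The same applies to both calls in rds_ib_recv_alloc_caches() in the next hunk, and the body of rds_ib_recv_alloc_cache() continues outside this one.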
+@@ -118,13 +118,13 @@ static int rds_ib_recv_alloc_cache(struc
+ return 0;
+ }
+
+-int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic)
++int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic, gfp_t gfp)
+ {
+ int ret;
+
+- ret = rds_ib_recv_alloc_cache(&ic->i_cache_incs);
++ ret = rds_ib_recv_alloc_cache(&ic->i_cache_incs, gfp);
+ if (!ret) {
+- ret = rds_ib_recv_alloc_cache(&ic->i_cache_frags);
++ ret = rds_ib_recv_alloc_cache(&ic->i_cache_frags, gfp);
+ if (ret)
+ free_percpu(ic->i_cache_incs.percpu);
+ }
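Review bot: On the failure path `free_percpu(ic->i_cache_incs.percpu)` leaves the freed pointer stored in `ic`, and with a caller-supplied `gfp` that path is presumably easier to reach than before. The caller visible in ib_cm.c frees `ic` immediately, so nothing reuses the pointer there. Adding `ic->i_cache_incs.percpu = NULL;` after the free would guard against a second free if some other path later runs the cache teardown on the same `ic`. The function's final return is outside the hunk.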
tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch
ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch
ubifs-check-for-name-being-null-while-mounting.patch
+rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch
+ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch