From: Greg Kroah-Hartman Date: Mon, 8 Jun 2020 16:48:38 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.7.2~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=073f976f2350ec30f4312be957cbfbafaebefc0f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index d4a98423ed1..50c29d17688 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -24,3 +24,5 @@ l2tp-do-not-use-inet_hash-inet_unhash.patch
 usb-serial-qcserial-add-dw5816e-qdl-support.patch
 usb-serial-usb_wwan-do-not-resubmit-rx-urb-on-fatal-errors.patch
 usb-serial-option-add-telit-le910c1-eux-compositions.patch
+vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
+staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
diff --git a/queue-4.4/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch b/queue-4.4/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
new file mode 100644
index 00000000000..f01156362aa
--- /dev/null
+++ b/queue-4.4/staging-rtl8712-fix-ieee80211_addba_param_buf_size_mask.patch
@@ -0,0 +1,51 @@
+From 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f Mon Sep 17 00:00:00 2001
+From: Pascal Terjan
+Date: Sat, 23 May 2020 22:12:47 +0100
+Subject: staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK
+
+From: Pascal Terjan
+
+commit 15ea976a1f12b5fd76b1bd6ff3eb5132fd28047f upstream.
+
+The value in shared headers was fixed 9 years ago in commit 8d661f1e462d
+("ieee80211: correct IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK macro") and
+while looking at using shared headers for other duplicated constants
+I noticed this driver uses the old value.
+
+The macros are also defined twice in this file so I am deleting the
+second definition.
+
+Signed-off-by: Pascal Terjan
+Cc: stable
+Link: https://lore.kernel.org/r/20200523211247.23262-1-pterjan@google.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/rtl8712/wifi.h | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/drivers/staging/rtl8712/wifi.h
++++ b/drivers/staging/rtl8712/wifi.h
+@@ -466,7 +466,7 @@ static inline unsigned char *get_hdr_bss
+ /* block-ack parameters */
+ #define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+ #define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
++#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFC0
+ #define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+ #define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+
+@@ -560,13 +560,6 @@ struct ieee80211_ht_addt_info {
+ #define IEEE80211_HT_IE_NON_GF_STA_PRSNT 0x0004
+ #define IEEE80211_HT_IE_NON_HT_STA_PRSNT 0x0010
+
+-/* block-ack parameters */
+-#define IEEE80211_ADDBA_PARAM_POLICY_MASK 0x0002
+-#define IEEE80211_ADDBA_PARAM_TID_MASK 0x003C
+-#define IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK 0xFFA0
+-#define IEEE80211_DELBA_PARAM_TID_MASK 0xF000
+-#define IEEE80211_DELBA_PARAM_INITIATOR_MASK 0x0800
+-
+ /*
+ * A-PMDU buffer sizes
+ * According to IEEE802.11n spec size varies from 8K to 64K (in powers of 2)
diff --git a/queue-4.4/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch b/queue-4.4/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
new file mode 100644
index 00000000000..ca837489634
--- /dev/null
+++ b/queue-4.4/vt-keyboard-avoid-signed-integer-overflow-in-k_ascii.patch
@@ -0,0 +1,101 @@
+From b86dab054059b970111b5516ae548efaae5b3aae Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 25 May 2020 16:27:40 -0700
+Subject: vt: keyboard: avoid signed integer overflow in k_ascii
+
+From: Dmitry Torokhov
+
+commit b86dab054059b970111b5516ae548efaae5b3aae upstream.
+
+When k_ascii is invoked several times in a row there is a potential for
+signed integer overflow:
+
+UBSAN: Undefined behaviour in drivers/tty/vt/keyboard.c:888:19 signed integer overflow:
+10 * 1111111111 cannot be represented in type 'int'
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.11 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ ubsan_epilogue+0xe/0x30 lib/ubsan.c:154
+ handle_overflow+0xdc/0xf0 lib/ubsan.c:184
+ __ubsan_handle_mul_overflow+0x2a/0x40 lib/ubsan.c:205
+ k_ascii+0xbf/0xd0 drivers/tty/vt/keyboard.c:888
+ kbd_keycode drivers/tty/vt/keyboard.c:1477 [inline]
+ kbd_event+0x888/0x3be0 drivers/tty/vt/keyboard.c:1495
+
+While it can be worked around by using check_mul_overflow()/
+check_add_overflow(), it is better to introduce a separate flag to
+signal that number pad is being used to compose a symbol, and
+change type of the accumulator from signed to unsigned, thus
+avoiding undefined behavior when it overflows.
+
+Reported-by: Kyungtae Kim
+Signed-off-by: Dmitry Torokhov
+Cc: stable
+Link: https://lore.kernel.org/r/20200525232740.GA262061@dtor-ws
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/vt/keyboard.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/tty/vt/keyboard.c
++++ b/drivers/tty/vt/keyboard.c
+@@ -125,7 +125,11 @@ static DEFINE_SPINLOCK(func_buf_lock); /
+ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */
+ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */
+ static bool dead_key_next;
+-static int npadch = -1; /* -1 or number assembled on pad */
++
++/* Handles a number being assembled on the number pad */
++static bool npadch_active;
++static unsigned int npadch_value;
++
+ static unsigned int diacr;
+ static char rep; /* flag telling character repeat */
+
+@@ -815,12 +819,12 @@ static void k_shift(struct vc_data *vc,
+ shift_state &= ~(1 << value);
+
+ /* kludge */
+- if (up_flag && shift_state != old_state && npadch != -1) {
++ if (up_flag && shift_state != old_state && npadch_active) {
+ if (kbd->kbdmode == VC_UNICODE)
+- to_utf8(vc, npadch);
++ to_utf8(vc, npadch_value);
+ else
+- put_queue(vc, npadch & 0xff);
+- npadch = -1;
++ put_queue(vc, npadch_value & 0xff);
++ npadch_active = false;
+ }
+ }
+
+@@ -838,7 +842,7 @@ static void k_meta(struct vc_data *vc, u
+
+ static void k_ascii(struct vc_data *vc, unsigned char value, char up_flag)
+ {
+- int base;
++ unsigned int base;
+
+ if (up_flag)
+ return;
+@@ -852,10 +856,12 @@ static void k_ascii(struct vc_data *vc,
+ base = 16;
+ }
+
+- if (npadch == -1)
+- npadch = value;
+- else
+- npadch = npadch * base + value;
++ if (!npadch_active) {
++ npadch_value = 0;
++ npadch_active = true;
++ }
++
++ npadch_value = npadch_value * base + value;
+ }
+
+ static void k_lock(struct vc_data *vc, unsigned char value, char up_flag)
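Review bot: The accumulation in k_ascii, `npadch_value = npadch_value * base + value;`, now wraps silently instead of overflowing, and nothing in these hunks bounds the result before k_shift passes it to `to_utf8(vc, npadch_value)` or masks it with `& 0xff`. Unsigned wraparound is defined behaviour, so the UBSAN report goes away, but a long enough digit sequence still composes a value unrelated to what was typed; whether an out-of-range code point is rejected depends on to_utf8, which is outside the patch. I would extend the comment above the new statics to state the contract, for example `/* npadch_value is meaningful only while npadch_active is set; it may wrap, so consumers must range-check it */`. The bodies of k_shift and k_ascii begin outside the hunks shown, so any earlier validation of `value` is not visible here.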