From: Sasha Levin Date: Mon, 28 Sep 2020 04:17:08 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.238~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13ffadd7d8875895a4ccae47096bc32260b7d9f6;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-asihpi-fix-iounmap-in-error-handler.patch b/queue-4.4/alsa-asihpi-fix-iounmap-in-error-handler.patch new file mode 100644 index 00000000000..28e24bad991 --- /dev/null +++ b/queue-4.4/alsa-asihpi-fix-iounmap-in-error-handler.patch @@ -0,0 +1,59 @@ +From ffab78558cc11fa4252f4ac55d4f21fe695bbed3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Sep 2020 09:52:30 -0700 +Subject: ALSA: asihpi: fix iounmap in error handler + +From: Tom Rix + +[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ] + +clang static analysis flags this problem +hpioctl.c:513:7: warning: Branch condition evaluates to + a garbage value + if (pci.ap_mem_base[idx]) { + ^~~~~~~~~~~~~~~~~~~~ + +If there is a failure in the middle of the memory space loop, +only some of the memory spaces need to be cleaned up. + +At the error handler, idx holds the number of successful +memory spaces mapped. So rework the handler loop to use the +old idx. + +There is a second problem, the memory space loop conditionally +iomaps()/sets the mem_base so it is necessay to initize pci. + +Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards") +Signed-off-by: Tom Rix +Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 7a32abbe0cef8..4bdcb7443b1f5 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -346,7 +346,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + struct hpi_message hm; + struct hpi_response hr; + struct hpi_adapter adapter; +- struct hpi_pci pci; ++ struct hpi_pci pci = { 0 }; + + memset(&adapter, 0, sizeof(adapter)); + +@@ -502,7 +502,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + return 0; + + err: +- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) { ++ while (--idx >= 0) { + if (pci.ap_mem_base[idx]) { + iounmap(pci.ap_mem_base[idx]); + pci.ap_mem_base[idx] = NULL; +-- +2.25.1 + diff --git a/queue-4.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch b/queue-4.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch new file mode 100644 index 00000000000..fdc1961f732 --- /dev/null +++ b/queue-4.4/atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch @@ -0,0 +1,36 @@ +From a1fa07f34a2b7f4c3468212f4e084d26701f55d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 10:51:03 +0800 +Subject: atm: eni: fix the missed pci_disable_device() for eni_init_one() + +From: Jing Xiangfeng + +[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ] + +eni_init_one() misses to call pci_disable_device() in an error path. +Jump to err_disable to fix it. + +Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api") +Signed-off-by: Jing Xiangfeng +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/atm/eni.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index ad591a2f7c822..340a1ee79d280 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -2242,7 +2242,7 @@ static int eni_init_one(struct pci_dev *pci_dev, + + rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32)); + if (rc < 0) +- goto out; ++ goto err_disable; + + rc = -ENOMEM; + eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL); +-- +2.25.1 + diff --git a/queue-4.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch b/queue-4.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch new file mode 100644 index 00000000000..87f2aa680be --- /dev/null +++ b/queue-4.4/batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch @@ -0,0 +1,54 @@ +From b47e26b17baed6d930e1f791b468785fc79f8eb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 17:34:48 +0200 +Subject: batman-adv: bla: fix type misuse for backbone_gw hash indexing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ] + +It seems that due to a copy & paste error the void pointer +in batadv_choose_backbone_gw() is cast to the wrong type. + +Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct +batadv_bla_claim" which better matches the caller's side. + +For now it seems that we were lucky because the two structs both have +their orig/vid and addr/vid in the beginning. However I stumbled over +this issue when I was trying to add some debug variables in front of +"orig" in batadv_backbone_gw, which caused hash lookups to fail. + +Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Sasha Levin +--- + net/batman-adv/bridge_loop_avoidance.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c +index 9aa5daa551273..1267cbb1a329a 100644 +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -73,11 +73,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size) + /* return the index of the backbone gateway */ + static inline u32 batadv_choose_backbone_gw(const void *data, u32 size) + { +- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data; ++ const struct batadv_bla_backbone_gw *gw; + u32 hash = 0; + +- hash = jhash(&claim->addr, sizeof(claim->addr), hash); +- hash = jhash(&claim->vid, sizeof(claim->vid), hash); ++ gw = (struct batadv_bla_backbone_gw *)data; ++ hash = jhash(&gw->orig, sizeof(gw->orig), hash); ++ hash = jhash(&gw->vid, sizeof(gw->vid), hash); + + return hash % size; + } +-- +2.25.1 + diff --git a/queue-4.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch b/queue-4.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch new file mode 100644 index 00000000000..c93d3793184 --- /dev/null +++ b/queue-4.4/batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch @@ -0,0 +1,59 @@ +From acce5fd1287be398c49cbeaf096d5b829863c696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Sep 2020 20:28:00 +0200 +Subject: batman-adv: mcast/TT: fix wrongly dropped or rerouted packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ] + +The unicast packet rerouting code makes several assumptions. For +instance it assumes that there is always exactly one destination in the +TT. This breaks for multicast frames in a unicast packets in several ways: + +For one thing if there is actually no TT entry and the destination node +was selected due to the multicast tvlv flags it announced. Then an +intermediate node will wrongly drop the packet. + +For another thing if there is a TT entry but the TTVN of this entry is +newer than the originally addressed destination node: Then the +intermediate node will wrongly redirect the packet, leading to +duplicated multicast packets at a multicast listener and missing +packets at other multicast listeners or multicast routers. + +Fixing this by not applying the unicast packet rerouting to batman-adv +unicast packets with a multicast payload. We are not able to detect a +roaming multicast listener at the moment and will just continue to send +the multicast frame to both the new and old destination for a while in +case of such a roaming multicast listener. + +Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/routing.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c +index b3e8b0e3073c2..e470410abb44d 100644 +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -782,6 +782,10 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, + vid = batadv_get_vid(skb, hdr_len); + ethhdr = (struct ethhdr *)(skb->data + hdr_len); + ++ /* do not reroute multicast frames in a unicast header */ ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ return true; ++ + /* check if the destination client was served by this node and it is now + * roaming. In this case, it means that the node has got a ROAM_ADV + * message and that it knows the new destination in the mesh to re-route +-- +2.25.1 + diff --git a/queue-4.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch b/queue-4.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch new file mode 100644 index 00000000000..bb6f3d7cb5e --- /dev/null +++ b/queue-4.4/mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch @@ -0,0 +1,36 @@ +From 3cd4b11459e30aeb3f3afc848671efcf555826bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 14:53:12 +0800 +Subject: MIPS: Add the missing 'CPU_1074K' into __get_cpu_type() + +From: Wei Li + +[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ] + +Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split +1074K from the 74K as an unique CPU type, while it missed to add the +'CPU_1074K' in __get_cpu_type(). So let's add it back. + +Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") +Signed-off-by: Wei Li +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/cpu-type.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h +index abee2bfd10dc1..cea0bbb71590f 100644 +--- a/arch/mips/include/asm/cpu-type.h ++++ b/arch/mips/include/asm/cpu-type.h +@@ -46,6 +46,7 @@ static inline int __pure __get_cpu_type(const int cpu_type) + case CPU_34K: + case CPU_1004K: + case CPU_74K: ++ case CPU_1074K: + case CPU_M14KC: + case CPU_M14KEC: + case CPU_INTERAPTIV: +-- +2.25.1 + diff --git a/queue-4.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch b/queue-4.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch new file mode 100644 index 00000000000..63da687c554 --- /dev/null +++ b/queue-4.4/mwifiex-increase-aes-key-storage-size-to-256-bits.patch @@ -0,0 +1,80 @@ +From 03098b7025f8c168a73b59f0a7ff4bf320014dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:38:29 +0200 +Subject: mwifiex: Increase AES key storage size to 256 bits + +From: Maximilian Luz + +[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ] + +Following commit e18696786548 ("mwifiex: Prevent memory corruption +handling keys") the mwifiex driver fails to authenticate with certain +networks, specifically networks with 256 bit keys, and repeatedly asks +for the password. The kernel log repeats the following lines (id and +bssid redacted): + + mwifiex_pcie 0000:01:00.0: info: trying to associate to '' bssid + mwifiex_pcie 0000:01:00.0: info: associated to bssid successfully + mwifiex_pcie 0000:01:00.0: crypto keys added + mwifiex_pcie 0000:01:00.0: info: successfully disconnected from : reason code 3 + +Tracking down this problem lead to the overflow check introduced by the +aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This +check fails on networks with 256 bit keys due to the current storage +size for AES keys in struct mwifiex_aes_param being only 128 bit. + +To fix this issue, increase the storage size for AES keys to 256 bit. + +Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys") +Signed-off-by: Maximilian Luz +Reported-by: Kaloyan Nikolov +Tested-by: Kaloyan Nikolov +Reviewed-by: Dan Carpenter +Reviewed-by: Brian Norris +Tested-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/fw.h | 2 +- + drivers/net/wireless/mwifiex/sta_cmdresp.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mwifiex/fw.h b/drivers/net/wireless/mwifiex/fw.h +index 9a5eb9ed89215..233af2292366d 100644 +--- a/drivers/net/wireless/mwifiex/fw.h ++++ b/drivers/net/wireless/mwifiex/fw.h +@@ -848,7 +848,7 @@ struct mwifiex_tkip_param { + struct mwifiex_aes_param { + u8 pn[WPA_PN_SIZE]; + __le16 key_len; +- u8 key[WLAN_KEY_LEN_CCMP]; ++ u8 key[WLAN_KEY_LEN_CCMP_256]; + } __packed; + + struct mwifiex_wapi_param { +diff --git a/drivers/net/wireless/mwifiex/sta_cmdresp.c b/drivers/net/wireless/mwifiex/sta_cmdresp.c +index 9e3853c8a22da..32b0b06b74f1d 100644 +--- a/drivers/net/wireless/mwifiex/sta_cmdresp.c ++++ b/drivers/net/wireless/mwifiex/sta_cmdresp.c +@@ -631,7 +631,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + key_v2 = &resp->params.key_material_v2; + + len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len); +- if (len > WLAN_KEY_LEN_CCMP) ++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key)) + return -EINVAL; + + if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) { +@@ -647,7 +647,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv, + return 0; + + memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0, +- WLAN_KEY_LEN_CCMP); ++ sizeof(key_v2->key_param_set.key_params.aes.key)); + priv->aes_key_v2.key_param_set.key_params.aes.key_len = + cpu_to_le16(len); + memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key, +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 5279467d38f..d6aabced642 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -74,3 +74,9 @@ x86-speculation-mds-mark-mds_user_clear_cpu_buffers-.patch vfio-pci-clear-error-and-request-eventfd-ctx-after-r.patch vfio-pci-fix-racy-on-error-and-request-eventfd-ctx.patch s390-init-add-missing-__init-annotations.patch +mwifiex-increase-aes-key-storage-size-to-256-bits.patch +batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch +atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch +batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch +alsa-asihpi-fix-iounmap-in-error-handler.patch +mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch