From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 26 Nov 2019 09:46:42 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.204~72
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=23f778df1358f5f0cf8c5341910b84571e3da201;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
	ath9k_hw-fix-uninitialized-variable-data.patch
---

diff --git a/queue-4.14/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch b/queue-4.14/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
new file mode 100644
index 00000000000..221c80252de
--- /dev/null
+++ b/queue-4.14/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
@@ -0,0 +1,74 @@
+From bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Sat, 19 Oct 2019 14:42:23 +0300
+Subject: ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
+
+From: Hui Peng <benquike@gmail.com>
+
+commit bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27 upstream.
+
+The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
+are initialized to point to the containing `ath10k_usb` object
+according to endpoint descriptors read from the device side, as shown
+below in `ath10k_usb_setup_pipe_resources`:
+
+for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+        endpoint = &iface_desc->endpoint[i].desc;
+
+        // get the address from endpoint descriptor
+        pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
+                                                endpoint->bEndpointAddress,
+                                                &urbcount);
+        ......
+        // select the pipe object
+        pipe = &ar_usb->pipes[pipe_num];
+
+        // initialize the ar_usb field
+        pipe->ar_usb = ar_usb;
+}
+
+The driver assumes that the addresses reported in endpoint
+descriptors from device side  to be complete. If a device is
+malicious and does not report complete addresses, it may trigger
+NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and
+`ath10k_usb_free_urb_to_pipe`.
+
+This patch fixes the bug by preventing potential NULL-ptr-deref.
+
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[groeck: Add driver tag to subject, fix build warning]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -49,6 +49,10 @@ ath10k_usb_alloc_urb_from_pipe(struct at
+ 	struct ath10k_urb_context *urb_context = NULL;
+ 	unsigned long flags;
+ 
++	/* bail if this pipe is not initialized */
++	if (!pipe->ar_usb)
++		return NULL;
++
+ 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+ 	if (!list_empty(&pipe->urb_list_head)) {
+ 		urb_context = list_first_entry(&pipe->urb_list_head,
+@@ -66,6 +70,10 @@ static void ath10k_usb_free_urb_to_pipe(
+ {
+ 	unsigned long flags;
+ 
++	/* bail if this pipe is not initialized */
++	if (!pipe->ar_usb)
++		return;
++
+ 	spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+ 
+ 	pipe->urb_cnt++;
diff --git a/queue-4.14/ath9k_hw-fix-uninitialized-variable-data.patch b/queue-4.14/ath9k_hw-fix-uninitialized-variable-data.patch
new file mode 100644
index 00000000000..2022d5b8c49
--- /dev/null
+++ b/queue-4.14/ath9k_hw-fix-uninitialized-variable-data.patch
@@ -0,0 +1,39 @@
+From 80e84f36412e0c5172447b6947068dca0d04ee82 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Fri, 27 Sep 2019 01:56:04 +0300
+Subject: ath9k_hw: fix uninitialized variable data
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.
+
+Currently, data variable in ar9003_hw_thermo_cal_apply() could be
+uninitialized if ar9300_otp_read_word() will fail to read the value.
+Initialize data variable with 0 to prevent an undefined behavior. This
+will be enough to handle error case when ar9300_otp_read_word() fails.
+
+Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
+Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
+Cc: John W. Linville <linville@tuxdriver.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -4116,7 +4116,7 @@ static void ar9003_hw_thermometer_apply(
+ 
+ static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah)
+ {
+-	u32 data, ko, kg;
++	u32 data = 0, ko, kg;
+ 
+ 	if (!AR_SREV_9462_20_OR_LATER(ah))
+ 		return;
diff --git a/queue-4.14/series b/queue-4.14/series
index 10ece462331..3280fc88adf 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -163,3 +163,5 @@ ipv6-fix-handling-of-lla-with-vrf-and-sockets-bound-.patch
 cfg80211-call-disconnect_wk-when-ap-stops.patch
 bluetooth-fix-invalid-free-in-bcsp_close.patch
 kvm-mmu-do-not-treat-zone_device-pages-as-being-reserved.patch
+ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
+ath9k_hw-fix-uninitialized-variable-data.patch