From: Greg Kroah-Hartman Date: Wed, 14 Aug 2019 16:33:16 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.2.9~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74a25cdb8a15d433063b1af65c99857726f8254a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-firewire-fix-a-memory-leak-bug.patch can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch smb3-send-cap_dfs-capability-during-session-setup.patch --- diff --git a/queue-4.4/alsa-firewire-fix-a-memory-leak-bug.patch b/queue-4.4/alsa-firewire-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..05ca846644c --- /dev/null +++ b/queue-4.4/alsa-firewire-fix-a-memory-leak-bug.patch 
@@ -0,0 +1,39 @@ +From 1be3c1fae6c1e1f5bb982b255d2034034454527a Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Thu, 8 Aug 2019 00:50:58 -0500 +Subject: ALSA: firewire: fix a memory leak bug + +From: Wenwen Wang + +commit 1be3c1fae6c1e1f5bb982b255d2034034454527a upstream. + +In iso_packets_buffer_init(), 'b->packets' is allocated through +kmalloc_array(). Then, the aligned packet size is checked. If it is +larger than PAGE_SIZE, -EINVAL will be returned to indicate the error. +However, the allocated 'b->packets' is not deallocated on this path, +leading to a memory leak. + +To fix the above issue, free 'b->packets' before returning the error code. + +Fixes: 31ef9134eb52 ("ALSA: add LaCie FireWire Speakers/Griffin FireWave Surround driver") +Signed-off-by: Wenwen Wang +Reviewed-by: Takashi Sakamoto +Cc: # v2.6.39+ +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/packets-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/packets-buffer.c ++++ b/sound/firewire/packets-buffer.c +@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_p + packets_per_page = PAGE_SIZE / packet_size; + if (WARN_ON(!packets_per_page)) { + err = -EINVAL; +- goto error; ++ goto err_packets; + } + pages = DIV_ROUND_UP(count, packets_per_page); + diff --git a/queue-4.4/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch b/queue-4.4/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..ee07119f360 --- /dev/null +++ b/queue-4.4/can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch 
@@ -0,0 +1,35 @@ +From 30a8beeb3042f49d0537b7050fd21b490166a3d9 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit 30a8beeb3042f49d0537b7050fd21b490166a3d9 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+513e4d0985298538bf9b@syzkaller.appspotmail.com +Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c +@@ -851,7 +851,7 @@ static int pcan_usb_fd_init(struct peak_ + goto err_out; + + /* allocate command buffer once for all for the interface */ +- pdev->cmd_buffer_addr = kmalloc(PCAN_UFD_CMD_BUFFER_SIZE, ++ pdev->cmd_buffer_addr = kzalloc(PCAN_UFD_CMD_BUFFER_SIZE, + GFP_KERNEL); + if (!pdev->cmd_buffer_addr) + goto err_out_1; diff --git a/queue-4.4/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch b/queue-4.4/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch new file mode 100644 index 00000000000..0de45982150 --- /dev/null +++ b/queue-4.4/can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch 
@@ -0,0 +1,35 @@ +From ead16e53c2f0ed946d82d4037c630e2f60f4ab69 Mon Sep 17 00:00:00 2001 +From: Tomas Bortoli +Date: Wed, 31 Jul 2019 10:54:47 -0400 +Subject: can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices + +From: Tomas Bortoli + +commit ead16e53c2f0ed946d82d4037c630e2f60f4ab69 upstream. + +Uninitialized Kernel memory can leak to USB devices. + +Fix by using kzalloc() instead of kmalloc() on the affected buffers. + +Signed-off-by: Tomas Bortoli +Reported-by: syzbot+d6a5a1a3657b596ef132@syzkaller.appspotmail.com +Fixes: f14e22435a27 ("net: can: peak_usb: Do not do dma on the stack") +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/usb/peak_usb/pcan_usb_pro.c ++++ b/drivers/net/can/usb/peak_usb/pcan_usb_pro.c +@@ -500,7 +500,7 @@ static int pcan_usb_pro_drv_loaded(struc + u8 *buffer; + int err; + +- buffer = kmalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); ++ buffer = kzalloc(PCAN_USBPRO_FCT_DRVLD_REQ_LEN, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + diff --git a/queue-4.4/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch b/queue-4.4/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch new file mode 100644 index 00000000000..b46483cfbd3 --- /dev/null +++ b/queue-4.4/hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch 
@@ -0,0 +1,56 @@ +From 38ada2f406a9b81fb1249c5c9227fa657e7d5671 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 26 Jul 2019 08:00:49 -0700 +Subject: hwmon: (nct7802) Fix wrong detection of in4 presence + +From: Guenter Roeck + +commit 38ada2f406a9b81fb1249c5c9227fa657e7d5671 upstream. + +The code to detect if in4 is present is wrong; if in4 is not present, +the in4_input sysfs attribute is still present. + +In detail: + +- Ihen RTD3_MD=11 (VSEN3 present), everything is as expected (no bug). +- If we have RTD3_MD!=11 (no VSEN3), we unexpectedly have a in4_input + file under /sys and the "sensors" command displays in4_input. + But as expected, we have no in4_min, in4_max, in4_alarm, in4_beep. + +Fix is_visible function to detect and report in4_input visibility +as expected. + +Reported-by: Gilles Buloz +Cc: Gilles Buloz +Cc: stable@vger.kernel.org +Fixes: 3434f37835804 ("hwmon: Driver for Nuvoton NCT7802Y") +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/nct7802.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/nct7802.c ++++ b/drivers/hwmon/nct7802.c +@@ -768,7 +768,7 @@ static struct attribute *nct7802_in_attr + &sensor_dev_attr_in3_alarm.dev_attr.attr, + &sensor_dev_attr_in3_beep.dev_attr.attr, + +- &sensor_dev_attr_in4_input.dev_attr.attr, /* 17 */ ++ &sensor_dev_attr_in4_input.dev_attr.attr, /* 16 */ + &sensor_dev_attr_in4_min.dev_attr.attr, + &sensor_dev_attr_in4_max.dev_attr.attr, + &sensor_dev_attr_in4_alarm.dev_attr.attr, +@@ -794,9 +794,9 @@ static umode_t nct7802_in_is_visible(str + + if (index >= 6 && index < 11 && (reg & 0x03) != 0x03) /* VSEN1 */ + return 0; +- if (index >= 11 && index < 17 && (reg & 0x0c) != 0x0c) /* VSEN2 */ ++ if (index >= 11 && index < 16 && (reg & 0x0c) != 0x0c) /* VSEN2 */ + return 0; +- if (index >= 17 && (reg & 0x30) != 0x30) /* VSEN3 */ ++ if (index >= 16 && (reg & 0x30) != 0x30) /* VSEN3 */ + return 0; + + return attr->mode; 
diff --git a/queue-4.4/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch b/queue-4.4/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch new file mode 100644 index 00000000000..797747d264f --- /dev/null +++ b/queue-4.4/mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch 
@@ -0,0 +1,53 @@ +From 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 26 Jul 2019 15:47:58 -0700 +Subject: mac80211: don't WARN on short WMM parameters from AP + +From: Brian Norris + +commit 05aaa5c97dce4c10a9e7eae2f1569a684e0c5ced upstream. + +In a very similar spirit to commit c470bdc1aaf3 ("mac80211: don't WARN +on bad WMM parameters from buggy APs"), an AP may not transmit a +fully-formed WMM IE. For example, it may miss or repeat an Access +Category. The above loop won't catch that and will instead leave one of +the four ACs zeroed out. This triggers the following warning in +drv_conf_tx() + + wlan0: invalid CW_min/CW_max: 0/0 + +and it may leave one of the hardware queues unconfigured. If we detect +such a case, let's just print a warning and fall back to the defaults. + +Tested with a hacked version of hostapd, intentionally corrupting the +IEs in hostapd_eid_wmm(). + +Cc: stable@vger.kernel.org +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190726224758.210953-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1892,6 +1892,16 @@ static bool ieee80211_sta_wmm_params(str + } + } + ++ /* WMM specification requires all 4 ACIs. */ ++ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { ++ if (params[ac].cw_min == 0) { ++ sdata_info(sdata, ++ "AP has invalid WMM params (missing AC %d), using defaults\n", ++ ac); ++ return false; ++ } ++ } ++ + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { + mlme_dbg(sdata, + "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n", diff --git a/queue-4.4/series b/queue-4.4/series index f3a32fb8e58..d3b673fb039 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -22,3 +22,10 @@ scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch perf-core-fix-creating-kernel-counters-for-pmus-that.patch +can-peak_usb-pcan_usb_pro-fix-info-leaks-to-usb-devices.patch +can-peak_usb-pcan_usb_fd-fix-info-leaks-to-usb-devices.patch +hwmon-nct7802-fix-wrong-detection-of-in4-presence.patch +alsa-firewire-fix-a-memory-leak-bug.patch +mac80211-don-t-warn-on-short-wmm-parameters-from-ap.patch +smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch +smb3-send-cap_dfs-capability-during-session-setup.patch diff --git a/queue-4.4/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch b/queue-4.4/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch new file mode 100644 index 00000000000..0f5beabda5c --- /dev/null +++ b/queue-4.4/smb3-fix-deadlock-in-validate-negotiate-hits-reconnect.patch 
@@ -0,0 +1,38 @@ +From e99c63e4d86d3a94818693147b469fa70de6f945 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Mon, 22 Jul 2019 11:34:59 -0700 +Subject: SMB3: Fix deadlock in validate negotiate hits reconnect + +From: Pavel Shilovsky + +commit e99c63e4d86d3a94818693147b469fa70de6f945 upstream. + +Currently we skip SMB2_TREE_CONNECT command when checking during +reconnect because Tree Connect happens when establishing +an SMB session. For SMB 3.0 protocol version the code also calls +validate negotiate which results in SMB2_IOCL command being sent +over the wire. This may deadlock on trying to acquire a mutex when +checking for reconnect. Fix this by skipping SMB2_IOCL command +when doing the reconnect check. + +Signed-off-by: Pavel Shilovsky +Signed-off-by: Steve French +Reviewed-by: Ronnie Sahlberg +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -171,7 +171,7 @@ smb2_reconnect(__le16 smb2_command, stru + if (tcon == NULL) + return 0; + +- if (smb2_command == SMB2_TREE_CONNECT) ++ if (smb2_command == SMB2_TREE_CONNECT || smb2_command == SMB2_IOCTL) + return 0; + + if (tcon->tidStatus == CifsExiting) { diff --git a/queue-4.4/smb3-send-cap_dfs-capability-during-session-setup.patch b/queue-4.4/smb3-send-cap_dfs-capability-during-session-setup.patch new file mode 100644 index 00000000000..f2b88e2743c --- /dev/null +++ b/queue-4.4/smb3-send-cap_dfs-capability-during-session-setup.patch 
@@ -0,0 +1,40 @@ +From 8d33096a460d5b9bd13300f01615df5bb454db10 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Thu, 25 Jul 2019 18:13:10 -0500 +Subject: smb3: send CAP_DFS capability during session setup + +From: Steve French + +commit 8d33096a460d5b9bd13300f01615df5bb454db10 upstream. + +We had a report of a server which did not do a DFS referral +because the session setup Capabilities field was set to 0 +(unlike negotiate protocol where we set CAP_DFS). Better to +send it session setup in the capabilities as well (this also +more closely matches Windows client behavior). + +Signed-off-by: Steve French +Reviewed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -677,7 +677,12 @@ ssetup_ntlmssp_authenticate: + else + req->SecurityMode = 0; + ++#ifdef CONFIG_CIFS_DFS_UPCALL ++ req->Capabilities = cpu_to_le32(SMB2_GLOBAL_CAP_DFS); ++#else + req->Capabilities = 0; ++#endif /* DFS_UPCALL */ ++ + req->Channel = 0; /* MBZ */ + + iov[0].iov_base = (char *)req;
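
Review bot: In queue-4.4/alsa-firewire-fix-a-memory-leak-bug.patch, the `goto err_packets;` that replaces `goto error;` in the `WARN_ON(!packets_per_page)` branch jumps to a label that lies outside the context shown. Before queueing, confirm that the 4.4 copy of iso_packets_buffer_init() has an err_packets label and that it frees b->packets and nothing that is not yet allocated at this point. The Cc line targets v2.6.39+, so this needs to hold for each tree the fix is applied to.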
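
Review bot: In the pcan_usb_fd.c hunk, kzalloc() zeroes cmd_buffer_addr only at allocation, while the comment directly above it says the buffer is allocated "once for all for the interface". A buffer that is reused across commands can still carry bytes left by an earlier, longer command, so check that the send path clears or bounds the buffer per command. The commit message also speaks of "the affected buffers" while this hunk changes a single allocation, so confirm that no other kmalloc() in pcan_usb_fd_init() feeds a USB transfer.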
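
Review bot: In the nct7802.c hunks, nct7802_in_is_visible() still selects attributes by literal positions (`index >= 11 && index < 16`, `index >= 16`) that are tied to the order of nct7802_in_attrs[] only through the `/* 16 */` comment, which is the same coupling this fix corrects. Consider named constants or an enum for the first index of each VSEN group so that a reordering of the array cannot silently desynchronise the checks. For the backport, verify that in4_input sits at index 16 in the 4.4 array as well.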
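
Review bot: In the mlme.c hunk, the added loop treats `params[ac].cw_min == 0` as "AC missing", which holds only if params[] is zeroed before the parsing loop above it (not visible in this context). It also rejects an AP that sends an AC with a cw_min of 0, although the log line then reports "missing AC". A short comment stating that 0 is the unset sentinel would make the assumption explicit. Since the sdata_info() line is triggered by AP-supplied data, consider whether it needs rate limiting.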
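
Review bot: In the smb2_reconnect() hunk, the new test `smb2_command == SMB2_IOCTL` returns 0 for every ioctl, not only for the validate negotiate request that the commit message names as the source of the deadlock. Any other SMB2_IOCTL issued on a tcon that needs reconnect now skips the reconnect check too. Either narrow the condition to the validate negotiate case or add a comment explaining why skipping all ioctls is safe here.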
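
Review bot: In the session setup hunk of smb3-send-cap_dfs-capability-during-session-setup.patch, the closing `#endif /* DFS_UPCALL */` does not name the symbol tested by `#ifdef CONFIG_CIFS_DFS_UPCALL`; use the full CONFIG_CIFS_DFS_UPCALL in the comment so the pair can be found with grep. The `Reviewed-off-by:` trailer in the commit message is also not a standard tag and will be missed by tooling that collects Reviewed-by lines.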