From: Greg Kroah-Hartman Date: Sat, 4 Jun 2016 19:43:05 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.72~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afcadf8474d7f51d44a9383ab4e541e569cc3ff0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: pipe-fix-buffer-offset-after-partially-failed-read.patch rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch --- diff --git a/queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch b/queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch new file mode 100644 index 00000000000..82ca8b4e59d --- /dev/null +++ b/queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch 
@@ -0,0 +1,61 @@ +From feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sat, 13 Feb 2016 02:34:52 +0000 +Subject: pipe: Fix buffer offset after partially failed read + +From: Ben Hutchings + +commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream. + +Quoting the RHEL advisory: + +> It was found that the fix for CVE-2015-1805 incorrectly kept buffer +> offset and buffer length in sync on a failed atomic read, potentially +> resulting in a pipe buffer state corruption. A local, unprivileged user +> could use this flaw to crash the system or leak kernel memory to user +> space. (CVE-2016-0774, Moderate) + +The same flawed fix was applied to stable branches from 2.6.32.y to +3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. +We need to give pipe_iov_copy_to_user() a separate offset variable +and only update the buffer offset if it succeeds. + +References: https://rhn.redhat.com/errata/RHSA-2016-0103.html +Signed-off-by: Ben Hutchings +Cc: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pipe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const stru + void *addr; + size_t chars = buf->len, remaining; + int error, atomic; ++ int offset; + + if (chars > total_len) + chars = total_len; +@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const stru + + atomic = !iov_fault_in_pages_write(iov, chars); + remaining = chars; ++ offset = buf->offset; + redo: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_to_user(iov, addr, &buf->offset, ++ error = pipe_iov_copy_to_user(iov, addr, &offset, + &remaining, atomic); + ops->unmap(pipe, buf, addr); + if (unlikely(error)) { +@@ -432,6 +434,7 @@ redo: + break; + } + ret += chars; ++ buf->offset += chars; + buf->len -= chars; + + /* Was it a packet buffer? Clean up and exit */ 
diff --git a/queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch b/queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch new file mode 100644 index 00000000000..bd348d5fc65 --- /dev/null +++ b/queue-3.14/rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch @@ -0,0 +1,38 @@ +From 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 Mon Sep 17 00:00:00 2001 +From: wang yanqing +Date: Tue, 3 May 2016 00:38:36 +0800 +Subject: rtlwifi: Fix logic error in enter/exit power-save mode + +From: wang yanqing + +commit 873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 upstream. + +In commit a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and +rtl_lps_enter() to use work queue"), the tests for enter/exit +power-save mode were inverted. With this change applied, the +wifi connection becomes much more stable. + +Fixes: a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue") +Signed-off-by: Wang YanQing +Acked-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/base.c ++++ b/drivers/net/wireless/rtlwifi/base.c +@@ -1401,9 +1401,9 @@ void rtl_watchdog_wq_callback(void *data + if (((rtlpriv->link_info.num_rx_inperiod + + rtlpriv->link_info.num_tx_inperiod) > 8) || + (rtlpriv->link_info.num_rx_inperiod > 2)) +- rtlpriv->enter_ps = true; +- else + rtlpriv->enter_ps = false; ++ else ++ rtlpriv->enter_ps = true; + + /* LeisurePS only work in infra mode. */ + schedule_work(&rtlpriv->works.lps_change_work); diff --git a/queue-3.14/series b/queue-3.14/series index 268c3b37e9c..1c99e75dd51 100644 --- a/queue-3.14/series +++ b/queue-3.14/series 
@@ -7,3 +7,5 @@ aacraid-relinquish-cpu-during-timeout-wait.patch aacraid-fix-for-aac_command_thread-hang.patch cpuidle-indicate-when-a-device-has-been-unregistered.patch pci-disable-all-bar-sizing-for-devices-with-non-compliant-bars.patch +rtlwifi-fix-logic-error-in-enter-exit-power-save-mode.patch +pipe-fix-buffer-offset-after-partially-failed-read.patch
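Review bot: In the second pipe_read() hunk of fs/pipe.c, `offset = buf->offset;` is taken before the `redo:` label with no comment, so the invariant this fix depends on is recorded only in the commit message. Suggest a short comment at that line saying that `offset` is a local cursor for pipe_iov_copy_to_user(), that whatever the first attempt wrote into `offset` and `remaining` carries over to the retry after `redo:`, and that `buf->offset` is advanced only together with `buf->len` once the copy has succeeded (the `buf->offset += chars;` / `buf->len -= chars;` pair in the last hunk). It is also worth confirming that `int offset` matches the type of `buf->offset` and of the pointer parameter it is passed to, since `chars` and `remaining` declared beside it are `size_t`.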
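Review bot: In the rtl_watchdog_wq_callback() hunk of drivers/net/wireless/rtlwifi/base.c, the if/else that assigns `rtlpriv->enter_ps` has already been inverted once, and the thresholds `> 8` and `> 2` are bare numbers with no comment, so the code still does not tell the next reader which branch is the busy case. Suggest naming the condition (for example a local bool such as `busy`, a hypothetical name) and assigning `rtlpriv->enter_ps = !busy;`, or at least adding a comment above the test that traffic over these thresholds in the period means the device should stay out of power save.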