From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 9 May 2017 09:18:05 +0000 (+0200)
Subject: 4.11-stable patches
X-Git-Tag: v4.4.68~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db16d46233a83831b2a467ddaeaaaeb9bfe0dbcf;p=thirdparty%2Fkernel%2Fstable-queue.git

4.11-stable patches

added patches:
	brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
	brcmfmac-make-skb-header-writable-before-use.patch
	power-supply-lp8788-prevent-out-of-bounds-array-access.patch
---

diff --git a/queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch b/queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
new file mode 100644
index 00000000000..f7927bd3157
--- /dev/null
+++ b/queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
@@ -0,0 +1,44 @@
+From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Mon, 24 Apr 2017 12:40:50 +0100
+Subject: brcmfmac: Ensure pointer correctly set if skb data location changes
+
+From: James Hughes <james.hughes@raspberrypi.org>
+
+commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream.
+
+The incoming skb header may be resized if header space is
+insufficient, which might change the data adddress in the skb.
+Ensure that a cached pointer to that data is correctly set by
+moving assignment to after any possible changes.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 	int ret;
+ 	struct brcmf_if *ifp = netdev_priv(ndev);
+ 	struct brcmf_pub *drvr = ifp->drvr;
+-	struct ethhdr *eh = (struct ethhdr *)(skb->data);
++	struct ethhdr *eh;
+ 
+ 	brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+ 
+@@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
++	eh = (struct ethhdr *)(skb->data);
++
+ 	if (eh->h_proto == htons(ETH_P_PAE))
+ 		atomic_inc(&ifp->pend_8021x_cnt);
+ 
diff --git a/queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch b/queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch
new file mode 100644
index 00000000000..f19c7bc1983
--- /dev/null
+++ b/queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch
@@ -0,0 +1,55 @@
+From 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 Mon Sep 17 00:00:00 2001
+From: James Hughes <james.hughes@raspberrypi.org>
+Date: Tue, 25 Apr 2017 10:15:06 +0100
+Subject: brcmfmac: Make skb header writable before use
+
+From: James Hughes <james.hughes@raspberrypi.org>
+
+commit 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 upstream.
+
+The driver was making changes to the skb_header without
+ensuring it was writable (i.e. uncloned).
+This patch also removes some boiler plate header size
+checking/adjustment code as that is also handled by the
+skb_cow_header function used to make header writable.
+
+Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c |   19 ++++------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -211,22 +211,13 @@ static netdev_tx_t brcmf_netdev_start_xm
+ 		goto done;
+ 	}
+ 
+-	/* Make sure there's enough room for any header */
+-	if (skb_headroom(skb) < drvr->hdrlen) {
+-		struct sk_buff *skb2;
+-
+-		brcmf_dbg(INFO, "%s: insufficient headroom\n",
++	/* Make sure there's enough writable headroom*/
++	ret = skb_cow_head(skb, drvr->hdrlen);
++	if (ret < 0) {
++		brcmf_err("%s: skb_cow_head failed\n",
+ 			  brcmf_ifname(ifp));
+-		drvr->bus_if->tx_realloc++;
+-		skb2 = skb_realloc_headroom(skb, drvr->hdrlen);
+ 		dev_kfree_skb(skb);
+-		skb = skb2;
+-		if (skb == NULL) {
+-			brcmf_err("%s: skb_realloc_headroom failed\n",
+-				  brcmf_ifname(ifp));
+-			ret = -ENOMEM;
+-			goto done;
+-		}
++		goto done;
+ 	}
+ 
+ 	/* validate length for ether packet */
diff --git a/queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch b/queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch
new file mode 100644
index 00000000000..a349c6652eb
--- /dev/null
+++ b/queue-4.11/power-supply-lp8788-prevent-out-of-bounds-array-access.patch
@@ -0,0 +1,39 @@
+From bdd9968d35f7fcdb76089347d1529bf079534214 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Giedrius=20Statkevi=C4=8Dius?=
+ <giedrius.statkevicius@gmail.com>
+Date: Sat, 25 Mar 2017 18:00:49 +0200
+Subject: power: supply: lp8788: prevent out of bounds array access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Giedrius StatkeviÄius <giedrius.statkevicius@gmail.com>
+
+commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream.
+
+val might become 7 in which case stime[7] (array of length 7) would be
+accessed during the scnprintf call later and that will cause issues.
+Obviously, string concatenation is not intended here so just a comma needs
+to be added to fix the issue.
+
+Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
+Signed-off-by: Giedrius StatkeviÄius <giedrius.statkevicius@gmail.com>
+Acked-by: Milo Kim <milo.kim@ti.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/supply/lp8788-charger.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -651,7 +651,7 @@ static ssize_t lp8788_show_eoc_time(stru
+ {
+ 	struct lp8788_charger *pchg = dev_get_drvdata(dev);
+ 	char *stime[] = { "400ms", "5min", "10min", "15min",
+-			"20min", "25min", "30min" "No timeout" };
++			"20min", "25min", "30min", "No timeout" };
+ 	u8 val;
+ 
+ 	lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val);
diff --git a/queue-4.11/series b/queue-4.11/series
index cdf2f31fcb8..c5c06d6c91f 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -1,2 +1,5 @@
 dm-ioctl-prevent-stack-leak-in-dm-ioctl-call.patch
 drm-sti-fix-gdp-size-to-support-up-to-uhd-resolution.patch
+power-supply-lp8788-prevent-out-of-bounds-array-access.patch
+brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch
+brcmfmac-make-skb-header-writable-before-use.patch