From: Greg Kroah-Hartman Date: Mon, 4 Nov 2019 10:25:34 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.199~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb2e43733640f2b1a6add8b616c9c718ba4c0575;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch nl80211-fix-validation-of-mesh-path-nexthop.patch rtlwifi-fix-potential-overflow-on-p2p-code.patch s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
---
diff --git a/queue-4.9/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch b/queue-4.9/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
new file mode 100644
index 00000000000..3a031ecac47
--- /dev/null
+++ b/queue-4.9/dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch
@@ -0,0 +1,74 @@ +From bacdcb6675e170bb2e8d3824da220e10274f42a7 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Wed, 23 Oct 2019 08:31:38 -0700 +Subject: dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle + +From: Tony Lindgren + +commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream. + +Yegor Yefremov reported that musb and ftdi +uart can fail for the first open of the uart unless connected using +a hub. + +This is because the first dma call done by musb_ep_program() must wait +if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues +with other non-dma packets before the DMA transfer is started causing at +least ftdi uarts to fail to receive data. + +Let's fix the issue by waking up cppi41 with PM runtime calls added to +cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we +have musb_ep_program() continue with PIO until cppi41 is awake. + +Fixes: fdea2d09b997 ("dmaengine: cppi41: Add basic PM runtime support") +Reported-by: Yegor Yefremov +Signed-off-by: Tony Lindgren +Cc: stable@vger.kernel.org # v4.9+ +Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/cppi41.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/drivers/dma/cppi41.c ++++ b/drivers/dma/cppi41.c +@@ -586,9 +586,22 @@ static struct dma_async_tx_descriptor *c + enum dma_transfer_direction dir, unsigned long tx_flags, void *context) + { + struct cppi41_channel *c = to_cpp41_chan(chan); ++ struct dma_async_tx_descriptor *txd = NULL; ++ struct cppi41_dd *cdd = c->cdd; + struct cppi41_desc *d; + struct scatterlist *sg; + unsigned int i; ++ int error; ++ ++ error = pm_runtime_get(cdd->ddev.dev); ++ if (error < 0) { ++ pm_runtime_put_noidle(cdd->ddev.dev); ++ ++ return NULL; ++ } ++ ++ if (cdd->is_suspended) ++ goto err_out_not_ready; + + d = c->desc; + for_each_sg(sgl, sg, sg_len, i) { +@@ -611,7 +624,13 @@ static 
struct dma_async_tx_descriptor *c + d++; + } + +- return &c->txd; ++ txd = &c->txd; ++ ++err_out_not_ready: ++ pm_runtime_mark_last_busy(cdd->ddev.dev); ++ pm_runtime_put_autosuspend(cdd->ddev.dev); ++ ++ return txd; + } + + static void cppi41_compute_td_desc(struct cppi41_desc *d) diff --git a/queue-4.9/nl80211-fix-validation-of-mesh-path-nexthop.patch b/queue-4.9/nl80211-fix-validation-of-mesh-path-nexthop.patch new file mode 100644 index 00000000000..af2ea57724b --- /dev/null +++ b/queue-4.9/nl80211-fix-validation-of-mesh-path-nexthop.patch @@ -0,0 +1,35 @@ +From 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Tue, 29 Oct 2019 10:30:03 +0100 +Subject: nl80211: fix validation of mesh path nexthop + +From: Markus Theil + +commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream. + +Mesh path nexthop should be a ethernet address, but current validation +checks against 4 byte integers. + +Cc: stable@vger.kernel.org +Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping") +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -295,7 +295,8 @@ static const struct nla_policy nl80211_p + [NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ }, + [NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY, + .len = IEEE80211_MAX_MESH_ID_LEN }, +- [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 }, ++ [NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_BINARY, ++ .len = ETH_ALEN }, + + [NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 }, + [NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED }, 
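Review bot: `cdd->is_suspended` is read with no lock or barrier immediately after `pm_runtime_get()`, which only queues the resume and returns, so if the flag is written under `cdd->lock` by the runtime suspend/resume callbacks (not visible in this hunk) this is a plain racy read whose only consequence is a spurious NULL — tolerable, but it should be stated in the code. A comment above the test would do it: `/* pm_runtime_get() is asynchronous; if the controller is still suspended, return NULL so the caller (musb_ep_program) falls back to PIO */`. The early `return NULL` after `pm_runtime_put_noidle()` is the correct cleanup for a failed get, and both the normal and the not-ready paths drop the reference through `pm_runtime_put_autosuspend()`. Every caller of this prep callback must tolerate a NULL descriptor; the commit message says musb does, but other users of this DMA engine are not visible here. The function's signature is cut by the nested hunk header and the scatterlist loop between the two nested hunks is outside view.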
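Review bot: The new `NLA_BINARY` entry with `.len = ETH_ALEN` only caps the attribute's maximum length in this kernel's nla validator, so a next-hop attribute shorter than six bytes — even an empty one — now passes policy validation, whereas the old `NLA_U32` entry at least enforced a four-byte minimum. Any handler that treats `nla_data()` of this attribute as a full Ethernet address (the mpath set/new handlers, not visible in this hunk) would then read past the attribute payload into adjacent netlink data. 4.9 has no `NLA_POLICY_EXACT_LEN`, so the exact-length check belongs in the handler: `if (nla_len(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]) != ETH_ALEN) return -EINVAL;`. The over-read stays inside the received skb and these commands are presumably admin-only, so the impact is bounded, but the policy change alone still leaves the length unchecked. The `nl80211_policy` table begins and ends outside this hunk.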
diff --git a/queue-4.9/rtlwifi-fix-potential-overflow-on-p2p-code.patch b/queue-4.9/rtlwifi-fix-potential-overflow-on-p2p-code.patch new file mode 100644 index 00000000000..bef47fdf071 --- /dev/null +++ b/queue-4.9/rtlwifi-fix-potential-overflow-on-p2p-code.patch @@ -0,0 +1,46 @@ +From 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Fri, 18 Oct 2019 07:43:21 -0400 +Subject: rtlwifi: Fix potential overflow on P2P code + +From: Laura Abbott + +commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream. + +Nicolas Waisman noticed that even though noa_len is checked for +a compatible length it's still possible to overrun the buffers +of p2pinfo since there's no check on the upper bound of noa_num. +Bound noa_num against P2P_MAX_NOA_NUM. + +Reported-by: Nicolas Waisman +Signed-off-by: Laura Abbott +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/ps.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/ps.c ++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c +@@ -770,6 +770,9 @@ static void rtl_p2p_noa_ie(struct ieee80 + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == +@@ -864,6 +867,9 @@ static void rtl_p2p_action_ie(struct iee + return; + } else { + noa_num = (noa_len - 2) / 13; ++ if (noa_num > P2P_MAX_NOA_NUM) ++ noa_num = P2P_MAX_NOA_NUM; ++ + } + noa_index = ie[3]; + if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == diff --git a/queue-4.9/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch b/queue-4.9/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch new file mode 100644 index 00000000000..fcb9605b20b --- /dev/null +++ b/queue-4.9/s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch 
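Review bot: Both clamps silently truncate the NoA descriptor count to `P2P_MAX_NOA_NUM` instead of rejecting the IE, and the descriptors beyond the kept ones are then dropped without a trace; that is a defensible choice for a frame parser but deserves a comment, e.g. `/* An IE may advertise more NoA descriptors than p2p_ps_info can hold; keep only the first P2P_MAX_NOA_NUM to avoid overrunning its arrays */`. The three-line clamp is duplicated verbatim in rtl_p2p_noa_ie() and rtl_p2p_action_ie(); `noa_num = min_t(int, (noa_len - 2) / 13, P2P_MAX_NOA_NUM);` (using noa_num's actual type) collapses it to one line, or better, both parsers could share one helper. The count still relies on the preceding branch (only its `return;` is visible) having rejected `noa_len < 2`, and the loop that consumes `noa_num` and `noa_index = ie[3]` is outside the hunk, so I have not verified that no other IE-derived index is unbounded. Both enclosing functions start and end outside this hunk.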
@@ -0,0 +1,66 @@ +From b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f Mon Sep 17 00:00:00 2001 +From: Yihui ZENG +Date: Fri, 25 Oct 2019 12:31:48 +0300 +Subject: s390/cmm: fix information leak in cmm_timeout_handler() + +From: Yihui ZENG + +commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream. + +The problem is that we were putting the NUL terminator too far: + + buf[sizeof(buf) - 1] = '\0'; + +If the user input isn't NUL terminated and they haven't initialized the +whole buffer then it leads to an info leak. The NUL terminator should +be: + + buf[len - 1] = '\0'; + +Signed-off-by: Yihui Zeng +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +[heiko.carstens@de.ibm.com: keep semantics of how *lenp and *ppos are handled] +Signed-off-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/mm/cmm.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/s390/mm/cmm.c ++++ b/arch/s390/mm/cmm.c +@@ -306,16 +306,16 @@ static int cmm_timeout_handler(struct ct + } + + if (write) { +- len = *lenp; +- if (copy_from_user(buf, buffer, +- len > sizeof(buf) ? sizeof(buf) : len)) ++ len = min(*lenp, sizeof(buf)); ++ if (copy_from_user(buf, buffer, len)) + return -EFAULT; +- buf[sizeof(buf) - 1] = '\0'; ++ buf[len - 1] = '\0'; + cmm_skip_blanks(buf, &p); + nr = simple_strtoul(p, &p, 0); + cmm_skip_blanks(p, &p); + seconds = simple_strtoul(p, &p, 0); + cmm_set_timeout(nr, seconds); ++ *ppos += *lenp; + } else { + len = sprintf(buf, "%ld %ld\n", + cmm_timeout_pages, cmm_timeout_seconds); +@@ -323,9 +323,9 @@ static int cmm_timeout_handler(struct ct + len = *lenp; + if (copy_to_user(buffer, buf, len)) + return -EFAULT; ++ *lenp = len; ++ *ppos += len; + } +- *lenp = len; +- *ppos += len; + return 0; + } + diff --git a/queue-4.9/series b/queue-4.9/series index ab69ec30301..ada77bed57a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
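Review bot: `buf[len - 1] = '\0'` writes before the array when `len` is zero, and `len = min(*lenp, sizeof(buf))` is zero whenever `*lenp` is; this is safe only because of the `!*lenp` early return that in mainline sits above the hunk (the closing brace on the hunk's first context line is presumably that guard), which has now become a silent precondition of the copy. A one-line comment would keep the next refactor from breaking it: `/* *lenp != 0 was checked above, so len >= 1 and the terminator stays inside buf */`. The fix itself is right: terminating at `len - 1` means `simple_strtoul()` can no longer scan past the bytes actually copied from userspace into uninitialized stack, which is the leak the commit describes. Note that a write of exactly `sizeof(buf)` bytes loses its last character to the terminator, matching the pre-existing behaviour. cmm_timeout_handler() begins and ends outside this hunk.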
@@ -44,3 +44,7 @@ usb-serial-whiteheat-fix-line-speed-endianness.patch
 hid-i2c-hid-add-trekstor-primebook-c11b-to-descriptor-override.patch
 hid-fix-assumption-that-devices-have-inputs.patch
 hid-fix-error-message-in-hid_open_report.patch
+nl80211-fix-validation-of-mesh-path-nexthop.patch
+s390-cmm-fix-information-leak-in-cmm_timeout_handler.patch
+rtlwifi-fix-potential-overflow-on-p2p-code.patch
+dmaengine-cppi41-fix-cppi41_dma_prep_slave_sg-when-idle.patch