From: Greg Kroah-Hartman
Date: Thu, 11 Oct 2018 15:07:51 +0000 (+0200)
Subject: 4.18-stable patches
X-Git-Tag: v3.18.124~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f9c32f58f79e7346e8371999227113dbf3692acd;p=thirdparty%2Fkernel%2Fstable-queue.git
4.18-stable patches
added patches:
ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch
---
diff --git a/queue-4.18/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch b/queue-4.18/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
new file mode 100644
index 00000000000..533ad080bd4
--- /dev/null
+++ b/queue-4.18/ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
@@ -0,0 +1,61 @@
+From c8291988806407e02a01b4b15b4504eafbcc04e0 Mon Sep 17 00:00:00 2001
+From: Zhi Chen
+Date: Mon, 18 Jun 2018 17:00:39 +0300
+Subject: ath10k: fix scan crash due to incorrect length calculation
+
+From: Zhi Chen
+
+commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
+
+Length of WMI scan message was not calculated correctly. The allocated
+buffer was smaller than what we expected. So WMI message corrupted
+skb_info, which is at the end of skb->data. This fix takes TLV header
+into account even if the element is zero-length.
+
+Crash log:
+ [49.629986] Unhandled kernel unaligned access[#1]:
+ [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
+ [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
+ [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
+ [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
+ [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
+ [49.662898] $12 : 33322037 000110f2 00000000 31203930
+ [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
+ [49.673757] $20 : 00000000 0000012c 00000040 80470000
+ [49.679186] $24 : 00000000 8024af7c
+ [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
+ [49.690046] Hi : 00000000
+ [49.693022] Lo : 453c0000
+ [49.696013] epc : 800efae4 put_page+0x0/0x58
+ [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
+ [49.706184] Status: 1000fc03 KERNEL EXL IE
+ [49.710531] Cause : 00800010 (ExcCode 04)
+ [49.714669] BadVA : 45259e89
+ [49.717644] PrId : 00019374 (MIPS 24Kc)
+
+Signed-off-by: Zhi Chen
+Signed-off-by: Kalle Valo
+Cc: Brian Norris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -1619,10 +1619,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct
+ bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
+ ie_len = roundup(arg->ie_len, 4);
+ len = (sizeof(*tlv) + sizeof(*cmd)) +
+- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
+- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
+- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
+- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
++ sizeof(*tlv) + chan_len +
++ sizeof(*tlv) + ssid_len +
++ sizeof(*tlv) + bssid_len +
++ sizeof(*tlv) + ie_len;
+
+ skb = ath10k_wmi_alloc_skb(ar, len);
+ if (!skb)
diff --git a/queue-4.18/rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch b/queue-4.18/rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch
new file mode 100644
index 00000000000..aa57db8889d
--- /dev/null
+++ b/queue-4.18/rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch
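Review bot: In the ath10k patch, the rewritten `len = ...` sum in ath10k_wmi_tlv_op_gen_start_scan() has no comment explaining why each of the four arrays now contributes `sizeof(*tlv)` unconditionally, and that invariant is the one whose loss let the WMI message overrun skb->data according to the commit message. I would add above the assignment `/* Each array TLV header is written even when the array is empty; always reserve sizeof(*tlv) per array or the skb is under-allocated. */`. The code that fills the TLVs lies outside the hunk, so it should be confirmed that it pads the IE payload to the same `roundup(arg->ie_len, 4)` that is reserved here. The function body starts and ends outside the hunk.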
@@ -0,0 +1,83 @@
+From f394ad28feffbeebab77c8bf9a203bd49b957c9a Mon Sep 17 00:00:00 2001
+From: Ka-Cheong Poon
+Date: Mon, 30 Jul 2018 22:48:41 -0700
+Subject: rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
+
+From: Ka-Cheong Poon
+
+commit f394ad28feffbeebab77c8bf9a203bd49b957c9a upstream.
+
+Currently, rds_ib_conn_alloc() calls rds_ib_recv_alloc_caches()
+without passing along the gfp_t flag. But rds_ib_recv_alloc_caches()
+and rds_ib_recv_alloc_cache() should take a gfp_t parameter so that
+rds_ib_recv_alloc_cache() can call alloc_percpu_gfp() using the
+correct flag instead of calling alloc_percpu().
+
+Signed-off-by: Ka-Cheong Poon
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Cc: HÃ¥kon Bugge
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/ib.h | 2 +-
+ net/rds/ib_cm.c | 2 +-
+ net/rds/ib_recv.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/rds/ib.h
++++ b/net/rds/ib.h
+@@ -371,7 +371,7 @@ void rds_ib_mr_cqe_handler(struct rds_ib
+ int rds_ib_recv_init(void);
+ void rds_ib_recv_exit(void);
+ int rds_ib_recv_path(struct rds_conn_path *conn);
+-int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic);
++int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic, gfp_t gfp);
+ void rds_ib_recv_free_caches(struct rds_ib_connection *ic);
+ void rds_ib_recv_refill(struct rds_connection *conn, int prefill, gfp_t gfp);
+ void rds_ib_inc_free(struct rds_incoming *inc);
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -949,7 +949,7 @@ int rds_ib_conn_alloc(struct rds_connect
+ if (!ic)
+ return -ENOMEM;
+
+- ret = rds_ib_recv_alloc_caches(ic);
++ ret = rds_ib_recv_alloc_caches(ic, gfp);
+ if (ret) {
+ kfree(ic);
+ return ret;
+--- a/net/rds/ib_recv.c
++++ b/net/rds/ib_recv.c
+@@ -98,12 +98,12 @@ static void rds_ib_cache_xfer_to_ready(s
+ }
+ }
+
+-static int rds_ib_recv_alloc_cache(struct rds_ib_refill_cache *cache)
++static int rds_ib_recv_alloc_cache(struct rds_ib_refill_cache *cache, gfp_t gfp)
+ {
+ struct rds_ib_cache_head *head;
+ int cpu;
+
+- cache->percpu = alloc_percpu(struct rds_ib_cache_head);
++ cache->percpu = alloc_percpu_gfp(struct rds_ib_cache_head, gfp);
+ if (!cache->percpu)
+ return -ENOMEM;
+
+@@ -118,13 +118,13 @@ static int rds_ib_recv_alloc_cache(struc
+ return 0;
+ }
+
+-int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic)
++int rds_ib_recv_alloc_caches(struct rds_ib_connection *ic, gfp_t gfp)
+ {
+ int ret;
+
+- ret = rds_ib_recv_alloc_cache(&ic->i_cache_incs);
++ ret = rds_ib_recv_alloc_cache(&ic->i_cache_incs, gfp);
+ if (!ret) {
+- ret = rds_ib_recv_alloc_cache(&ic->i_cache_frags);
++ ret = rds_ib_recv_alloc_cache(&ic->i_cache_frags, gfp);
+ if (ret)
+ free_percpu(ic->i_cache_incs.percpu);
+ }
diff --git a/queue-4.18/series b/queue-4.18/series
index 3a30fe6de8d..8586efdf97c 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
@@ -40,3 +40,5 @@ f2fs-fix-invalid-memory-access.patch
 tipc-call-start-and-done-ops-directly-in-__tipc_nl_compat_dumpit.patch
 ucma-fix-a-use-after-free-in-ucma_resolve_ip.patch
 ubifs-check-for-name-being-null-while-mounting.patch
+rds-rds_ib_recv_alloc_cache-should-call-alloc_percpu_gfp-instead.patch
+ath10k-fix-scan-crash-due-to-incorrect-length-calculation.patch
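Review bot: In the rds patch's net/rds/ib_recv.c section, rds_ib_recv_alloc_cache() now forwards the caller's `gfp` to alloc_percpu_gfp(), but neither it nor rds_ib_recv_alloc_caches() documents which flags callers may pass or what the failure contract is. With a mask that is not a full GFP_KERNEL the percpu allocator presumably takes its non-blocking path and fails more readily, so -ENOMEM becomes an ordinary result; the ib_cm.c section does handle it by freeing `ic`. I would add above rds_ib_recv_alloc_caches() a comment such as `/* @gfp: allocation context of the caller; returns -ENOMEM if either percpu cache cannot be allocated, leaving neither allocated. */`. The bodies of rds_ib_recv_alloc_cache(), rds_ib_recv_alloc_caches() and rds_ib_conn_alloc() extend outside the hunks shown.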