From 3ac93eab2fd2a16ae066e248704fe94242239a8e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 19 Jul 2018 18:41:28 +0200
Subject: [PATCH] 4.9-stable patches
added patches:
net-cxgb3_main-fix-potential-spectre-v1.patch
net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
---
 ...-cxgb3_main-fix-potential-spectre-v1.patch | 53 ++++++++++++++++++
 ...e-in-tx-pending-skb-size-calculation.patch | 55 +++++++++++++++++++
 ...1ae-fix-firmware-is-not-ready-to-run.patch | 41 ++++++++++++++
 queue-4.9/series | 3 +
 4 files changed, 152 insertions(+)
 create mode 100644 queue-4.9/net-cxgb3_main-fix-potential-spectre-v1.patch
 create mode 100644 queue-4.9/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
 create mode 100644 queue-4.9/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
diff --git a/queue-4.9/net-cxgb3_main-fix-potential-spectre-v1.patch b/queue-4.9/net-cxgb3_main-fix-potential-spectre-v1.patch
new file mode 100644
index 00000000000..404daf32fa2
--- /dev/null
+++ b/queue-4.9/net-cxgb3_main-fix-potential-spectre-v1.patch
@@ -0,0 +1,53 @@
+From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Mon, 16 Jul 2018 20:59:58 -0500
+Subject: net: cxgb3_main: fix potential Spectre v1
+
+From: Gustavo A. R. Silva
+
+commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream.
+
+t.qset_idx can be indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
+warn: potential spectre issue 'adapter->msix_info'
+
+Fix this by sanitizing t.qset_idx before using it to index
+adapter->msix_info
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+@@ -50,6 +50,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "common.h"
+@@ -2259,6 +2260,7 @@ static int cxgb_extension_ioctl(struct n
+
+ if (t.qset_idx >= nqsets)
+ return -EINVAL;
++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets);
+
+ q = &adapter->params.sge.qset[q1 + t.qset_idx];
+ t.rspq_size = q->rspq_size;
diff --git a/queue-4.9/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch b/queue-4.9/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
new file mode 100644
index 00000000000..dff5ffc838c
--- /dev/null
+++ b/queue-4.9/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
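Review bot: The clamp `t.qset_idx = array_index_nospec(t.qset_idx, nqsets);` in the second nested hunk (at -2259) carries no comment explaining why a value that has just passed `if (t.qset_idx >= nqsets)` is masked again, so a later cleanup could mistake it for dead code. I would add `/* user-controlled index: clamp under speculation (Spectre v1) */` directly above it. The Smatch warning quoted in the description names `adapter->msix_info`, while the first dependent load visible here is `adapter->params.sge.qset[q1 + t.qset_idx]`; the clamp bounds t.qset_idx alone, so it protects both accesses only if `q1 + nqsets` stays inside each array, which depends on code outside the hunk. cxgb_extension_ioctl() starts and ends outside the hunk, so other cases in it that index with a user-supplied value cannot be checked from this page.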
@@ -0,0 +1,55 @@
+From dea39aca1d7aef1e2b95b07edeacf04cc8863a2e Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Sun, 15 Jul 2018 21:53:20 +0200
+Subject: net: lan78xx: Fix race in tx pending skb size calculation
+
+From: Stefan Wahren
+
+commit dea39aca1d7aef1e2b95b07edeacf04cc8863a2e upstream.
+
+The skb size calculation in lan78xx_tx_bh is in race with the start_xmit,
+which could lead to rare kernel oopses. So protect the whole skb walk with
+a spin lock. As a benefit we can unlink the skb directly.
+
+This patch was tested on Raspberry Pi 3B+
+
+Link: https://github.com/raspberrypi/linux/issues/2608
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet")
+Cc: stable
+Signed-off-by: Floris Bos
+Signed-off-by: Stefan Wahren
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/lan78xx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2964,6 +2964,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ pkt_cnt = 0;
+ count = 0;
+ length = 0;
++ spin_lock_irqsave(&tqp->lock, flags);
+ for (skb = tqp->next; pkt_cnt < tqp->qlen; skb = skb->next) {
+ if (skb_is_gso(skb)) {
+ if (pkt_cnt) {
+@@ -2972,7 +2973,8 @@ static void lan78xx_tx_bh(struct lan78xx
+ }
+ count = 1;
+ length = skb->len - TX_OVERHEAD;
+- skb2 = skb_dequeue(tqp);
++ __skb_unlink(skb, tqp);
++ spin_unlock_irqrestore(&tqp->lock, flags);
+ goto gso_skb;
+ }
+
+@@ -2981,6 +2983,7 @@ static void lan78xx_tx_bh(struct lan78xx
+ skb_totallen = skb->len + roundup(skb_totallen, sizeof(u32));
+ pkt_cnt++;
+ }
++ spin_unlock_irqrestore(&tqp->lock, flags);
+
+ /* copy to a single skb */
+ skb = alloc_skb(skb_totallen, GFP_ATOMIC);
diff --git a/queue-4.9/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch b/queue-4.9/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
new file mode 100644
index 00000000000..f990ef547a8
--- /dev/null
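Review bot: The totals computed under `tqp->lock` (`pkt_cnt`, `skb_totallen`) are consumed only after the `spin_unlock_irqrestore()` added in the third nested hunk, so the copy step following `alloc_skb()` still relies on no other context removing skbs from `tqp` in between; that code is outside the hunk and should be checked against this assumption. The locking would be easier to audit with a comment at the lock site, for example `/* tqp->lock held for the whole walk; start_xmit may queue concurrently */`, and a short one at the early unlock before `goto gso_skb`, because the loop now has three exits (goto, break, normal end) and each must release the lock. `flags` is used but not declared in the visible lines; presumably it already exists in lan78xx_tx_bh(), whose body starts and ends outside the hunk.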
+++ b/queue-4.9/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
@@ -0,0 +1,41 @@
+From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih
+Date: Thu, 28 Jun 2018 10:02:27 +0800
+Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run
+
+From: Ping-Ke Shih
+
+commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream.
+
+Without this patch, firmware will not run properly on rtl8821ae, and it
+causes bad user experience. For example, bad connection performance with
+low rate, higher power consumption, and so on.
+
+rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and
+each firmware has firmware data buffer and size individually. Original
+code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and
+this mismatch causes firmware checksum error, then firmware can't start.
+
+In this situation, driver gives message "Firmware is not ready to run!".
+
+Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware")
+Signed-off-by: Ping-Ke Shih
+Cc: Stable # 4.0+
+Reviewed-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtlwifi/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/core.c
++++ b/drivers/net/wireless/realtek/rtlwifi/core.c
+@@ -131,7 +131,6 @@ found_alt:
+ firmware->size);
+ rtlpriv->rtlhal.wowlan_fwsize = firmware->size;
+ }
+- rtlpriv->rtlhal.fwsize = firmware->size;
+ release_firmware(firmware);
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index d7fc4f4468c..1aa6c08e3b5 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -31,3 +31,6 @@ tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch
 vhost_net-validate-sock-before-trying-to-put-its-fd.patch
 net-packet-fix-use-after-free.patch
 net-mlx5-fix-command-interface-race-in-polling-mode.patch
+net-cxgb3_main-fix-potential-spectre-v1.patch
+rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch
+net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch
--
2.47.3