From b8e53821e9488a674f786ab8a2e36e8fb3b8a6c8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 14 Jan 2020 09:24:32 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
ath10k-fix-memory-leak.patch
mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
rpmsg-char-release-allocated-memory.patch
rtl8xxxu-prevent-leaking-urb.patch
scsi-bfa-release-allocated-memory-in-case-of-error.patch
staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
---
 queue-5.4/ath10k-fix-memory-leak.patch | 31 ++++++++++
 ...erflow-in-mwifiex_process_country_ie.patch | 62 +++++++++++++++++++
 ...eak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch | 37 +++++++++++
 .../rpmsg-char-release-allocated-memory.patch | 36 +++++++++++
 queue-5.4/rtl8xxxu-prevent-leaking-urb.patch | 32 ++++++++++
 ...se-allocated-memory-in-case-of-error.patch | 36 +++++++++++
 queue-5.4/series | 7 +++
 ...ove-bool-from-vnt_radio_power_on-ret.patch | 30 +++++++++
 8 files changed, 271 insertions(+)
 create mode 100644 queue-5.4/ath10k-fix-memory-leak.patch
 create mode 100644 queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
 create mode 100644 queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
 create mode 100644 queue-5.4/rpmsg-char-release-allocated-memory.patch
 create mode 100644 queue-5.4/rtl8xxxu-prevent-leaking-urb.patch
 create mode 100644 queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch
 create mode 100644 queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
diff --git a/queue-5.4/ath10k-fix-memory-leak.patch b/queue-5.4/ath10k-fix-memory-leak.patch
new file mode 100644
index 00000000000..ceb3a268d8f
--- /dev/null
+++ b/queue-5.4/ath10k-fix-memory-leak.patch
@@ -0,0 +1,31 @@
+From b8d17e7d93d2beb89e4f34c59996376b8b544792 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 19 Sep 2019 20:36:26 -0500
+Subject: ath10k: fix memory leak
+
+From: Navid Emamdoost
+
+commit b8d17e7d93d2beb89e4f34c59996376b8b544792 upstream.
+
+In ath10k_usb_hif_tx_sg the allocated urb should be released if
+usb_submit_urb fails.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -443,6 +443,7 @@ static int ath10k_usb_hif_tx_sg(struct a
+ ath10k_dbg(ar, ATH10K_DBG_USB_BULK,
+ "usb bulk transmit failed: %d\n", ret);
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ ret = -EINVAL;
+ goto err_free_urb_to_pipe;
+ }
diff --git a/queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch b/queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
new file mode 100644
index 00000000000..a4a29edcb61
--- /dev/null
+++ b/queue-5.4/mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
@@ -0,0 +1,62 @@
+From 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b Mon Sep 17 00:00:00 2001
+From: Ganapathi Bhat
+Date: Thu, 21 Nov 2019 21:34:38 +0530
+Subject: mwifiex: fix possible heap overflow in mwifiex_process_country_ie()
+
+From: Ganapathi Bhat
+
+commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
+
+mwifiex_process_country_ie() function parse elements of bss
+descriptor in beacon packet. When processing WLAN_EID_COUNTRY
+element, there is no upper limit check for country_ie_len before
+calling memcpy. The destination buffer domain_info->triplet is an
+array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
+attacker can build a fake AP with the same ssid as real AP, and
+send malicous beacon packet with long WLAN_EID_COUNTRY elemen
+(country_ie_len > 83). Attacker can force STA connect to fake AP
+on a different channel. When the victim STA connects to fake AP,
+will trigger the heap buffer overflow. Fix this by checking for
+length and if found invalid, don not connect to the AP.
+
+This fix addresses CVE-2019-14895.
+
+Reported-by: huangwen
+Signed-off-by: Ganapathi Bhat
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+@@ -229,6 +229,14 @@ static int mwifiex_process_country_ie(st
+ "11D: skip setting domain info in FW\n");
+ return 0;
+ }
++
++ if (country_ie_len >
++ (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
++ mwifiex_dbg(priv->adapter, ERROR,
++ "11D: country_ie_len overflow!, deauth AP\n");
++ return -EINVAL;
++ }
++
+ memcpy(priv->adapter->country_code, &country_ie[2], 2);
+
+ domain_info->country_code[0] = country_ie[2];
+@@ -272,8 +280,9 @@ int mwifiex_bss_start(struct mwifiex_pri
+ priv->scan_block = false;
+
+ if (bss) {
+- if (adapter->region_code == 0x00)
+- mwifiex_process_country_ie(priv, bss);
++ if (adapter->region_code == 0x00 &&
++ mwifiex_process_country_ie(priv, bss))
++ return -EINVAL;
+
+ /* Allocate and fill new bss descriptor */
+ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
diff --git a/queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch b/queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
new file mode 100644
index 00000000000..8390268bcec
--- /dev/null
+++ b/queue-5.4/mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
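Review bot: The new `return -EINVAL` in mwifiex_process_country_ie() bails out without the cleanup the neighbouring early returns perform: the `return 0` just above it sits after whatever this function does before leaving (that part is above the hunk), and since the country IE is read out of the bss via the RCU-protected IE accessors, that is most likely an `rcu_read_unlock()`. If so, the rejection path now returns with the RCU read lock held; the fix is to add `rcu_read_unlock();` before `return -EINVAL;` inside the new block. I believe upstream carries a follow-up titled along the lines of "fix unbalanced locking in mwifiex_process_country_ie()" for exactly this, and it should be queued together with this backport rather than later. The bound itself compares a byte length against a triplet count, which is conservative but safe; the minimum-length check that keeps `country_ie_len - IEEE80211_COUNTRY_STRING_LEN` from underflowing is outside the hunk and worth confirming in the 5.4 tree.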
@@ -0,0 +1,37 @@
+From db8fd2cde93227e566a412cf53173ffa227998bc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Fri, 4 Oct 2019 15:08:52 -0500
+Subject: mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
+
+From: Navid Emamdoost
+
+commit db8fd2cde93227e566a412cf53173ffa227998bc upstream.
+
+In mwifiex_pcie_alloc_cmdrsp_buf, a new skb is allocated which should be
+released if mwifiex_map_pci_memory() fails. The release is added.
+
+Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
+Signed-off-by: Navid Emamdoost
+Acked-by: Ganapathi Bhat
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1032,8 +1032,10 @@ static int mwifiex_pcie_alloc_cmdrsp_buf
+ }
+ skb_put(skb, MWIFIEX_UPLD_SIZE);
+ if (mwifiex_map_pci_memory(adapter, skb, MWIFIEX_UPLD_SIZE,
+- PCI_DMA_FROMDEVICE))
++ PCI_DMA_FROMDEVICE)) {
++ kfree_skb(skb);
+ return -1;
++ }
+
+ card->cmdrsp_buf = skb;
+
diff --git a/queue-5.4/rpmsg-char-release-allocated-memory.patch b/queue-5.4/rpmsg-char-release-allocated-memory.patch
new file mode 100644
index 00000000000..eb9a3ff8bbd
--- /dev/null
+++ b/queue-5.4/rpmsg-char-release-allocated-memory.patch
@@ -0,0 +1,36 @@
+From bbe692e349e2a1edf3fe0a29a0e05899c9c94d51 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Mon, 16 Sep 2019 22:31:23 -0500
+Subject: rpmsg: char: release allocated memory
+
+From: Navid Emamdoost
+
+commit bbe692e349e2a1edf3fe0a29a0e05899c9c94d51 upstream.
+
+In rpmsg_eptdev_write_iter, if copy_from_iter_full fails the allocated
+buffer needs to be released.
+
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Bjorn Andersson
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/rpmsg/rpmsg_char.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -227,8 +227,10 @@ static ssize_t rpmsg_eptdev_write_iter(s
+ if (!kbuf)
+ return -ENOMEM;
+
+- if (!copy_from_iter_full(kbuf, len, from))
+- return -EFAULT;
++ if (!copy_from_iter_full(kbuf, len, from)) {
++ ret = -EFAULT;
++ goto free_kbuf;
++ }
+
+ if (mutex_lock_interruptible(&eptdev->ept_lock)) {
+ ret = -ERESTARTSYS;
diff --git a/queue-5.4/rtl8xxxu-prevent-leaking-urb.patch b/queue-5.4/rtl8xxxu-prevent-leaking-urb.patch
new file mode 100644
index 00000000000..8fa9f34598e
--- /dev/null
+++ b/queue-5.4/rtl8xxxu-prevent-leaking-urb.patch
@@ -0,0 +1,32 @@
+From a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Thu, 19 Sep 2019 22:00:41 -0500
+Subject: rtl8xxxu: prevent leaking urb
+
+From: Navid Emamdoost
+
+commit a2cdd07488e666aa93a49a3fc9c9b1299e27ef3c upstream.
+
+In rtl8xxxu_submit_int_urb if usb_submit_urb fails the allocated urb
+should be released.
+
+Signed-off-by: Navid Emamdoost
+Reviewed-by: Chris Chiu
+Signed-off-by: Kalle Valo
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5447,6 +5447,7 @@ static int rtl8xxxu_submit_int_urb(struc
+ ret = usb_submit_urb(urb, GFP_KERNEL);
+ if (ret) {
+ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ goto error;
+ }
+
diff --git a/queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch b/queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch
new file mode 100644
index 00000000000..169e2f52765
--- /dev/null
+++ b/queue-5.4/scsi-bfa-release-allocated-memory-in-case-of-error.patch
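Review bot: The added `usb_free_urb(urb)` is immediately followed by `goto error`, and the `error:` label is outside the hunk; in rtl8xxxu_submit_int_urb() that label is the common exit reached after a successful submit as well, and if it already calls `usb_free_urb(urb)` to drop the function's own reference (the usual shape for a helper that allocates a single URB and lets the USB core hold its own reference), the failure path now drops the reference twice — a refcount underflow and possible use-after-free on the interrupt URB, not a leak fix. Before queueing this for 5.4, confirm what `error:` does in the 5.4 tree; if it frees the URB, the correct change is to drop this hunk and leave `goto error;` on its own. I believe upstream later reverted this patch for that reason, so the stable series should check whether the revert is already pending before adding the original.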
@@ -0,0 +1,36 @@
+From 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost
+Date: Tue, 10 Sep 2019 18:44:15 -0500
+Subject: scsi: bfa: release allocated memory in case of error
+
+From: Navid Emamdoost
+
+commit 0e62395da2bd5166d7c9e14cbc7503b256a34cb0 upstream.
+
+In bfad_im_get_stats if bfa_port_get_stats fails, allocated memory needs to
+be released.
+
+Link: https://lore.kernel.org/r/20190910234417.22151-1-navid.emamdoost@gmail.com
+Signed-off-by: Navid Emamdoost
+Signed-off-by: Martin K. Petersen
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/bfa/bfad_attr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/bfa/bfad_attr.c
++++ b/drivers/scsi/bfa/bfad_attr.c
+@@ -275,8 +275,10 @@ bfad_im_get_stats(struct Scsi_Host *shos
+ rc = bfa_port_get_stats(BFA_FCPORT(&bfad->bfa),
+ fcstats, bfad_hcb_comp, &fcomp);
+ spin_unlock_irqrestore(&bfad->bfad_lock, flags);
+- if (rc != BFA_STATUS_OK)
++ if (rc != BFA_STATUS_OK) {
++ kfree(fcstats);
+ return NULL;
++ }
+
+ wait_for_completion(&fcomp.comp);
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 8e3b6cfac50..9e259368a1b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -62,3 +62,10 @@ riscv-implement-copy_thread_tls.patch
 xtensa-implement-copy_thread_tls.patch
 clone3-ensure-copy_thread_tls-is-implemented.patch
 um-implement-copy_thread_tls.patch
+staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
+mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
+rpmsg-char-release-allocated-memory.patch
+scsi-bfa-release-allocated-memory-in-case-of-error.patch
+rtl8xxxu-prevent-leaking-urb.patch
+ath10k-fix-memory-leak.patch
diff --git a/queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch b/queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
new file mode 100644
index 00000000000..76e8e5f82b1
--- /dev/null
+++ b/queue-5.4/staging-vt6656-remove-bool-from-vnt_radio_power_on-ret.patch
@@ -0,0 +1,30 @@
+From 07f59f180ee083c48c32a1e69ae1d0091444d212 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley
+Date: Fri, 20 Dec 2019 21:15:33 +0000
+Subject: staging: vt6656: remove bool from vnt_radio_power_on ret
+
+From: Malcolm Priestley
+
+commit 07f59f180ee083c48c32a1e69ae1d0091444d212 upstream.
+
+The driver uses logical only error checking a bool true would flag error.
+
+Signed-off-by: Malcolm Priestley
+Link: https://lore.kernel.org/r/cc52b67c-9ef8-3e57-815a-44d10701919e@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/vt6656/card.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vt6656/card.c
++++ b/drivers/staging/vt6656/card.c
+@@ -719,7 +719,7 @@ end:
+ */
+ int vnt_radio_power_on(struct vnt_private *priv)
+ {
+- int ret = true;
++ int ret = 0;
+
+ vnt_exit_deep_sleep(priv);
+
-- 
2.47.3