From c1ca47ee0fccc3840ddc786f083c8ea2342eb371 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Jul 2017 11:52:26 +0200
Subject: [PATCH] 4.12-stable patches

added patches:
	brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
	brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
---
 ...ndling-path-in-brcmf_cfg80211_attach.patch | 40 +++++++++++++
 ...m_skb-leak-in-brcmf_sdiod_recv_chain.patch | 58 +++++++++++++++++++
 queue-4.12/series                             |  2 +
 3 files changed, 100 insertions(+)
 create mode 100644 queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
 create mode 100644 queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

diff --git a/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch b/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
new file mode 100644
index 00000000000..57681800b6d
--- /dev/null
+++ b/queue-4.12/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
@@ -0,0 +1,40 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+commit 57c00f2fac512837f8de73474ec1f54020015bae upstream.
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6855,7 +6855,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+ 	wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+ 	if (!wiphy) {
+ 		brcmf_err("Could not allocate wiphy device\n");
+-		return NULL;
++		goto ops_out;
+ 	}
+ 	memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+ 	set_wiphy_dev(wiphy, busdev);
+@@ -6998,6 +6998,7 @@ priv_out:
+ 	ifp->vif = NULL;
+ wiphy_out:
+ 	brcmf_free_wiphy(wiphy);
++ops_out:
+ 	kfree(ops);
+ 	return NULL;
+ }
diff --git a/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644
index 00000000000..12e19fbf81c
--- /dev/null
+++ b/queue-4.12/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
@@ -0,0 +1,58 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+From: Peter S. Housel <housel@acm.org>
+
+commit 5ea59db8a375216e6c915c5586f556766673b5a7 upstream.
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -706,7 +706,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+ 			   struct sk_buff_head *pktq, uint totlen)
+ {
+-	struct sk_buff *glom_skb;
++	struct sk_buff *glom_skb = NULL;
+ 	struct sk_buff *skb;
+ 	u32 addr = sdiodev->sbwad;
+ 	int err = 0;
+@@ -727,10 +727,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 			return -ENOMEM;
+ 		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+ 					 glom_skb);
+-		if (err) {
+-			brcmu_pkt_buf_free_skb(glom_skb);
++		if (err)
+ 			goto done;
+-		}
+ 
+ 		skb_queue_walk(pktq, skb) {
+ 			memcpy(skb->data, glom_skb->data, skb->len);
+@@ -741,6 +739,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+ 					    pktq);
+ 
+ done:
++	brcmu_pkt_buf_free_skb(glom_skb);
+ 	return err;
+ }
+ 
diff --git a/queue-4.12/series b/queue-4.12/series
index 7f337b1bcb4..0bf293eca31 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
@@ -21,3 +21,5 @@ adding-asm-prototypes.h-for-genksyms-to-generate-crc.patch
 sed-regex-in-makefile.build-requires-line-break-between-exported-symbols.patch
 adding-the-type-of-exported-symbols.patch
 sparc64-fix-gup_huge_pmd.patch
+brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
+brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
-- 
2.47.3