4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2020 13:52:56 +0000 (15:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2020 13:52:56 +0000 (15:52 +0200)
added patches:
airo-fix-read-overflows-sending-packets.patch
scsi-ufs-release-clock-if-dma-map-fails.patch
slcan-fix-double-free-on-slcan_open-error-path.patch
slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch

queue-4.9/airo-fix-read-overflows-sending-packets.patch [new file with mode: 0644]
queue-4.9/scsi-ufs-release-clock-if-dma-map-fails.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/slcan-fix-double-free-on-slcan_open-error-path.patch [new file with mode: 0644]
queue-4.9/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch [new file with mode: 0644]

diff --git a/queue-4.9/airo-fix-read-overflows-sending-packets.patch b/queue-4.9/airo-fix-read-overflows-sending-packets.patch
new file mode 100644 (file)
index 0000000..4cb60b4
--- /dev/null
@@ -0,0 +1,62 @@
+From 11e7a91994c29da96d847f676be023da6a2c1359 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 27 May 2020 21:48:30 +0300
+Subject: airo: Fix read overflows sending packets
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 11e7a91994c29da96d847f676be023da6a2c1359 upstream.
+
+The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
+skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
+overflow.
+
+The fix is to pad skb->data to at least ETH_ZLEN bytes.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Hu Jiahui <kirin.say@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/cisco/airo.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -1928,6 +1928,10 @@ static netdev_tx_t mpi_start_xmit(struct
+               airo_print_err(dev->name, "%s: skb == NULL!",__func__);
+               return NETDEV_TX_OK;
+       }
++      if (skb_padto(skb, ETH_ZLEN)) {
++              dev->stats.tx_dropped++;
++              return NETDEV_TX_OK;
++      }
+       npacks = skb_queue_len (&ai->txq);
+       if (npacks >= MAXTXQ - 1) {
+@@ -2130,6 +2134,10 @@ static netdev_tx_t airo_start_xmit(struc
+               airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+               return NETDEV_TX_OK;
+       }
++      if (skb_padto(skb, ETH_ZLEN)) {
++              dev->stats.tx_dropped++;
++              return NETDEV_TX_OK;
++      }
+       /* Find a vacant FID */
+       for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
+@@ -2204,6 +2212,10 @@ static netdev_tx_t airo_start_xmit11(str
+               airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+               return NETDEV_TX_OK;
+       }
++      if (skb_padto(skb, ETH_ZLEN)) {
++              dev->stats.tx_dropped++;
++              return NETDEV_TX_OK;
++      }
+       /* Find a vacant FID */
+       for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
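Review bot: The three new guards return NETDEV_TX_OK without a kfree_skb() when skb_padto() fails, which is correct only because skb_padto() frees the skb itself on failure; the `skb == NULL` early return just above frees nothing, so the asymmetry is easy to misread as a leak or to "fix" into a double free later. A one-line comment such as `/* skb_padto() already freed the skb on failure */` above each `dev->stats.tx_dropped++;` would make that explicit. The same block is added to mpi_start_xmit, airo_start_xmit and airo_start_xmit11 in this file, and all three functions continue outside the hunk. The rendered hunk also appears to show fewer lines than its `@@ -0,0 +1,62 @@` header announces, so some context lines may have been dropped in rendering rather than in the patch.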
diff --git a/queue-4.9/scsi-ufs-release-clock-if-dma-map-fails.patch b/queue-4.9/scsi-ufs-release-clock-if-dma-map-fails.patch
new file mode 100644 (file)
index 0000000..21b982a
--- /dev/null
@@ -0,0 +1,36 @@
+From 17c7d35f141ef6158076adf3338f115f64fcf760 Mon Sep 17 00:00:00 2001
+From: Can Guo <cang@codeaurora.org>
+Date: Thu, 5 Dec 2019 02:14:33 +0000
+Subject: scsi: ufs: Release clock if DMA map fails
+
+From: Can Guo <cang@codeaurora.org>
+
+commit 17c7d35f141ef6158076adf3338f115f64fcf760 upstream.
+
+In queuecommand path, if DMA map fails, it bails out with clock held.  In
+this case, release the clock to keep its usage paired.
+
+[mkp: applied by hand]
+
+Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[EB: resolved cherry-pick conflict caused by newer kernels not having
+ the clear_bit_unlock() line]
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -1512,6 +1512,7 @@ static int ufshcd_queuecommand(struct Sc
+       err = ufshcd_map_sg(hba, lrbp);
+       if (err) {
++              ufshcd_release(hba);
+               lrbp->cmd = NULL;
+               clear_bit_unlock(tag, &hba->lrb_in_use);
+               goto out;
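Review bot: The added ufshcd_release(hba) balances a ufshcd_hold() that, going by the commit message, is taken earlier in ufshcd_queuecommand and is not visible in this hunk, so the pairing cannot be checked from the patch alone; the backport note about resolving a clear_bit_unlock() conflict indicates this error path differs from upstream, which makes it worth confirming in the 4.9 tree that no other early exit between the hold and ufshcd_map_sg() is left unbalanced. Because the two calls are far apart, a short comment on the new line, `/* undo the ufshcd_hold() taken earlier in this function */`, would document the pairing at the point where it is easy to lose. The enclosing function starts and ends outside the hunk.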
index 28b785a1b2231eb5ff2a942659021da98d146e37..09778e6a9e3425ee159441c772c42f313c65188f 100644 (file)
@@ -15,3 +15,7 @@ hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
 p54usb-add-airvast-usb-stick-device-id.patch
 kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
 mmc-fix-compilation-of-user-api.patch
+slcan-fix-double-free-on-slcan_open-error-path.patch
+slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
+scsi-ufs-release-clock-if-dma-map-fails.patch
+airo-fix-read-overflows-sending-packets.patch
diff --git a/queue-4.9/slcan-fix-double-free-on-slcan_open-error-path.patch b/queue-4.9/slcan-fix-double-free-on-slcan_open-error-path.patch
new file mode 100644 (file)
index 0000000..3ef4ddc
--- /dev/null
@@ -0,0 +1,47 @@
+From ben@decadent.org.uk  Fri Jun  5 15:44:25 2020
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 2 Jun 2020 18:54:18 +0100
+Subject: slcan: Fix double-free on slcan_open() error path
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Cc: yangerkun <yangerkun@huawei.com>, stable@vger.kernel.org
+Message-ID: <20200602175418.GA53769@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+Commit 9ebd796e2400 ("can: slcan: Fix use-after-free Read in
+slcan_open") was incorrectly backported to 4.4 and 4.9 stable
+branches.
+
+Since they do not have commit cf124db566e6 ("net: Fix inconsistent
+teardown and release of private netdev state."), the destructor
+function slc_free_netdev() is already responsible for calling
+free_netdev() and slcan_open() must not call both of them.
+
+yangerkun previously fixed the same bug in slip.
+
+Fixes: ce624b2089ea ("can: slcan: Fix use-after-free Read in slcan_open") # 4.4
+Fixes: f59604a80fa4 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.4
+Fixes: 56635a1e6ffb ("can: slcan: Fix use-after-free Read in slcan_open") # 4.9
+Fixes: a1c9b23142ac ("slcan: not call free_netdev before rtnl_unlock ...") # 4.9
+Cc: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/slcan.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -618,10 +618,9 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
+-      slc_free_netdev(sl->dev);
+       /* do not call free_netdev before rtnl_unlock */
+       rtnl_unlock();
+-      free_netdev(sl->dev);
++      slc_free_netdev(sl->dev);
+       return err;
+ err_exit:
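Review bot: The surviving comment `/* do not call free_netdev before rtnl_unlock */` now sits above a call to slc_free_netdev() rather than free_netdev(), so a reader of the 4.9 tree has to know from the commit message that slc_free_netdev() is the destructor that performs free_netdev() here; rewording it to `/* slc_free_netdev() calls free_netdev() in this tree; it must run after rtnl_unlock() */` keeps that reasoning next to the code. One thing to confirm: if slc_free_netdev() in this tree also clears the slcan_devs[] slot, that store now happens outside RTNL while the slot was populated under RTNL, so a concurrent slcan_open() could briefly observe the unregistered device; the upstream slip fix this mirrors has the same ordering, so it may well be acceptable, but it deserves a look. The error path continues outside the hunk after the err_exit: label.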
diff --git a/queue-4.9/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch b/queue-4.9/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
new file mode 100644 (file)
index 0000000..6ef24ae
--- /dev/null
@@ -0,0 +1,35 @@
+From f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Wed, 26 Feb 2020 11:54:35 +0800
+Subject: slip: not call free_netdev before rtnl_unlock in slip_open
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.
+
+As the description before netdev_run_todo, we cannot call free_netdev
+before rtnl_unlock, fix it by reorder the code.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to <4.11: free_netdev() is called through sl_free_netdev()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -867,7 +867,10 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      /* do not call free_netdev before rtnl_unlock */
++      rtnl_unlock();
+       sl_free_netdev(sl->dev);
++      return err;
+ err_exit:
+       rtnl_unlock();