--- /dev/null
+From 11e7a91994c29da96d847f676be023da6a2c1359 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 27 May 2020 21:48:30 +0300
+Subject: airo: Fix read overflows sending packets
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 11e7a91994c29da96d847f676be023da6a2c1359 upstream.
+
+The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
+skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
+overflow.
+
+The fix is to pad skb->data to at least ETH_ZLEN bytes.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Hu Jiahui <kirin.say@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/cisco/airo.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -1928,6 +1928,10 @@ static netdev_tx_t mpi_start_xmit(struct
+ airo_print_err(dev->name, "%s: skb == NULL!",__func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+ npacks = skb_queue_len (&ai->txq);
+
+ if (npacks >= MAXTXQ - 1) {
+@@ -2130,6 +2134,10 @@ static netdev_tx_t airo_start_xmit(struc
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
+@@ -2204,6 +2212,10 @@ static netdev_tx_t airo_start_xmit11(str
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
--- /dev/null
+From 17c7d35f141ef6158076adf3338f115f64fcf760 Mon Sep 17 00:00:00 2001
+From: Can Guo <cang@codeaurora.org>
+Date: Thu, 5 Dec 2019 02:14:33 +0000
+Subject: scsi: ufs: Release clock if DMA map fails
+
+From: Can Guo <cang@codeaurora.org>
+
+commit 17c7d35f141ef6158076adf3338f115f64fcf760 upstream.
+
+In queuecommand path, if DMA map fails, it bails out with clock held. In
+this case, release the clock to keep its usage paired.
+
+[mkp: applied by hand]
+
+Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[EB: resolved cherry-pick conflict caused by newer kernels not having
+ the clear_bit_unlock() line]
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2365,6 +2365,7 @@ static int ufshcd_queuecommand(struct Sc
+
+ err = ufshcd_map_sg(hba, lrbp);
+ if (err) {
++ ufshcd_release(hba);
+ lrbp->cmd = NULL;
+ clear_bit_unlock(tag, &hba->lrb_in_use);
+ goto out;
projects / thirdparty / kernel / stable-queue.git / commitdiff
