3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jun 2017 12:11:32 +0000 (14:11 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 27 Jun 2017 12:11:32 +0000 (14:11 +0200)
added patches:
mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
net-phy-fix-marvell-phy-status-reading.patch
usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch

queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch [new file with mode: 0644]
queue-3.18/net-phy-fix-marvell-phy-status-reading.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch [new file with mode: 0644]

diff --git a/queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch b/queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
new file mode 100644 (file)
index 0000000..2cb8145
--- /dev/null
@@ -0,0 +1,51 @@
+From 98c67d187db7808b1f3c95f2110dd4392d034182 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Sat, 10 Jun 2017 04:59:12 +0200
+Subject: mac80211/wpa: use constant time memory comparison for MACs
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+commit 98c67d187db7808b1f3c95f2110dd4392d034182 upstream.
+
+Otherwise, we enable all sorts of forgeries via timing attack.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: linux-wireless@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/mac80211/wpa.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -16,6 +16,7 @@
+ #include <asm/unaligned.h>
+ #include <net/mac80211.h>
+ #include <crypto/aes.h>
++#include <crypto/algapi.h>
+ #include "ieee80211_i.h"
+ #include "michael.h"
+@@ -150,7 +151,7 @@ ieee80211_rx_h_michael_mic_verify(struct
+       data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
+       key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
+       michael_mic(key, hdr, data, data_len, mic);
+-      if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
++      if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
+               goto mic_fail;
+       /* remove Michael MIC from payload */
+@@ -771,7 +772,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
+               bip_aad(skb, aad);
+               ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
+                                  skb->data + 24, skb->len - 24, mic);
+-              if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
++              if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+                       key->u.aes_cmac.icverrors++;
+                       return RX_DROP_UNUSABLE;
+               }
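Review bot: Neither converted site in the backported patch — the Michael MIC check `crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN)` and the CMAC check `crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))` — carries a comment saying why `memcmp` must not be used here, so a later tidy-up can quietly reintroduce the early-exit compare. I would add above each `/* constant-time compare: memcmp() timing would leak how many MIC bytes already match */`. The new calls keep the original sense (non-zero on mismatch) and `<crypto/algapi.h>` is where `crypto_memneq` is declared in kernels of this vintage, so the logic itself is unchanged. If 3.18's wpa.c has any further MIC or ICV comparisons beyond the two sites the upstream commit touched, they should be converted the same way; I cannot see the rest of the file here. Both `ieee80211_rx_h_michael_mic_verify` and `ieee80211_crypto_aes_cmac_decrypt` start and end outside the hunk.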
diff --git a/queue-3.18/net-phy-fix-marvell-phy-status-reading.patch b/queue-3.18/net-phy-fix-marvell-phy-status-reading.patch
new file mode 100644 (file)
index 0000000..6fb79c2
--- /dev/null
@@ -0,0 +1,40 @@
+From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 30 May 2017 16:21:51 +0100
+Subject: net: phy: fix marvell phy status reading
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.
+
+The Marvell driver incorrectly provides phydev->lp_advertising as the
+logical and of the link partner's advert and our advert.  This is
+incorrect - this field is supposed to store the link parter's unmodified
+advertisment.
+
+This allows ethtool to report the correct link partner auto-negotiation
+status.
+
+Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/phy/marvell.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -737,8 +737,6 @@ static int marvell_read_status(struct ph
+               if (adv < 0)
+                       return adv;
+-              lpa &= adv;
+-
+               if (status & MII_M1011_PHY_STATUS_FULLDUPLEX)
+                       phydev->duplex = DUPLEX_FULL;
+               else
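Review bot: With `lpa &= adv;` removed, the `adv` value checked by the visible `if (adv < 0) return adv;` (presumably an `MII_ADVERTISE` read just above, outside the hunk) appears to exist only for its error return; if nothing further down `marvell_read_status` consumes `adv`, that read is now dead and should eventually go together with its check. The masked `lpa` was presumably also what the pause/asym-pause resolution later in this function used, so after this change those fields reflect the link partner's raw advertisement rather than the negotiated intersection — the intended semantics for `lp_advertising`, but worth confirming the 3.18 body matches upstream's at the time of the fix so the backport does not change more than the upstream commit did. `marvell_read_status` starts and ends outside the hunk.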
index 271bb495419101f1d28569458b954a1f56c26ef0..005354f2039b12b896a4b1dc04c17a17b262790f 100644 (file)
@@ -11,3 +11,6 @@ rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch
 of-add-check-to-of_scan_flat_dt-before-accessing-initial_boot_params.patch
 mtd-spi-nor-fix-spansion-quad-enable.patch
 powerpc-slb-force-a-full-slb-flush-when-we-insert-for-a-bad-ea.patch
+usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
+net-phy-fix-marvell-phy-status-reading.patch
+mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
diff --git a/queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
new file mode 100644 (file)
index 0000000..274f911
--- /dev/null
@@ -0,0 +1,106 @@
+From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001
+From: William Wu <william.wu@rock-chips.com>
+Date: Tue, 25 Apr 2017 17:45:48 +0800
+Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc
+
+From: William Wu <william.wu@rock-chips.com>
+
+commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream.
+
+Companion descriptor is only used for SuperSpeed endpoints,
+if the endpoints are HighSpeed or FullSpeed, the Companion
+descriptor will not allocated, so we can only access it if
+gadget is SuperSpeed.
+
+I can reproduce this issue on Rockchip platform rk3368 SoC
+which supports USB 2.0, and use functionfs for ADB. Kernel
+build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
+the following BUG:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
+Read of size 1 by task swapper/0/0
+============================================================================
+BUG kmalloc-256 (Not tainted): kasan: bad access detected
+----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
+alloc_debug_processing+0x128/0x17c
+___slab_alloc.constprop.58+0x50c/0x610
+__slab_alloc.isra.55.constprop.57+0x24/0x34
+__kmalloc+0xe0/0x250
+ffs_func_bind+0x52c/0x99c
+usb_add_function+0xd8/0x1d4
+configfs_composite_bind+0x48c/0x570
+udc_bind_to_driver+0x6c/0x170
+usb_udc_attach_driver+0xa4/0xd0
+gadget_dev_desc_UDC_store+0xcc/0x118
+configfs_write_file+0x1a0/0x1f8
+__vfs_write+0x64/0x174
+vfs_write+0xe4/0x200
+SyS_write+0x68/0xc8
+el0_svc_naked+0x24/0x28
+INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
+...
+Call trace:
+[<ffffff900808aab4>] dump_backtrace+0x0/0x230
+[<ffffff900808acf8>] show_stack+0x14/0x1c
+[<ffffff90084ad420>] dump_stack+0xa0/0xc8
+[<ffffff90082157cc>] print_trailer+0x188/0x198
+[<ffffff9008215948>] object_err+0x3c/0x4c
+[<ffffff900821b5ac>] kasan_report+0x324/0x4dc
+[<ffffff900821aa38>] __asan_load1+0x24/0x50
+[<ffffff90089eb750>] ffs_func_set_alt+0x224/0x3a0
+[<ffffff90089d3760>] composite_setup+0xdcc/0x1ac8
+[<ffffff90089d7394>] android_setup+0x124/0x1a0
+[<ffffff90089acd18>] _setup+0x54/0x74
+[<ffffff90089b6b98>] handle_ep0+0x3288/0x4390
+[<ffffff90089b9b44>] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
+[<ffffff90089be85c>] dwc_otg_pcd_handle_intr+0x1ec/0x298
+[<ffffff90089ad680>] dwc_otg_pcd_irq+0x10/0x20
+[<ffffff9008116328>] handle_irq_event_percpu+0x124/0x3ac
+[<ffffff9008116610>] handle_irq_event+0x60/0xa0
+[<ffffff900811af30>] handle_fasteoi_irq+0x10c/0x1d4
+[<ffffff9008115568>] generic_handle_irq+0x30/0x40
+[<ffffff90081159b4>] __handle_domain_irq+0xac/0xdc
+[<ffffff9008080e9c>] gic_handle_irq+0x64/0xa4
+...
+Memory state around the buggy address:
+  ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
+ >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                       ^
+  ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: William Wu <william.wu@rock-chips.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: Jerry Zhang <zhangjerry@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1674,12 +1674,12 @@ static int ffs_func_eps_enable(struct ff
+               ep->ep->driver_data = ep;
+               ep->ep->desc = ds;
+-              comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
+-                              USB_DT_ENDPOINT_SIZE);
+-              ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+-
+-              if (needs_comp_desc)
++              if (needs_comp_desc) {
++                      comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++                                      USB_DT_ENDPOINT_SIZE);
++                      ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+                       ep->ep->comp_desc = comp_desc;
++              }
+               ret = usb_ep_enable(ep->ep);
+               if (likely(!ret)) {
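Review bot: The new `if (needs_comp_desc) {` block now carries the whole safety argument (a companion descriptor is laid out after the endpoint descriptor only for SuperSpeed), but nothing in the code says so and the `ds + USB_DT_ENDPOINT_SIZE` cast still silently trusts that layout; I would add above the block `/* SS companion descriptor follows the EP descriptor only for SuperSpeed; for HS/FS nothing is allocated there (KASAN slab-out-of-bounds) */`. Separately, that expression is pointer arithmetic on `ds`: if `ds` is a `struct usb_endpoint_descriptor *` rather than a byte pointer, `ds + USB_DT_ENDPOINT_SIZE` advances by `USB_DT_ENDPOINT_SIZE * sizeof(*ds)`, not by the 7 bytes the name suggests — please confirm `ds`'s type, since its declaration is outside the hunk and the pre-existing line keeps that form. Functionfs descriptors are supplied by userspace, so `comp_desc->bMaxBurst` is untrusted input as well; I cannot see from the hunk whether the bind-time parser bounds it before `ep->ep->maxburst = comp_desc->bMaxBurst + 1` stores it. On the non-SuperSpeed path `ep->ep->maxburst` and `ep->ep->comp_desc` are now left untouched instead of being filled from out-of-bounds memory, which is right, but if the `usb_ep` can be re-enabled at a different speed without being reset, values from an earlier SuperSpeed bind would persist — worth checking whether the UDC core clears them. `ffs_func_eps_enable` starts and ends outside the hunk.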