4.11-stable patches

added patches:
	brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
	brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

diff --git a/queue-4.11/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch b/queue-4.11/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
new file mode 100644 (file)
index 0000000..e80f534
--- /dev/null
+++ b/queue-4.11/brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
@@ -0,0 +1,40 @@
+From 57c00f2fac512837f8de73474ec1f54020015bae Mon Sep 17 00:00:00 2001
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+Date: Wed, 21 Jun 2017 07:45:53 +0200
+Subject: brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'
+
+From: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
+
+commit 57c00f2fac512837f8de73474ec1f54020015bae upstream.
+
+If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
+handling path to free it in such a case.
+
+Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6827,7 +6827,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+       wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
+       if (!wiphy) {
+               brcmf_err("Could not allocate wiphy device\n");
+-              return NULL;
++              goto ops_out;
+       }
+       memcpy(wiphy->perm_addr, drvr->mac, ETH_ALEN);
+       set_wiphy_dev(wiphy, busdev);
+@@ -6970,6 +6970,7 @@ priv_out:
+       ifp->vif = NULL;
+ wiphy_out:
+       brcmf_free_wiphy(wiphy);
++ops_out:
+       kfree(ops);
+       return NULL;
+ }

diff --git a/queue-4.11/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/queue-4.11/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
new file mode 100644 (file)
index 0000000..6bfe5e3
--- /dev/null
+++ b/queue-4.11/brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
@@ -0,0 +1,58 @@
+From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
+From: "Peter S. Housel" <housel@acm.org>
+Date: Mon, 12 Jun 2017 11:46:22 +0100
+Subject: brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
+
+From: Peter S. Housel <housel@acm.org>
+
+commit 5ea59db8a375216e6c915c5586f556766673b5a7 upstream.
+
+An earlier change to this function (3bdae810721b) fixed a leak in the
+case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
+glom_skb buffer, used for emulating a scattering read, is never used
+or referenced after its contents are copied into the destination
+buffers, and therefore always needs to be freed by the end of the
+function.
+
+Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
+Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
+Signed-off-by: Peter S. Housel <housel@acm.org>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -705,7 +705,7 @@ done:
+ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
+                          struct sk_buff_head *pktq, uint totlen)
+ {
+-      struct sk_buff *glom_skb;
++      struct sk_buff *glom_skb = NULL;
+       struct sk_buff *skb;
+       u32 addr = sdiodev->sbwad;
+       int err = 0;
+@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+                       return -ENOMEM;
+               err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
+                                        glom_skb);
+-              if (err) {
+-                      brcmu_pkt_buf_free_skb(glom_skb);
++              if (err)
+                       goto done;
+-              }
+ 
+               skb_queue_walk(pktq, skb) {
+                       memcpy(skb->data, glom_skb->data, skb->len);
+@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
+                                           pktq);
+ 
+ done:
++      brcmu_pkt_buf_free_skb(glom_skb);
+       return err;
+ }
+ 

diff --git a/queue-4.11/series b/queue-4.11/series
index f4f7616d9c2f8122e05f71305a63f34cc92c35c3..294021c9b0cbda9e6a3f40a05f0e0c3961ab20ef 100644 (file)
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -33,3 +33,5 @@ sed-regex-in-makefile.build-requires-line-break-between-exported-symbols.patch
 adding-the-type-of-exported-symbols.patch
 sparc64-fix-gup_huge_pmd.patch
 block-fix-a-blk_exit_rl-regression.patch
+brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
+brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch