From: Greg Kroah-Hartman
Date: Tue, 27 Jun 2017 12:11:32 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.59~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f24c608975067e6ef90825eb9ed900d0a4629d2;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
net-phy-fix-marvell-phy-status-reading.patch
usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
---
diff --git a/queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch b/queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
new file mode 100644
index 00000000000..2cb814521e3
--- /dev/null
+++ b/queue-3.18/mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
@@ -0,0 +1,51 @@
+From 98c67d187db7808b1f3c95f2110dd4392d034182 Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld"
+Date: Sat, 10 Jun 2017 04:59:12 +0200
+Subject: mac80211/wpa: use constant time memory comparison for MACs
+
+From: Jason A. Donenfeld
+
+commit 98c67d187db7808b1f3c95f2110dd4392d034182 upstream.
+
+Otherwise, we enable all sorts of forgeries via timing attack.
+
+Signed-off-by: Jason A. Donenfeld
+Cc: Johannes Berg
+Cc: linux-wireless@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/mac80211/wpa.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/wpa.c
++++ b/net/mac80211/wpa.c
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "ieee80211_i.h"
+ #include "michael.h"
+@@ -150,7 +151,7 @@ ieee80211_rx_h_michael_mic_verify(struct
+ data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
+ key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
+ michael_mic(key, hdr, data, data_len, mic);
+- if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
++ if (crypto_memneq(mic, data + data_len, MICHAEL_MIC_LEN))
+ goto mic_fail;
+
+ /* remove Michael MIC from payload */
+@@ -771,7 +772,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct
+ bip_aad(skb, aad);
+ ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mic);
+- if (memcmp(mic, mmie->mic, sizeof(mmie->mic)) != 0) {
++ if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
+ key->u.aes_cmac.icverrors++;
+ return RX_DROP_UNUSABLE;
+ }
diff --git a/queue-3.18/net-phy-fix-marvell-phy-status-reading.patch b/queue-3.18/net-phy-fix-marvell-phy-status-reading.patch
new file mode 100644
index 00000000000..6fb79c231e3
--- /dev/null
+++ b/queue-3.18/net-phy-fix-marvell-phy-status-reading.patch
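Review bot: The added `#include` in the first inner hunk has lost its target in this rendering, so the page does not show which header brings crypto_memneq() into scope; upstream, as far as I recall, adds `#include <crypto/algapi.h>`, and the 3.18 tree should be confirmed to carry crypto_memneq() (it predates 3.18, but a missing declaration would surface only as a mac80211 build failure). The two replacements themselves are correct: crypto_memneq() returns non-zero on any byte difference, so dropping `!= 0` preserves both conditions while removing the early exit on the first mismatching byte. Only the comparison is constant-time; `goto mic_fail` and `icverrors++` still branch on the result, which is unavoidable because a Michael MIC failure has to be reported for TKIP countermeasures. Both enclosing functions, ieee80211_rx_h_michael_mic_verify and ieee80211_crypto_aes_cmac_decrypt, start and end outside the hunk, so the length checks that make `data + data_len` and `mmie->mic` full-length reads are not visible here.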
@@ -0,0 +1,40 @@
+From 898805e0cdf7fd860ec21bf661d3a0285a3defbd Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Tue, 30 May 2017 16:21:51 +0100
+Subject: net: phy: fix marvell phy status reading
+
+From: Russell King
+
+commit 898805e0cdf7fd860ec21bf661d3a0285a3defbd upstream.
+
+The Marvell driver incorrectly provides phydev->lp_advertising as the
+logical and of the link partner's advert and our advert. This is
+incorrect - this field is supposed to store the link parter's unmodified
+advertisment.
+
+This allows ethtool to report the correct link partner auto-negotiation
+status.
+
+Fixes: be937f1f89ca ("Marvell PHY m88e1111 driver fix")
+Signed-off-by: Russell King
+Reviewed-by: Andrew Lunn
+Reviewed-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/phy/marvell.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -737,8 +737,6 @@ static int marvell_read_status(struct ph
+ if (adv < 0)
+ return adv;
+
+- lpa &= adv;
+-
+ if (status & MII_M1011_PHY_STATUS_FULLDUPLEX)
+ phydev->duplex = DUPLEX_FULL;
+ else
diff --git a/queue-3.18/series b/queue-3.18/series
index 271bb495419..005354f2039 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -11,3 +11,6 @@ rxrpc-fix-several-cases-where-a-padded-len-isn-t-checked-in-ticket-decode.patch
 of-add-check-to-of_scan_flat_dt-before-accessing-initial_boot_params.patch
 mtd-spi-nor-fix-spansion-quad-enable.patch
 powerpc-slb-force-a-full-slb-flush-when-we-insert-for-a-bad-ea.patch
+usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
+net-phy-fix-marvell-phy-status-reading.patch
+mac80211-wpa-use-constant-time-memory-comparison-for-macs.patch
diff --git a/queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch b/queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch
new file mode 100644
index 00000000000..274f9113391
--- /dev/null
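Review bot: Dropping `lpa &= adv;` changes the value of `lpa` for every later use in marvell_read_status, not only the lp_advertising assignment the commit message targets; if the rest of the function, which is outside the hunk, derives anything else from `lpa` (pause/asym_pause flags, for instance), those consumers now see the partner's raw advertisement rather than the intersection, and the 3.18 backport should confirm that is intended there too. The speed/duplex resolution visible in the hunk reads `status & MII_M1011_PHY_STATUS_FULLDUPLEX`, i.e. the PHY's resolved status register, so it is unaffected. Within the hunk nothing consumes `adv` any more beyond `if (adv < 0) return adv;`, which is harmless but worth a one-line comment so a later cleanup does not reintroduce the masking, e.g. `/* keep lpa unmasked: lp_advertising must report the partner's own advert */`. marvell_read_status starts and ends outside the hunk.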
+++ b/queue-3.18/usb-gadget-f_fs-avoid-out-of-bounds-access-on-comp_desc.patch 
@@ -0,0 +1,106 @@
+From b7f73850bb4fac1e2209a4dd5e636d39be92f42c Mon Sep 17 00:00:00 2001
+From: William Wu
+Date: Tue, 25 Apr 2017 17:45:48 +0800
+Subject: usb: gadget: f_fs: avoid out of bounds access on comp_desc
+
+From: William Wu
+
+commit b7f73850bb4fac1e2209a4dd5e636d39be92f42c upstream.
+
+Companion descriptor is only used for SuperSpeed endpoints,
+if the endpoints are HighSpeed or FullSpeed, the Companion
+descriptor will not allocated, so we can only access it if
+gadget is SuperSpeed.
+
+I can reproduce this issue on Rockchip platform rk3368 SoC
+which supports USB 2.0, and use functionfs for ADB. Kernel
+build with CONFIG_KASAN=y and CONFIG_SLUB_DEBUG=y report
+the following BUG:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in ffs_func_set_alt+0x224/0x3a0 at addr ffffffc0601f6509
+Read of size 1 by task swapper/0/0
+============================================================================
+BUG kmalloc-256 (Not tainted): kasan: bad access detected
+----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in ffs_func_bind+0x52c/0x99c age=1275 cpu=0 pid=1
+alloc_debug_processing+0x128/0x17c
+___slab_alloc.constprop.58+0x50c/0x610
+__slab_alloc.isra.55.constprop.57+0x24/0x34
+__kmalloc+0xe0/0x250
+ffs_func_bind+0x52c/0x99c
+usb_add_function+0xd8/0x1d4
+configfs_composite_bind+0x48c/0x570
+udc_bind_to_driver+0x6c/0x170
+usb_udc_attach_driver+0xa4/0xd0
+gadget_dev_desc_UDC_store+0xcc/0x118
+configfs_write_file+0x1a0/0x1f8
+__vfs_write+0x64/0x174
+vfs_write+0xe4/0x200
+SyS_write+0x68/0xc8
+el0_svc_naked+0x24/0x28
+INFO: Freed in inode_doinit_with_dentry+0x3f0/0x7c4 age=1275 cpu=7 pid=247
+...
+Call trace:
+[] dump_backtrace+0x0/0x230
+[] show_stack+0x14/0x1c
+[] dump_stack+0xa0/0xc8
+[] print_trailer+0x188/0x198
+[] object_err+0x3c/0x4c
+[] kasan_report+0x324/0x4dc
+[] __asan_load1+0x24/0x50
+[] ffs_func_set_alt+0x224/0x3a0
+[] composite_setup+0xdcc/0x1ac8
+[] android_setup+0x124/0x1a0
+[] _setup+0x54/0x74
+[] handle_ep0+0x3288/0x4390
+[] dwc_otg_pcd_handle_out_ep_intr+0x14dc/0x2ae4
+[] dwc_otg_pcd_handle_intr+0x1ec/0x298
+[] dwc_otg_pcd_irq+0x10/0x20
+[] handle_irq_event_percpu+0x124/0x3ac
+[] handle_irq_event+0x60/0xa0
+[] handle_fasteoi_irq+0x10c/0x1d4
+[] generic_handle_irq+0x30/0x40
+[] __handle_domain_irq+0xac/0xdc
+[] gic_handle_irq+0x64/0xa4
+...
+Memory state around the buggy address:
+ ffffffc0601f6400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffffffc0601f6480: 00 00 00 00 00 00 00 00 00 00 06 fc fc fc fc fc
+ >ffffffc0601f6500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffffffc0601f6580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffffffc0601f6600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: William Wu
+Signed-off-by: Felipe Balbi
+Cc: Jerry Zhang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_fs.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1674,12 +1674,12 @@ static int ffs_func_eps_enable(struct ff
+ ep->ep->driver_data = ep;
+ ep->ep->desc = ds;
+
+- comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
+- USB_DT_ENDPOINT_SIZE);
+- ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+-
+- if (needs_comp_desc)
++ if (needs_comp_desc) {
++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds +
++ USB_DT_ENDPOINT_SIZE);
++ ep->ep->maxburst = comp_desc->bMaxBurst + 1;
+ ep->ep->comp_desc = comp_desc;
++ }
+
+ ret = usb_ep_enable(ep->ep);
+ if (likely(!ret)) {
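Review bot: The non-SuperSpeed path now leaves `ep->ep->comp_desc` untouched, so if the same usb_ep was enabled earlier with a SuperSpeed companion descriptor from a previous binding, a UDC that looks at comp_desc could see a stale pointer into a descriptor buffer that has since been freed; unless the usb_ep is known to be reset between bindings (not visible from here), consider `} else { ep->ep->comp_desc = NULL; }` after the new block. The fix itself is sound: `comp_desc` is now dereferenced only when `needs_comp_desc` is set, and `ep->ep->maxburst` is left alone for HS/FS endpoints, which is what the KASAN report in the description calls for. Because functionfs descriptors are presumably supplied by userspace, the guarantee that a companion descriptor really follows each SuperSpeed endpoint descriptor at `ds + USB_DT_ENDPOINT_SIZE` rests on the descriptor parser, which is outside this hunk, as is the definition of `needs_comp_desc`. ffs_func_eps_enable starts and ends outside the hunk.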