From 45b20bbb1f35fb20a07544d5826c754e9a68a29c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 5 Jun 2020 15:53:09 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
airo-fix-read-overflows-sending-packets.patch
scsi-ufs-release-clock-if-dma-map-fails.patch
---
 ...o-fix-read-overflows-sending-packets.patch | 62 +++++++++++++++++++
 ...i-ufs-release-clock-if-dma-map-fails.patch | 36 +++++++++++
 queue-4.14/series | 2 +
 3 files changed, 100 insertions(+)
 create mode 100644 queue-4.14/airo-fix-read-overflows-sending-packets.patch
 create mode 100644 queue-4.14/scsi-ufs-release-clock-if-dma-map-fails.patch
diff --git a/queue-4.14/airo-fix-read-overflows-sending-packets.patch b/queue-4.14/airo-fix-read-overflows-sending-packets.patch
new file mode 100644
index 00000000000..4cb60b4d945
--- /dev/null
+++ b/queue-4.14/airo-fix-read-overflows-sending-packets.patch
@@ -0,0 +1,62 @@
+From 11e7a91994c29da96d847f676be023da6a2c1359 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 27 May 2020 21:48:30 +0300
+Subject: airo: Fix read overflows sending packets
+
+From: Dan Carpenter
+
+commit 11e7a91994c29da96d847f676be023da6a2c1359 upstream.
+
+The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from
+skb->data even when skb->len is less than ETH_ZLEN so it leads to a read
+overflow.
+
+The fix is to pad skb->data to at least ETH_ZLEN bytes.
+
+Cc:
+Reported-by: Hu Jiahui
+Signed-off-by: Dan Carpenter
+Reviewed-by: Eric Dumazet
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/cisco/airo.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/net/wireless/cisco/airo.c
++++ b/drivers/net/wireless/cisco/airo.c
+@@ -1928,6 +1928,10 @@ static netdev_tx_t mpi_start_xmit(struct
+ airo_print_err(dev->name, "%s: skb == NULL!",__func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+ npacks = skb_queue_len (&ai->txq);
+
+ if (npacks >= MAXTXQ - 1) {
+@@ -2130,6 +2134,10 @@ static netdev_tx_t airo_start_xmit(struc
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = 0; i < MAX_FIDS / 2 && (fids[i] & 0xffff0000); i++ );
+@@ -2204,6 +2212,10 @@ static netdev_tx_t airo_start_xmit11(str
+ airo_print_err(dev->name, "%s: skb == NULL!", __func__);
+ return NETDEV_TX_OK;
+ }
++ if (skb_padto(skb, ETH_ZLEN)) {
++ dev->stats.tx_dropped++;
++ return NETDEV_TX_OK;
++ }
+
+ /* Find a vacant FID */
+ for( i = MAX_FIDS / 2; i < MAX_FIDS && (fids[i] & 0xffff0000); i++ );
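Review bot: The drop path added to mpi_start_xmit(), airo_start_xmit() and airo_start_xmit11() returns NETDEV_TX_OK without freeing the skb, which is only correct because skb_padto() frees the buffer itself when padding fails; nothing in the new lines says so. A one-line comment above each check, e.g. `/* skb_padto() frees the skb on failure; just count the drop */`, would keep a later edit from adding a second free or a requeue on this path. The same four lines are repeated in all three transmit functions, so a small static helper would keep them in step. All three function bodies continue outside the nested hunks, so the minimum-length copy that the commit message describes is not visible here.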
diff --git a/queue-4.14/scsi-ufs-release-clock-if-dma-map-fails.patch b/queue-4.14/scsi-ufs-release-clock-if-dma-map-fails.patch
new file mode 100644
index 00000000000..b9319ddb73d
--- /dev/null
+++ b/queue-4.14/scsi-ufs-release-clock-if-dma-map-fails.patch
@@ -0,0 +1,36 @@
+From 17c7d35f141ef6158076adf3338f115f64fcf760 Mon Sep 17 00:00:00 2001
+From: Can Guo
+Date: Thu, 5 Dec 2019 02:14:33 +0000
+Subject: scsi: ufs: Release clock if DMA map fails
+
+From: Can Guo
+
+commit 17c7d35f141ef6158076adf3338f115f64fcf760 upstream.
+
+In queuecommand path, if DMA map fails, it bails out with clock held. In
+this case, release the clock to keep its usage paired.
+
+[mkp: applied by hand]
+
+Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com
+Reviewed-by: Bean Huo
+Signed-off-by: Can Guo
+Signed-off-by: Martin K. Petersen
+[EB: resolved cherry-pick conflict caused by newer kernels not having
+ the clear_bit_unlock() line]
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2365,6 +2365,7 @@ static int ufshcd_queuecommand(struct Sc
+
+ err = ufshcd_map_sg(hba, lrbp);
+ if (err) {
++ ufshcd_release(hba);
+ lrbp->cmd = NULL;
+ clear_bit_unlock(tag, &hba->lrb_in_use);
+ goto out;
diff --git a/queue-4.14/series b/queue-4.14/series
index f5aff38abf9..95d39b4346b 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -18,3 +18,5 @@ hid-i2c-hid-add-schneider-scl142alm-to-descriptor-override.patch
 p54usb-add-airvast-usb-stick-device-id.patch
 kernel-relay.c-handle-alloc_percpu-returning-null-in-relay_open.patch
 mmc-fix-compilation-of-user-api.patch
+scsi-ufs-release-clock-if-dma-map-fails.patch
+airo-fix-read-overflows-sending-packets.patch
--
2.47.3
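Review bot: The added `ufshcd_release(hba);` in the ufshcd_map_sg() failure branch has no visible counterpart in the nested hunk, so the pairing has to be taken on trust from the commit message ("bails out with clock held"). A short comment on that line, such as `/* drop the clock reference taken earlier in queuecommand */`, would make the error path self-explanatory. ufshcd_queuecommand() starts and ends outside the hunk, so whether its other early exits release the clock the same way cannot be checked from here. Since this backport needed a hand-resolved conflict, that is worth confirming against the 4.14 tree.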