From 7002919c106be6f8ece083e98db45fdd0cbbb5cb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 5 Apr 2021 10:21:06 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
staging-rtl8192e-change-state-information-from-u16-to-u8.patch
staging-rtl8192e-fix-incorrect-source-in-memcpy.patch
---
 queue-4.4/series | 2 +
 ...nge-state-information-from-u16-to-u8.patch | 74 +++++++++++++++++++
 ...8192e-fix-incorrect-source-in-memcpy.patch | 67 +++++++++++++++++
 3 files changed, 143 insertions(+)
 create mode 100644 queue-4.4/staging-rtl8192e-change-state-information-from-u16-to-u8.patch
 create mode 100644 queue-4.4/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch

diff --git a/queue-4.4/series b/queue-4.4/series
index 91d4bb4282a..23e1bdb0993 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -24,3 +24,5 @@ usb-quirks-ignore-remote-wake-up-on-fibocom-l850-gl-lte-modem.patch
 cdc-acm-fix-break-rx-code-path-adding-necessary-calls.patch
 usb-cdc-acm-downgrade-message-to-debug.patch
 usb-cdc-acm-fix-use-after-free-after-probe-failure.patch
+staging-rtl8192e-fix-incorrect-source-in-memcpy.patch
+staging-rtl8192e-change-state-information-from-u16-to-u8.patch
diff --git a/queue-4.4/staging-rtl8192e-change-state-information-from-u16-to-u8.patch b/queue-4.4/staging-rtl8192e-change-state-information-from-u16-to-u8.patch
new file mode 100644
index 00000000000..bfec6380c2d
--- /dev/null
+++ b/queue-4.4/staging-rtl8192e-change-state-information-from-u16-to-u8.patch
@@ -0,0 +1,74 @@
+From e78836ae76d20f38eed8c8c67f21db97529949da Mon Sep 17 00:00:00 2001
+From: Atul Gopinathan
+Date: Tue, 23 Mar 2021 17:04:14 +0530
+Subject: staging: rtl8192e: Change state information from u16 to u8
+
+From: Atul Gopinathan
+
+commit e78836ae76d20f38eed8c8c67f21db97529949da upstream.
+
+The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4
+bytes in total while the operations performed on this array through-out
+the code base are only 2 bytes.
+
+The "CcxRmState" field is fed only 2 bytes of data using memcpy():
+
+(In rtllib_rx.c:1972)
+ memcpy(network->CcxRmState, &info_element->data[4], 2)
+
+With "info_element->data[]" being a u8 array, if 2 bytes are written
+into "CcxRmState" (whose one element is u16 size), then the 2 u8
+elements from "data[]" gets squashed and written into the first element
+("CcxRmState[0]") while the second element ("CcxRmState[1]") is never
+fed with any data.
+
+Same in file rtllib_rx.c:2522:
+ memcpy(dst->CcxRmState, src->CcxRmState, 2);
+
+The above line duplicates "src" data to "dst" but only writes 2 bytes
+(and not 4, which is the actual size). Again, only 1st element gets the
+value while the 2nd element remains uninitialized.
+
+This later makes operations done with CcxRmState unpredictable in the
+following lines as the 1st element is having a squashed number while the
+2nd element is having an uninitialized random number.
+
+rtllib_rx.c:1973: if (network->CcxRmState[0] != 0)
+rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07;
+
+network->MBssidMask is also of type u8 and not u16.
+
+Fix this by changing the type of "CcxRmState" from u16 to u8 so that the
+data written into this array and read from it make sense and are not
+random values.
+
+NOTE: The wrong initialization of "CcxRmState" can be seen in the
+following commit:
+
+commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
+
+The above commit created a file `rtl8192e/ieee80211.h` which used to
+have the faulty line. The file has been deleted (or possibly renamed)
+with the contents copied in to a new file `rtl8192e/rtllib.h` along with
+additional code in the commit 94a799425eee (tagged in Fixes).
+
+Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Cc: stable@vger.kernel.org
+Signed-off-by: Atul Gopinathan
+Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192e/rtllib.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtllib.h
++++ b/drivers/staging/rtl8192e/rtllib.h
+@@ -1160,7 +1160,7 @@ struct rtllib_network {
+ bool bWithAironetIE;
+ bool bCkipSupported;
+ bool bCcxRmEnable;
+- u16 CcxRmState[2];
++ u8 CcxRmState[2];
+ bool bMBssidValid;
+ u8 MBssidMask;
+ u8 MBssid[ETH_ALEN];
diff --git a/queue-4.4/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch b/queue-4.4/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch
new file mode 100644
index 00000000000..b5f71db9945
--- /dev/null
+++ b/queue-4.4/staging-rtl8192e-fix-incorrect-source-in-memcpy.patch
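Review bot: The new `u8 CcxRmState[2];` declaration leaves the field's width coupled to two bare literal byte counts elsewhere (the `memcpy(network->CcxRmState, &info_element->data[4], 2)` and the `memcpy(dst->CcxRmState, src->CcxRmState, 2)` the message cites) with nothing at the declaration recording that contract. A short comment on the field would capture it, e.g. `u8 CcxRmState[2]; /* 2 bytes copied from data[4..5] of a len == 6 info element in rtllib_parse_mife_generic() */`. The series applies the memcpy source fix first; on its own, with the u16 type still in place, that fix leaves `CcxRmState[1]` uninitialized for the `& 0x07` read the message quotes, so the two patches should be carried together in any further backport. `struct rtllib_network` starts and ends outside the hunk.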
@@ -0,0 +1,67 @@
+From 72ad25fbbb78930f892b191637359ab5b94b3190 Mon Sep 17 00:00:00 2001
+From: Atul Gopinathan
+Date: Tue, 23 Mar 2021 17:04:12 +0530
+Subject: staging: rtl8192e: Fix incorrect source in memcpy()
+
+From: Atul Gopinathan
+
+commit 72ad25fbbb78930f892b191637359ab5b94b3190 upstream.
+
+The variable "info_element" is of the following type:
+
+ struct rtllib_info_element *info_element
+
+defined in drivers/staging/rtl8192e/rtllib.h:
+
+ struct rtllib_info_element {
+ u8 id;
+ u8 len;
+ u8 data[];
+ } __packed;
+
+The "len" field defines the size of the "data[]" array. The code is
+supposed to check if "info_element->len" is greater than 4 and later
+equal to 6. If this is satisfied then, the last two bytes (the 4th and
+5th element of u8 "data[]" array) are copied into "network->CcxRmState".
+
+Right now the code uses "memcpy()" with the source as "&info_element[4]"
+which would copy in wrong and unintended information. The struct
+"rtllib_info_element" has a size of 2 bytes for "id" and "len",
+therefore indexing will be done in interval of 2 bytes. So,
+"info_element[4]" would point to data which is beyond the memory
+allocated for this pointer (that is, at x+8, while "info_element" has
+been allocated only from x to x+7 (2 + 6 => 8 bytes)).
+
+This patch rectifies this error by using "&info_element->data[4]" which
+correctly copies the last two bytes of "data[]".
+
+NOTE: The faulty line of code came from the following commit:
+
+commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver")
+
+The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c`
+which had the faulty line of code. This file has been deleted (or
+possibly renamed) with the contents copied in to a new file
+`rtl8192e/rtllib_rx.c` along with additional code in the commit
+94a799425eee (tagged in Fixes).
+
+Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Cc: stable@vger.kernel.org
+Signed-off-by: Atul Gopinathan
+Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtllib_rx.c
++++ b/drivers/staging/rtl8192e/rtllib_rx.c
+@@ -1988,7 +1988,7 @@ static void rtllib_parse_mife_generic(st
+ info_element->data[2] == 0x96 &&
+ info_element->data[3] == 0x01) {
+ if (info_element->len == 6) {
+- memcpy(network->CcxRmState, &info_element[4], 2);
++ memcpy(network->CcxRmState, &info_element->data[4], 2);
+ if (network->CcxRmState[0] != 0)
+ network->bCcxRmEnable = true;
+ else
-- 
2.47.3
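Review bot: The copy length in the new `memcpy(network->CcxRmState, &info_element->data[4], 2);` is a bare literal that must agree with both the `info_element->len == 6` guard two lines above (data[4] and data[5] are the last two in-bounds bytes) and the size of the destination, and neither relationship is stated at the call site. A comment such as `/* data[4..5]: the len == 6 check above guarantees both bytes exist */` would make the bound visible to the next reader. Replacing the literal with `sizeof(network->CcxRmState)` is only correct once the companion u16→u8 patch in this queue is applied (with `u16 CcxRmState[2]` it would read 4 bytes, past `len`), so keeping the literal is the safer choice for this backport. `rtllib_parse_mife_generic()` starts and ends outside the hunk.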