diff --git a/Buffer-overflow-read-checks-in-mwifiex.patch b/Buffer-overflow-read-checks-in-mwifiex.patch
deleted file mode 100644
index 00ae1fa..0000000
--- a/Buffer-overflow-read-checks-in-mwifiex.patch
+++ /dev/null
@@ -1,238 +0,0 @@ -From patchwork Wed May 29 12:52:19 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Takashi Iwai -X-Patchwork-Id: 10967049 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: -Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org - [172.30.200.125]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3C6B01575 - for ; - Wed, 29 May 2019 12:52:41 +0000 (UTC) -Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FD42287D4 - for ; - Wed, 29 May 2019 12:52:41 +0000 (UTC) -Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) - id 2E25D2897A; Wed, 29 May 2019 12:52:41 +0000 (UTC) -X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on - pdx-wl-mail.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, - RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A60B52895F - for ; - Wed, 29 May 2019 12:52:40 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1727034AbfE2Mwk (ORCPT - ); - Wed, 29 May 2019 08:52:40 -0400 -Received: from mx2.suse.de ([195.135.220.15]:33780 "EHLO mx1.suse.de" - rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP - id S1725936AbfE2Mwj (ORCPT ); - Wed, 29 May 2019 08:52:39 -0400 -X-Virus-Scanned: by amavisd-new at test-mx.suse.de -Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx1.suse.de (Postfix) with ESMTP id EA4CCB00B; - Wed, 29 May 2019 12:52:37 +0000 (UTC) -From: Takashi Iwai -To: linux-wireless@vger.kernel.org -Cc: Amitkumar Karwar , - Nishant Sarmukadam , - Ganapathi Bhat , - Xinming Hu , - Kalle Valo , huangwen@venustech.com.cn, - Solar Designer , - Marcus Meissner -Subject: [PATCH 1/2] 
mwifiex: Fix possible buffer overflows at parsing bss - descriptor -Date: Wed, 29 May 2019 14:52:19 +0200 -Message-Id: <20190529125220.17066-2-tiwai@suse.de> -X-Mailer: git-send-email 2.16.4 -In-Reply-To: <20190529125220.17066-1-tiwai@suse.de> -References: <20190529125220.17066-1-tiwai@suse.de> -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-wireless@vger.kernel.org -X-Virus-Scanned: ClamAV using ClamSMTP - -mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in -a couple places without checking the destination size. Since the -source is given from user-space, this may trigger a heap buffer -overflow. - -Fix it by putting the length check before performing memcpy(). - -This fix addresses CVE-2019-3846. - -Reported-by: huangwen -Signed-off-by: Takashi Iwai ---- - drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c -index 935778ec9a1b..64ab6fe78c0d 100644 ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - } - switch (element_id) { - case WLAN_EID_SSID: -+ if (element_len > IEEE80211_MAX_SSID_LEN) -+ return -EINVAL; - bss_entry->ssid.ssid_len = element_len; - memcpy(bss_entry->ssid.ssid, (current_ptr + 2), - element_len); -@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_SUPP_RATES: -+ if (element_len > MWIFIEX_SUPPORTED_RATES) -+ return -EINVAL; - memcpy(bss_entry->data_rates, current_ptr + 2, - element_len); - memcpy(bss_entry->supported_rates, current_ptr + 2, - -From patchwork Wed May 29 12:52:20 2019 -Content-Type: text/plain; charset="utf-8" -MIME-Version: 1.0 -Content-Transfer-Encoding: 7bit -X-Patchwork-Submitter: Takashi Iwai -X-Patchwork-Id: 
10967047 -X-Patchwork-Delegate: kvalo@adurom.com -Return-Path: -Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org - [172.30.200.125]) - by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 05B0D92A - for ; - Wed, 29 May 2019 12:52:41 +0000 (UTC) -Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB3CC28972 - for ; - Wed, 29 May 2019 12:52:40 +0000 (UTC) -Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) - id DF23B28978; Wed, 29 May 2019 12:52:40 +0000 (UTC) -X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on - pdx-wl-mail.web.codeaurora.org -X-Spam-Level: -X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, - RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 -Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) - by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8221B20121 - for ; - Wed, 29 May 2019 12:52:40 +0000 (UTC) -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1727023AbfE2Mwj (ORCPT - ); - Wed, 29 May 2019 08:52:39 -0400 -Received: from mx2.suse.de ([195.135.220.15]:33796 "EHLO mx1.suse.de" - rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP - id S1727017AbfE2Mwj (ORCPT ); - Wed, 29 May 2019 08:52:39 -0400 -X-Virus-Scanned: by amavisd-new at test-mx.suse.de -Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx1.suse.de (Postfix) with ESMTP id 06E82B010; - Wed, 29 May 2019 12:52:38 +0000 (UTC) -From: Takashi Iwai -To: linux-wireless@vger.kernel.org -Cc: Amitkumar Karwar , - Nishant Sarmukadam , - Ganapathi Bhat , - Xinming Hu , - Kalle Valo , huangwen@venustech.com.cn, - Solar Designer , - Marcus Meissner -Subject: [PATCH 2/2] mwifiex: Abort at too short BSS descriptor element -Date: Wed, 29 May 2019 14:52:20 +0200 -Message-Id: <20190529125220.17066-3-tiwai@suse.de> -X-Mailer: git-send-email 2.16.4 -In-Reply-To: 
<20190529125220.17066-1-tiwai@suse.de> -References: <20190529125220.17066-1-tiwai@suse.de> -Sender: linux-wireless-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-wireless@vger.kernel.org -X-Virus-Scanned: ClamAV using ClamSMTP - -Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that -the source descriptor entries contain the enough size for each type -and performs copying without checking the source size. This may lead -to read over boundary. - -Fix this by putting the source size check in appropriate places. - -Signed-off-by: Takashi Iwai ---- - drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c -index 64ab6fe78c0d..c269a0de9413 100644 ---- a/drivers/net/wireless/marvell/mwifiex/scan.c -+++ b/drivers/net/wireless/marvell/mwifiex/scan.c -@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_FH_PARAMS: -+ if (element_len + 2 < sizeof(*fh_param_set)) -+ return -EINVAL; - fh_param_set = - (struct ieee_types_fh_param_set *) current_ptr; - memcpy(&bss_entry->phy_param_set.fh_param_set, -@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_DS_PARAMS: -+ if (element_len + 2 < sizeof(*ds_param_set)) -+ return -EINVAL; - ds_param_set = - (struct ieee_types_ds_param_set *) current_ptr; - -@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_CF_PARAMS: -+ if (element_len + 2 < sizeof(*cf_param_set)) -+ return -EINVAL; - cf_param_set = - (struct ieee_types_cf_param_set *) current_ptr; - memcpy(&bss_entry->ss_param_set.cf_param_set, -@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_IBSS_PARAMS: -+ if (element_len + 2 < 
sizeof(*ibss_param_set)) -+ return -EINVAL; - ibss_param_set = - (struct ieee_types_ibss_param_set *) - current_ptr; -@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_ERP_INFO: -+ if (!element_len) -+ return -EINVAL; - bss_entry->erp_flags = *(current_ptr + 2); - break; - - case WLAN_EID_PWR_CONSTRAINT: -+ if (!element_len) -+ return -EINVAL; - bss_entry->local_constraint = *(current_ptr + 2); - bss_entry->sensed_11h = true; - break; -@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter, - break; - - case WLAN_EID_VENDOR_SPECIFIC: -+ if (element_len + 2 < sizeof(vendor_ie->vend_hdr)) -+ return -EINVAL; -+ - vendor_ie = (struct ieee_types_vendor_specific *) - current_ptr; - diff --git a/bcm2835-vchiq-use-interruptible-waits.patch b/bcm2835-vchiq-use-interruptible-waits.patch index cc4afc6..d21cbe9 100644 --- a/bcm2835-vchiq-use-interruptible-waits.patch +++ b/bcm2835-vchiq-use-interruptible-waits.patch 
@@ -1,329 +1,3 @@ -From 0fa32f5500a1b4a81d6856ad389d654f1377f744 Mon Sep 17 00:00:00 2001 -From: Nicolas Saenz Julienne -Date: Thu, 9 May 2019 16:31:33 +0200 -Subject: [PATCH 1/4] staging: vchiq_2835_arm: revert "quit using custom - down_interruptible()" - -The killable version of down() is meant to be used on situations where -it should not fail at all costs, but still have the convenience of being -able to kill it if really necessary. VCHIQ doesn't fit this criteria, as -it's mainly used as an interface to V4L2 and ALSA devices. - -Fixes: ff5979ad8636 ("staging: vchiq_2835_arm: quit using custom down_interruptible()") -Signed-off-by: Nicolas Saenz Julienne -Acked-by: Stefan Wahren ---- - .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c -index a9cc01e8e6c5..833b28e9ba4b 100644 ---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c -+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c -@@ -553,7 +553,7 @@ create_pagelist(char __user *buf, size_t count, unsigned short type) - (g_cache_line_size - 1)))) { - char *fragments; - -- if (down_killable(&g_free_fragments_sema)) { -+ if (down_interruptible(&g_free_fragments_sema) != 0) { - cleanup_pagelistinfo(pagelistinfo); - return NULL; - } --- -2.21.0 - -From 7c73f359a4f269b611ebc00a910933d2d1926ebe Mon Sep 17 00:00:00 2001 -From: Peter Robinson -Date: Thu, 4 Jul 2019 17:31:38 +0100 -Subject: [PATCH 2/4] staging: vchiq: revert "switch to - wait_for_completion_killable" - -The killable version of wait_for_completion() is meant to be used on -situations where it should not fail at all costs, but still have the -convenience of being able to kill it if really necessary. VCHIQ doesn't -fit this criteria, as it's mainly used as an interface to V4L2 and ALSA -devices. 
- -Fixes: a772f116702e ("staging: vchiq: switch to wait_for_completion_killable") -Signed-off-by: Nicolas Saenz Julienne -Signed-off-by: Peter Robinson ---- - .../interface/vchiq_arm/vchiq_arm.c | 21 ++++++++++--------- - .../interface/vchiq_arm/vchiq_core.c | 21 ++++++++++--------- - .../interface/vchiq_arm/vchiq_util.c | 6 +++--- - 3 files changed, 25 insertions(+), 23 deletions(-) - -diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c -index 064d0db4c51e..ccfb8218b83c 100644 ---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c -+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c -@@ -560,7 +560,8 @@ add_completion(VCHIQ_INSTANCE_T instance, VCHIQ_REASON_T reason, - vchiq_log_trace(vchiq_arm_log_level, - "%s - completion queue full", __func__); - DEBUG_COUNT(COMPLETION_QUEUE_FULL_COUNT); -- if (wait_for_completion_killable( &instance->remove_event)) { -+ if (wait_for_completion_interruptible( -+ &instance->remove_event)) { - vchiq_log_info(vchiq_arm_log_level, - "service_callback interrupted"); - return VCHIQ_RETRY; -@@ -671,7 +672,7 @@ service_callback(VCHIQ_REASON_T reason, struct vchiq_header *header, - } - - DEBUG_TRACE(SERVICE_CALLBACK_LINE); -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &user_service->remove_event) - != 0) { - vchiq_log_info(vchiq_arm_log_level, -@@ -1006,7 +1007,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - has been closed until the client library calls the - CLOSE_DELIVERED ioctl, signalling close_event. 
*/ - if (user_service->close_pending && -- wait_for_completion_killable( -+ wait_for_completion_interruptible( - &user_service->close_event)) - status = VCHIQ_RETRY; - break; -@@ -1182,7 +1183,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - - DEBUG_TRACE(AWAIT_COMPLETION_LINE); - mutex_unlock(&instance->completion_mutex); -- rc = wait_for_completion_killable( -+ rc = wait_for_completion_interruptible( - &instance->insert_event); - mutex_lock(&instance->completion_mutex); - if (rc != 0) { -@@ -1352,7 +1353,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg) - do { - spin_unlock(&msg_queue_spinlock); - DEBUG_TRACE(DEQUEUE_MESSAGE_LINE); -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &user_service->insert_event)) { - vchiq_log_info(vchiq_arm_log_level, - "DEQUEUE_MESSAGE interrupted"); -@@ -2360,7 +2361,7 @@ vchiq_keepalive_thread_func(void *v) - while (1) { - long rc = 0, uc = 0; - -- if (wait_for_completion_killable(&arm_state->ka_evt) -+ if (wait_for_completion_interruptible(&arm_state->ka_evt) - != 0) { - vchiq_log_error(vchiq_susp_log_level, - "%s interrupted", __func__); -@@ -2611,7 +2612,7 @@ block_resume(struct vchiq_arm_state *arm_state) - write_unlock_bh(&arm_state->susp_res_lock); - vchiq_log_info(vchiq_susp_log_level, "%s wait for previously " - "blocked clients", __func__); -- if (wait_for_completion_killable_timeout( -+ if (wait_for_completion_interruptible_timeout( - &arm_state->blocked_blocker, timeout_val) - <= 0) { - vchiq_log_error(vchiq_susp_log_level, "%s wait for " -@@ -2637,7 +2638,7 @@ block_resume(struct vchiq_arm_state *arm_state) - write_unlock_bh(&arm_state->susp_res_lock); - vchiq_log_info(vchiq_susp_log_level, "%s wait for resume", - __func__); -- if (wait_for_completion_killable_timeout( -+ if (wait_for_completion_interruptible_timeout( - &arm_state->vc_resume_complete, timeout_val) - <= 0) { - vchiq_log_error(vchiq_susp_log_level, "%s wait for " -@@ 
-2844,7 +2845,7 @@ vchiq_arm_force_suspend(struct vchiq_state *state) - do { - write_unlock_bh(&arm_state->susp_res_lock); - -- rc = wait_for_completion_killable_timeout( -+ rc = wait_for_completion_interruptible_timeout( - &arm_state->vc_suspend_complete, - msecs_to_jiffies(FORCE_SUSPEND_TIMEOUT_MS)); - -@@ -2940,7 +2941,7 @@ vchiq_arm_allow_resume(struct vchiq_state *state) - write_unlock_bh(&arm_state->susp_res_lock); - - if (resume) { -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &arm_state->vc_resume_complete) < 0) { - vchiq_log_error(vchiq_susp_log_level, - "%s interrupted", __func__); -diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -index 819813e742d8..bc5661dde987 100644 ---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -@@ -590,7 +590,7 @@ reserve_space(struct vchiq_state *state, size_t space, int is_blocking) - remote_event_signal(&state->remote->trigger); - - if (!is_blocking || -- (wait_for_completion_killable( -+ (wait_for_completion_interruptible( - &state->slot_available_event))) - return NULL; /* No space available */ - } -@@ -860,7 +860,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service, - spin_unlock("a_spinlock); - mutex_unlock(&state->slot_mutex); - -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &state->data_quota_event)) - return VCHIQ_RETRY; - -@@ -891,7 +891,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service, - service_quota->slot_use_count); - VCHIQ_SERVICE_STATS_INC(service, quota_stalls); - mutex_unlock(&state->slot_mutex); -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &service_quota->quota_event)) - return VCHIQ_RETRY; - if (service->closing) -@@ -1740,7 +1740,8 @@ parse_rx_slots(struct vchiq_state *state) 
- &service->bulk_rx : &service->bulk_tx; - - DEBUG_TRACE(PARSE_LINE); -- if (mutex_lock_killable(&service->bulk_mutex)) { -+ if (mutex_lock_killable( -+ &service->bulk_mutex) != 0) { - DEBUG_TRACE(PARSE_LINE); - goto bail_not_ready; - } -@@ -2458,7 +2459,7 @@ vchiq_open_service_internal(struct vchiq_service *service, int client_id) - QMFLAGS_IS_BLOCKING); - if (status == VCHIQ_SUCCESS) { - /* Wait for the ACK/NAK */ -- if (wait_for_completion_killable(&service->remove_event)) { -+ if (wait_for_completion_interruptible(&service->remove_event)) { - status = VCHIQ_RETRY; - vchiq_release_service_internal(service); - } else if ((service->srvstate != VCHIQ_SRVSTATE_OPEN) && -@@ -2825,7 +2826,7 @@ vchiq_connect_internal(struct vchiq_state *state, VCHIQ_INSTANCE_T instance) - } - - if (state->conn_state == VCHIQ_CONNSTATE_CONNECTING) { -- if (wait_for_completion_killable(&state->connect)) -+ if (wait_for_completion_interruptible(&state->connect)) - return VCHIQ_RETRY; - - vchiq_set_conn_state(state, VCHIQ_CONNSTATE_CONNECTED); -@@ -2924,7 +2925,7 @@ vchiq_close_service(VCHIQ_SERVICE_HANDLE_T handle) - } - - while (1) { -- if (wait_for_completion_killable(&service->remove_event)) { -+ if (wait_for_completion_interruptible(&service->remove_event)) { - status = VCHIQ_RETRY; - break; - } -@@ -2985,7 +2986,7 @@ vchiq_remove_service(VCHIQ_SERVICE_HANDLE_T handle) - request_poll(service->state, service, VCHIQ_POLL_REMOVE); - } - while (1) { -- if (wait_for_completion_killable(&service->remove_event)) { -+ if (wait_for_completion_interruptible(&service->remove_event)) { - status = VCHIQ_RETRY; - break; - } -@@ -3068,7 +3069,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle, - VCHIQ_SERVICE_STATS_INC(service, bulk_stalls); - do { - mutex_unlock(&service->bulk_mutex); -- if (wait_for_completion_killable( -+ if (wait_for_completion_interruptible( - &service->bulk_remove_event)) { - status = VCHIQ_RETRY; - goto error_exit; -@@ -3145,7 +3146,7 @@ VCHIQ_STATUS_T 
vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle, - - if (bulk_waiter) { - bulk_waiter->bulk = bulk; -- if (wait_for_completion_killable(&bulk_waiter->event)) -+ if (wait_for_completion_interruptible(&bulk_waiter->event)) - status = VCHIQ_RETRY; - else if (bulk_waiter->actual == VCHIQ_BULK_ACTUAL_ABORTED) - status = VCHIQ_ERROR; -diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c -index 55c5fd82b911..30deea1b57f7 100644 ---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c -+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c -@@ -80,7 +80,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header) - return; - - while (queue->write == queue->read + queue->size) { -- if (wait_for_completion_killable(&queue->pop)) -+ if (wait_for_completion_interruptible(&queue->pop)) - flush_signals(current); - } - -@@ -93,7 +93,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header) - struct vchiq_header *vchiu_queue_peek(struct vchiu_queue *queue) - { - while (queue->write == queue->read) { -- if (wait_for_completion_killable(&queue->push)) -+ if (wait_for_completion_interruptible(&queue->push)) - flush_signals(current); - } - -@@ -107,7 +107,7 @@ struct vchiq_header *vchiu_queue_pop(struct vchiu_queue *queue) - struct vchiq_header *header; - - while (queue->write == queue->read) { -- if (wait_for_completion_killable(&queue->push)) -+ if (wait_for_completion_interruptible(&queue->push)) - flush_signals(current); - } - --- -2.21.0 - -From 4d0d97ce18dc90a3ca6296ee669c51b5a55a61c7 Mon Sep 17 00:00:00 2001 -From: Nicolas Saenz Julienne -Date: Thu, 9 May 2019 16:31:35 +0200 -Subject: [PATCH 3/4] staging: vchiq: make wait events interruptible - -The killable version of wait_event() is meant to be used on situations -where it should not fail at all costs, but still have the convenience of -being able to kill it if 
really necessary. Wait events in VCHIQ doesn't -fit this criteria, as it's mainly used as an interface to V4L2 and ALSA -devices. - -Fixes: 852b2876a8a8 ("staging: vchiq: rework remove_event handling") -Signed-off-by: Nicolas Saenz Julienne ---- - .../vc04_services/interface/vchiq_arm/vchiq_core.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -index bc5661dde987..0958d86aebe6 100644 ---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c -@@ -425,13 +425,21 @@ remote_event_create(wait_queue_head_t *wq, struct remote_event *event) - init_waitqueue_head(wq); - } - -+/* -+ * All the event waiting routines in VCHIQ used a custom semaphore -+ * implementation that filtered most signals. This achieved a behaviour similar -+ * to the "killable" family of functions. While cleaning up this code all the -+ * routines where switched to the "interruptible" family of functions, as the -+ * former was deemed unjustified and the use "killable" set all VCHIQ's -+ * threads in D state. -+ */ - static inline int - remote_event_wait(wait_queue_head_t *wq, struct remote_event *event) - { - if (!event->fired) { - event->armed = 1; - dsb(sy); -- if (wait_event_killable(*wq, event->fired)) { -+ if (wait_event_interruptible(*wq, event->fired)) { - event->armed = 0; - return 0; - } --- -2.21.0 - From e4d9fccaaf6e61bbc7416d92d73cec5a5f0cb458 Mon Sep 17 00:00:00 2001 From: Nicolas Saenz Julienne Date: Thu, 9 May 2019 16:31:36 +0200 diff --git a/configs/fedora/generic/CONFIG_ASIX_PHY b/configs/fedora/generic/CONFIG_ASIX_PHY deleted file mode 100644 index 37bb545..0000000 --- a/configs/fedora/generic/CONFIG_ASIX_PHY +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_ASIX_PHY is not set 
diff --git a/configs/fedora/generic/CONFIG_AX88796B_PHY b/configs/fedora/generic/CONFIG_AX88796B_PHY new file mode 100644 index 0000000..ec30dfc --- /dev/null +++ b/configs/fedora/generic/CONFIG_AX88796B_PHY @@ -0,0 +1 @@ +# CONFIG_AX88796B_PHY is not set diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index 59b11e9..3ee558d 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -370,7 +370,6 @@ CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_TIMER_SP804=y CONFIG_ARMV8_DEPRECATED=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -461,6 +460,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_AXP20X_ADC=m CONFIG_AXP20X_POWER=m CONFIG_AXP288_ADC=m diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 08834a8..9964d6d 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -370,7 +370,6 @@ CONFIG_ARM_TEGRA_DEVFREQ=m CONFIG_ARM_TIMER_SP804=y CONFIG_ARMV8_DEPRECATED=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -461,6 +460,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_AXP20X_ADC=m CONFIG_AXP20X_POWER=m CONFIG_AXP288_ADC=m diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index 7956bea..d0d81b8 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -368,7 +368,6 @@ CONFIG_ARM_VIRT_EXT=y CONFIG_ARM=y CONFIG_ARM_ZYNQ_CPUIDLE=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m 
@@ -462,6 +461,7 @@ CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m CONFIG_AX88796_93CX6=y +# CONFIG_AX88796B_PHY is not set CONFIG_AX88796=m CONFIG_AXI_DMAC=m CONFIG_AXP20X_ADC=m diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index cfdc49b..1350ca8 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -355,7 +355,6 @@ CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=m CONFIG_ARM_VIRT_EXT=y CONFIG_ARM=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -449,6 +448,7 @@ CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m CONFIG_AX88796_93CX6=y +# CONFIG_AX88796B_PHY is not set CONFIG_AX88796=m CONFIG_AXP20X_ADC=m CONFIG_AXP20X_POWER=m diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 8a8424c..72ec631 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -355,7 +355,6 @@ CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=m CONFIG_ARM_VIRT_EXT=y CONFIG_ARM=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -449,6 +448,7 @@ CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m CONFIG_AX88796_93CX6=y +# CONFIG_AX88796B_PHY is not set CONFIG_AX88796=m CONFIG_AXP20X_ADC=m CONFIG_AXP20X_POWER=m diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index 9556f2f..8d2811a 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -368,7 +368,6 @@ CONFIG_ARM_VIRT_EXT=y CONFIG_ARM=y CONFIG_ARM_ZYNQ_CPUIDLE=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -462,6 +461,7 @@ CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m CONFIG_AX88796_93CX6=y +# CONFIG_AX88796B_PHY is not set CONFIG_AX88796=m CONFIG_AXI_DMAC=m CONFIG_AXP20X_ADC=m 
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 0b87d7c..f89797c 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -251,7 +251,6 @@ CONFIG_ARCH_MULTIPLATFORM=y CONFIG_ARM64_ERRATUM_858921=y CONFIG_ARM_PTDUMP_DEBUGFS=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASUS_LAPTOP=m CONFIG_ASUS_NB_WMI=m CONFIG_ASUS_WIRELESS=m @@ -344,6 +343,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-i686.config b/kernel-i686.config index 41057b9..fe4a054 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -250,7 +250,6 @@ CONFIG_ARCH_MULTIPLATFORM=y # CONFIG_ARCNET is not set CONFIG_ARM64_ERRATUM_858921=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASUS_LAPTOP=m CONFIG_ASUS_NB_WMI=m CONFIG_ASUS_WIRELESS=m @@ -343,6 +342,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index a37c61a..c9abec9 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -195,7 +195,6 @@ CONFIG_ARCH_MULTIPLATFORM=y CONFIG_ARM64_ERRATUM_858921=y CONFIG_ARM_PTDUMP_DEBUGFS=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -284,6 +283,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index a23326d..4884618 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config 
@@ -194,7 +194,6 @@ CONFIG_ARCH_MULTIPLATFORM=y # CONFIG_ARCNET is not set CONFIG_ARM64_ERRATUM_858921=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -283,6 +282,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config index 894ded6..41f884a 100644 --- a/kernel-s390x-debug.config +++ b/kernel-s390x-debug.config @@ -200,7 +200,6 @@ CONFIG_ARCH_RANDOM=y CONFIG_ARM64_ERRATUM_858921=y CONFIG_ARM_PTDUMP_DEBUGFS=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -289,6 +288,7 @@ CONFIG_AUTOFS_FS=y # CONFIG_AUXDISPLAY is not set CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-s390x.config b/kernel-s390x.config index d58fdfe..3d07d6e 100644 --- a/kernel-s390x.config +++ b/kernel-s390x.config @@ -199,7 +199,6 @@ CONFIG_ARCH_RANDOM=y # CONFIG_ARCNET is not set CONFIG_ARM64_ERRATUM_858921=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASYMMETRIC_KEY_TYPE=y CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m CONFIG_ASYNC_RAID6_TEST=m @@ -288,6 +287,7 @@ CONFIG_AUTOFS_FS=y # CONFIG_AUXDISPLAY is not set CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set CONFIG_B43_BCMA_PIO=y CONFIG_B43_BCMA=y CONFIG_B43_BUSES_BCMA_AND_SSB=y diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index db2ed00..ec5e711 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config 
@@ -254,7 +254,6 @@ CONFIG_ARCH_MULTIPLATFORM=y CONFIG_ARM64_ERRATUM_858921=y CONFIG_ARM_PTDUMP_DEBUGFS=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASUS_LAPTOP=m CONFIG_ASUS_NB_WMI=m CONFIG_ASUS_WIRELESS=m @@ -347,6 +346,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set # CONFIG_AXP20X_ADC is not set # CONFIG_AXP20X_POWER is not set CONFIG_AXP288_ADC=m diff --git a/kernel-x86_64.config b/kernel-x86_64.config index ef5038e..c45a4ec 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -253,7 +253,6 @@ CONFIG_ARCH_MULTIPLATFORM=y # CONFIG_ARCNET is not set CONFIG_ARM64_ERRATUM_858921=y # CONFIG_AS3935 is not set -# CONFIG_ASIX_PHY is not set CONFIG_ASUS_LAPTOP=m CONFIG_ASUS_NB_WMI=m CONFIG_ASUS_WIRELESS=m @@ -346,6 +345,7 @@ CONFIG_AUTOFS_FS=y CONFIG_AUXDISPLAY=y CONFIG_AX25_DAMA_SLAVE=y CONFIG_AX25=m +# CONFIG_AX88796B_PHY is not set # CONFIG_AXP20X_ADC is not set # CONFIG_AXP20X_POWER is not set CONFIG_AXP288_ADC=m diff --git a/kernel.spec b/kernel.spec index 8a2ce02..cb9c5eb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 17 +%define stable_update 18 # Set rpm version accordingly %if 0%{?stable_update} %define stablerev %{stable_update} @@ -594,9 +594,6 @@ Patch526: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch # CVE-2019-12378 rhbz 1715459 1715460 Patch528: ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch -# CVE-2019-3846 rhbz 1713059 1715475 -Patch529: Buffer-overflow-read-checks-in-mwifiex.patch - # CVE-2019-12380 rhbz 1715494 1715495 Patch530: 0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch 
@@ -621,9 +618,6 @@ Patch536: scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch
 # CVE-2019-12614 rhbz 1718176 1718185
 Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
 
-# CVE-2019-10126 rhbz 1716992 1720122
-Patch541: mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
-
 # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2
 Patch544: drm-panel-orientation-quirks.patch
 Patch545: efi-bgrt-acpi6.2-support.patch
@@ -1873,6 +1867,9 @@ fi
 #
 #
 %changelog
+* Mon Jul 15 2019 Jeremy Cline - 5.1.18-300
+- Linux v5.1.18
+
 * Wed Jul 10 2019 Jeremy Cline - 5.1.17-300
 - Linux v5.1.17
 
diff --git a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
deleted file mode 100644
index c9a0f13..0000000
--- a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From patchwork Fri May 31 13:18:41 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Takashi Iwai
-X-Patchwork-Id: 10970141
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path:
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2FA614C0
- for ;
- Fri, 31 May 2019 13:19:19 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
- by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 914E928CA2
- for ;
- Fri, 31 May 2019 13:19:19 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
- id 858EA28CA3; Fri, 31 May 2019 13:19:19 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
- pdx-wl-mail.web.codeaurora.org
-X-Spam-Level:
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
- RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4AB628CB5
- for ;
- Fri, 31 May 2019 13:19:18 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1726687AbfEaNTR (ORCPT
- );
- Fri, 31 May 2019 09:19:17 -0400
-Received: from mx2.suse.de ([195.135.220.15]:46148 "EHLO mx1.suse.de"
- rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
- id S1726330AbfEaNTR (ORCPT );
- Fri, 31 May 2019 09:19:17 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
- by mx1.suse.de (Postfix) with ESMTP id A72A4AE4D;
- Fri, 31 May 2019 13:19:15 +0000 (UTC)
-From: Takashi Iwai
-To: Kalle Valo
-Cc: Amitkumar Karwar ,
- Nishant Sarmukadam ,
- Ganapathi Bhat ,
- Xinming Hu ,
- huangwen ,
- Solar Designer ,
- Marcus Meissner ,
- linux-wireless@vger.kernel.org
-Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
-Date: Fri, 31 May 2019 15:18:41 +0200
-Message-Id: <20190531131841.7552-1-tiwai@suse.de>
-X-Mailer: git-send-email 2.16.4
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID:
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
-unconditionally, which may lead to either buffer overflow or read over
-boundary.
-
-This patch addresses the issues by checking the read size and the
-destination size at each place more properly. Along with the fixes,
-the patch cleans up the code slightly by introducing a temporary
-variable for the token size, and unifies the error path with the
-standard goto statement.
-
-Reported-by: huangwen
-Signed-off-by: Takashi Iwai
----
- drivers/net/wireless/marvell/mwifiex/ie.c | 47 ++++++++++++++++++++-----------
- 1 file changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
-index 6845eb57b39a..653d347a9a19 100644
---- a/drivers/net/wireless/marvell/mwifiex/ie.c
-+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
-@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- struct ieee80211_vendor_ie *vendorhdr;
- u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
- int left_len, parsed_len = 0;
-+ unsigned int token_len;
-+ int err = 0;
-
- if (!info->tail || !info->tail_len)
- return 0;
-@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- */
- while (left_len > sizeof(struct ieee_types_header)) {
- hdr = (void *)(info->tail + parsed_len);
-+ token_len = hdr->len + sizeof(struct ieee_types_header);
-+ if (token_len > left_len) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+
- switch (hdr->element_id) {
- case WLAN_EID_SSID:
- case WLAN_EID_SUPP_RATES:
-@@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
- WLAN_OUI_TYPE_MICROSOFT_WMM,
- (const u8 *)hdr,
-- hdr->len + sizeof(struct ieee_types_header)))
-+ token_len))
- break;
- /* fall through */
- default:
-- memcpy(gen_ie->ie_buffer + ie_len, hdr,
-- hdr->len + sizeof(struct ieee_types_header));
-- ie_len += hdr->len + sizeof(struct ieee_types_header);
-+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+ memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
-+ ie_len += token_len;
- break;
- }
-- left_len -= hdr->len + sizeof(struct ieee_types_header);
-- parsed_len += hdr->len + sizeof(struct ieee_types_header);
-+ left_len -= token_len;
-+ parsed_len += token_len;
- }
-
- /* parse only WPA vendor IE from tail, WMM IE is configured by
-@@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- WLAN_OUI_TYPE_MICROSOFT_WPA,
- info->tail, info->tail_len);
- if (vendorhdr) {
-- memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
-- vendorhdr->len + sizeof(struct ieee_types_header));
-- ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
-+ token_len = vendorhdr->len + sizeof(struct ieee_types_header);
-+ if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-+ memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
-+ ie_len += token_len;
- }
-
-- if (!ie_len) {
-- kfree(gen_ie);
-- return 0;
-- }
-+ if (!ie_len)
-+ goto out;
-
- gen_ie->ie_index = cpu_to_le16(gen_idx);
- gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
-@@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
-
- if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
- NULL, NULL)) {
-- kfree(gen_ie);
-- return -1;
-+ err = -EINVAL;
-+ goto out;
- }
-
- priv->gen_idx = gen_idx;
-+
-+ out:
- kfree(gen_ie);
-- return 0;
-+ return err;
- }
-
- /* This function parses different IEs-head & tail IEs, beacon IEs,
diff --git a/sources b/sources
index 8169b5b..6ba5e2b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (linux-5.1.tar.xz) = ae96f347badc95f1f3acf506c52b6cc23c0bd09ce8f4ce6705d4b4058b62593059bba1bc603c8d8b00a2f19131e7e56c31ac62b45883a346fa61d655e178f236
-SHA512 (patch-5.1.17.xz) = df78bdd2e98731498ff45377dddbe8d4adf42e680ed9f0ea05b3fef43144114e4c7817c4e160d960fad666e5b7da6002a4687b1a15323908de8c6990a50215d9
+SHA512 (patch-5.1.18.xz) = 5efb26c4937b38d80e3b2f3b57a352839e6ed46d29552350128ff8db0fc7e1c08d419198da975044aa18ede4675c8f4be63b9a1c302660294e218f022ccab026