Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.18.100 2017-12-20T09:01:34+00:00 2017-12-20T09:01:34+00:00 Miaoqing Pan miaoqing@codeaurora.org 2017-09-27T01:13:34+00:00 urn:sha1:07aa0bc0072e49c71caad90a3ab74aa34ccd64e4 [ Upstream commit ee0a47186e2fa9aa1c56cadcea470ca0ba8c8692 ] When the user sets count to zero the string buffer would remain completely uninitialized which causes the kernel to parse its own stack data, potentially leading to an info leak. In addition to that, the string might be not terminated properly when the user data does not contain a 0-terminator. Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Reviewed-by: Christoph Böhmwalder <christoph@boehmwalder.at> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-08-11T16:30:09+00:00 Lior David qca_liord@qca.qualcomm.com 2016-11-23T14:06:41+00:00 urn:sha1:60866c073c313ef3f72ccd0ea6f96cefa6beb167 commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream. When FW crashes with no_fw_recovery option, driver waits for manual recovery with wil->mutex held, this can easily create deadlocks. Fix the problem by moving the wait outside the lock. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-07-27T22:03:24+00:00 Miaoqing Pan miaoqing@codeaurora.org 2017-06-27T14:31:51+00:00 urn:sha1:5e061335a94d1be8dd39df46219968f062ab9dd0 commit bde717ab473668377fc65872398a102d40cb2d58 upstream. The hard coded register 0x9864 and 0x9924 are invalid for ar9300 chips. Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-07-27T22:03:24+00:00 Miaoqing Pan miaoqing@codeaurora.org 2017-06-27T14:31:49+00:00 urn:sha1:4088e4be1f8018c4d9dd97b44e5147264117dd94 commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream. One scenario that could lead to UAF is two threads writing simultaneously to the "tx99" debug file. One of them would set the "start" value to true and follow to ath9k_tx99_init(). Inside the function it would set the sc->tx99_state to true after allocating sc->tx99skb. Then, the other thread would execute write_file_tx99() and call ath9k_tx99_deinit(). sc->tx99_state would be freed. After that, the first thread would continue inside ath9k_tx99_init() and call r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl); that would make use of the freed sc->tx99_skb memory. Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-25T12:17:57+00:00 Johan Hovold johan@kernel.org 2017-03-13T12:44:20+00:00 urn:sha1:603455cd8ee20da2bbdccfe1f16f2fbf618a5e09 commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream. Make sure to check the number of endpoints to avoid dereferencing a NULL-pointer or accessing memory beyond the endpoint array should a malicious device lack the expected endpoints. Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-07-12T12:47:38+00:00 Arnd Bergmann arnd@arndb.de 2016-03-14T14:18:36+00:00 urn:sha1:247bbbca631f2c98770374d8671d277b3cf2a6fb [ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ] Code that was added back in 2.6.38 has an obvious overflow when accessing a static array, and at the time it was added only a code comment was put in front of it as a reminder to have it reviewed properly. This has not happened, but gcc-6 now points to the specific overflow: drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs': drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds] maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ~~~~~~~~~~~~~~~~~~~~~~~~~^~~ It turns out that the correct array length exists in the local 'intercepts' variable of this function, so we can just use that instead of hardcoding '4', so this patch changes all three instances to use that variable. The other two instances were already correct, but it's more consistent this way. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs") Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2016-06-03T15:30:29+00:00 Vittorio Gambaletta (VittGam) linux-wireless@vittgam.net 2016-04-11T02:48:55+00:00 urn:sha1:83162897ac34fe8201a8d2fb59b005319acdef36 [ Upstream commit 0f9edcdd88a993914fa1d1dc369b35dc503979db ] The Wistron DNMA-92 and Compex WLM200NX have inverted LED polarity (active high instead of active low). The same PCI Subsystem ID is used by both cards, which are based on the same Atheros MB92 design. Cc: <linux-wireless@vger.kernel.org> Cc: <ath9k-devel@qca.qualcomm.com> Cc: <ath9k-devel@lists.ath9k.org> Cc: <stable@vger.kernel.org> Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2016-06-01T20:23:30+00:00 Joseph Salisbury joseph.salisbury@canonical.com 2016-03-14T18:51:48+00:00 urn:sha1:9c887eec6fe91dff902e5ec51c19c8b08e1efb53 [ Upstream commit 7b9bc799a445aea95f64f15e0083cb19b5789abe ] BugLink: http://bugs.launchpad.net/bugs/972604 Commit 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin configuration for compaq c700 laptop") added a pin configuration for the Compaq c700 laptop. However, the polarity of the led pin is reversed. It should be red for wifi off and blue for wifi on, but it is the opposite. This bug was reported in the following bug report: http://pad.lv/972604 Fixes: 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin configuration for compaq c700 laptop") Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com> Cc: stable@vger.kernel.org Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2015-11-15T17:51:45+00:00 Felix Fietkau nbd@openwrt.org 2015-09-24T14:59:46+00:00 urn:sha1:9eb61e6a6e9e64ec4426529adf64a40e8082f829 [ Upstream commit 029cd0370241641eb70235d205aa0b90c84dce44 ] ath9k inserts padding between the 802.11 header and the data area (to align it). Since it didn't declare this extra required headroom, this led to some nasty issues like randomly dropped packets in some setups. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> 2015-10-28T02:13:28+00:00 Michal Kazior michal.kazior@tieto.com 2015-08-19T11:10:43+00:00 urn:sha1:fa1b77ba7760833af7eb61bef319ee0b1f630634 [ Upstream commit 5e55e3cbd1042cffa6249f22c10585e63f8a29bf ] The function returns 1 when DMA mapping fails. The driver would return bogus values and could possibly confuse itself if DMA failed. Fixes: 767d34fc67af ("ath10k: remove DMA mapping wrappers") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>