<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless, branch v4.9.41</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>wil6210: fix deadlock when using fw_no_recovery option</title>
<updated>2017-08-07T01:59:42+00:00</updated>
<author>
<name>Lior David</name>
<email>qca_liord@qca.qualcomm.com</email>
</author>
<published>2016-11-23T14:06:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f16bcd4dba9980a1d237b0fa0c697aa7547c2d6'/>
<id>2f16bcd4dba9980a1d237b0fa0c697aa7547c2d6</id>
<content type='text'>
commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.

When FW crashes with no_fw_recovery option, driver
waits for manual recovery with wil-&gt;mutex held, this
can easily create deadlocks.
Fix the problem by moving the wait outside the lock.

Signed-off-by: Lior David &lt;qca_liord@qca.qualcomm.com&gt;
Signed-off-by: Maya Erez &lt;qca_merez@qca.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.

When FW crashes with no_fw_recovery option, driver
waits for manual recovery with wil-&gt;mutex held, this
can easily create deadlocks.
Fix the problem by moving the wait outside the lock.

Signed-off-by: Lior David &lt;qca_liord@qca.qualcomm.com&gt;
Signed-off-by: Maya Erez &lt;qca_merez@qca.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix null deref on wmi-tlv when trying spectral scan</title>
<updated>2017-08-07T01:59:42+00:00</updated>
<author>
<name>Michal Kazior</name>
<email>michal.kazior@tieto.com</email>
</author>
<published>2016-11-14T13:25:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59153e6589366f09eb42b92c8bc8c2fce72fe8fe'/>
<id>59153e6589366f09eb42b92c8bc8c2fce72fe8fe</id>
<content type='text'>
commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [  168.037406] IP: [&lt;          (null)&gt;]           (null)
  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [  168.043303] Oops: 0010 [#1] SMP
  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [  168.061736] RIP: 0010:[&lt;0000000000000000&gt;]  [&lt;          (null)&gt;]           (null)
  ...
  [  168.100620] Call Trace:
  [  168.101910]  [&lt;ffffffffa03b9566&gt;] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [  168.104871]  [&lt;ffffffff811386e2&gt;] ? filemap_fault+0xb2/0x4a0
  [  168.106696]  [&lt;ffffffffa03b97e6&gt;] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [  168.109618]  [&lt;ffffffff812da3a1&gt;] full_proxy_write+0x51/0x80
  [  168.111443]  [&lt;ffffffff811957b8&gt;] __vfs_write+0x28/0x120
  [  168.113090]  [&lt;ffffffff812f1a2d&gt;] ? security_file_permission+0x3d/0xc0
  [  168.114932]  [&lt;ffffffff8109b912&gt;] ? percpu_down_read+0x12/0x60
  [  168.116680]  [&lt;ffffffff811965f8&gt;] vfs_write+0xb8/0x1a0
  [  168.118293]  [&lt;ffffffff81197966&gt;] SyS_write+0x46/0xa0
  [  168.119912]  [&lt;ffffffff818f2972&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [  168.121737] Code:  Bad RIP value.
  [  168.123318] RIP  [&lt;          (null)&gt;]           (null)

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background &gt; /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [  168.037406] IP: [&lt;          (null)&gt;]           (null)
  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [  168.043303] Oops: 0010 [#1] SMP
  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [  168.061736] RIP: 0010:[&lt;0000000000000000&gt;]  [&lt;          (null)&gt;]           (null)
  ...
  [  168.100620] Call Trace:
  [  168.101910]  [&lt;ffffffffa03b9566&gt;] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [  168.104871]  [&lt;ffffffff811386e2&gt;] ? filemap_fault+0xb2/0x4a0
  [  168.106696]  [&lt;ffffffffa03b97e6&gt;] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [  168.109618]  [&lt;ffffffff812da3a1&gt;] full_proxy_write+0x51/0x80
  [  168.111443]  [&lt;ffffffff811957b8&gt;] __vfs_write+0x28/0x120
  [  168.113090]  [&lt;ffffffff812f1a2d&gt;] ? security_file_permission+0x3d/0xc0
  [  168.114932]  [&lt;ffffffff8109b912&gt;] ? percpu_down_read+0x12/0x60
  [  168.116680]  [&lt;ffffffff811965f8&gt;] vfs_write+0xb8/0x1a0
  [  168.118293]  [&lt;ffffffff81197966&gt;] SyS_write+0x46/0xa0
  [  168.119912]  [&lt;ffffffff818f2972&gt;] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [  168.121737] Code:  Bad RIP value.
  [  168.123318] RIP  [&lt;          (null)&gt;]           (null)

Signed-off-by: Michal Kazior &lt;michal.kazior@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Amit Pundir &lt;amit.pundir@linaro.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>wlcore: fix 64K page support</title>
<updated>2017-07-27T22:07:58+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2017-05-11T11:52:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=754f4e05e9994e734bf620bfd77a9d04ac55e7b4'/>
<id>754f4e05e9994e734bf620bfd77a9d04ac55e7b4</id>
<content type='text'>
commit 4a4274bf2dbbd1c7a45be0c89a1687c9d2eef4a0 upstream.

In the stable linux-3.16 branch, I ran into a warning in the
wlcore driver:

drivers/net/wireless/ti/wlcore/spi.c: In function 'wl12xx_spi_raw_write':
drivers/net/wireless/ti/wlcore/spi.c:315:1: error: the frame size of 12848 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]

Newer kernels no longer show the warning, but the bug is still there,
as the allocation is based on the CPU page size rather than the
actual capabilities of the hardware.

This replaces the PAGE_SIZE macro with the SZ_4K macro, i.e. 4096 bytes
per buffer.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4a4274bf2dbbd1c7a45be0c89a1687c9d2eef4a0 upstream.

In the stable linux-3.16 branch, I ran into a warning in the
wlcore driver:

drivers/net/wireless/ti/wlcore/spi.c: In function 'wl12xx_spi_raw_write':
drivers/net/wireless/ti/wlcore/spi.c:315:1: error: the frame size of 12848 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]

Newer kernels no longer show the warning, but the bug is still there,
as the allocation is based on the CPU page size rather than the
actual capabilities of the hardware.

This replaces the PAGE_SIZE macro with the SZ_4K macro, i.e. 4096 bytes
per buffer.

Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath9k: fix an invalid pointer dereference in ath9k_rng_stop()</title>
<updated>2017-07-27T22:07:55+00:00</updated>
<author>
<name>Miaoqing Pan</name>
<email>miaoqing@codeaurora.org</email>
</author>
<published>2017-06-27T14:31:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48879676a8c3f481e1ae51ccde6d6e7515753476'/>
<id>48879676a8c3f481e1ae51ccde6d6e7515753476</id>
<content type='text'>
commit 07246c115801c27652700e3679bb58661ef7ed65 upstream.

The bug was triggered when do suspend/resuming continuously
on Dell XPS L322X/0PJHXN version 9333 (2013) with kernel
4.12.0-041200rc4-generic. But can't reproduce on DELL
E5440 + AR9300 PCIE chips.

The warning is caused by accessing invalid pointer sc-&gt;rng_task.
sc-&gt;rng_task is not be cleared after kthread_stop(sc-&gt;rng_task)
be called in ath9k_rng_stop(). Because the kthread is stopped
before ath9k_rng_kthread() be scheduled.

So set sc-&gt;rng_task to null after kthread_stop(sc-&gt;rng_task) to
resolve this issue.

WARNING: CPU: 0 PID: 984 at linux/kernel/kthread.c:71 kthread_stop+0xf1/0x100
CPU: 0 PID: 984 Comm: NetworkManager Not tainted 4.12.0-041200rc4-generic #201706042031
Hardware name: Dell Inc.          Dell System XPS L322X/0PJHXN, BIOS A09 05/15/2013
task: ffff950170fdda00 task.stack: ffffa22c01538000
RIP: 0010:kthread_stop+0xf1/0x100
RSP: 0018:ffffa22c0153b5b0 EFLAGS: 00010246
RAX: ffffffffa6257800 RBX: ffff950171b79560 RCX: 0000000000000000
RDX: 0000000080000000 RSI: 000000007fffffff RDI: ffff9500ac9a9680
RBP: ffffa22c0153b5c8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffa22c0153b648 R11: ffff9501768004b8 R12: ffff9500ac9a9680
R13: ffff950171b79f70 R14: ffff950171b78780 R15: ffff9501749dc018
FS:  00007f0d6bfd5540(0000) GS:ffff95017f200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc190161a08 CR3: 0000000232906000 CR4: 00000000001406f0
Call Trace:
  ath9k_rng_stop+0x1a/0x20 [ath9k]
  ath9k_stop+0x3b/0x1d0 [ath9k]
  drv_stop+0x33/0xf0 [mac80211]
  ieee80211_stop_device+0x43/0x50 [mac80211]
  ieee80211_do_stop+0x4f2/0x810 [mac80211]

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196043
Reported-by: Giulio Genovese &lt;giulio.genovese@gmail.com&gt;
Tested-by: Giulio Genovese &lt;giulio.genovese@gmail.com&gt;
Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 07246c115801c27652700e3679bb58661ef7ed65 upstream.

The bug was triggered when do suspend/resuming continuously
on Dell XPS L322X/0PJHXN version 9333 (2013) with kernel
4.12.0-041200rc4-generic. But can't reproduce on DELL
E5440 + AR9300 PCIE chips.

The warning is caused by accessing invalid pointer sc-&gt;rng_task.
sc-&gt;rng_task is not be cleared after kthread_stop(sc-&gt;rng_task)
be called in ath9k_rng_stop(). Because the kthread is stopped
before ath9k_rng_kthread() be scheduled.

So set sc-&gt;rng_task to null after kthread_stop(sc-&gt;rng_task) to
resolve this issue.

WARNING: CPU: 0 PID: 984 at linux/kernel/kthread.c:71 kthread_stop+0xf1/0x100
CPU: 0 PID: 984 Comm: NetworkManager Not tainted 4.12.0-041200rc4-generic #201706042031
Hardware name: Dell Inc.          Dell System XPS L322X/0PJHXN, BIOS A09 05/15/2013
task: ffff950170fdda00 task.stack: ffffa22c01538000
RIP: 0010:kthread_stop+0xf1/0x100
RSP: 0018:ffffa22c0153b5b0 EFLAGS: 00010246
RAX: ffffffffa6257800 RBX: ffff950171b79560 RCX: 0000000000000000
RDX: 0000000080000000 RSI: 000000007fffffff RDI: ffff9500ac9a9680
RBP: ffffa22c0153b5c8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffa22c0153b648 R11: ffff9501768004b8 R12: ffff9500ac9a9680
R13: ffff950171b79f70 R14: ffff950171b78780 R15: ffff9501749dc018
FS:  00007f0d6bfd5540(0000) GS:ffff95017f200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc190161a08 CR3: 0000000232906000 CR4: 00000000001406f0
Call Trace:
  ath9k_rng_stop+0x1a/0x20 [ath9k]
  ath9k_stop+0x3b/0x1d0 [ath9k]
  drv_stop+0x33/0xf0 [mac80211]
  ieee80211_stop_device+0x43/0x50 [mac80211]
  ieee80211_do_stop+0x4f2/0x810 [mac80211]

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=196043
Reported-by: Giulio Genovese &lt;giulio.genovese@gmail.com&gt;
Tested-by: Giulio Genovese &lt;giulio.genovese@gmail.com&gt;
Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath9k: fix tx99 bus error</title>
<updated>2017-07-27T22:07:55+00:00</updated>
<author>
<name>Miaoqing Pan</name>
<email>miaoqing@codeaurora.org</email>
</author>
<published>2017-06-27T14:31:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=99f96831083bb23dff471ff1b4e16cc8370ecaec'/>
<id>99f96831083bb23dff471ff1b4e16cc8370ecaec</id>
<content type='text'>
commit bde717ab473668377fc65872398a102d40cb2d58 upstream.

The hard coded register 0x9864 and 0x9924 are invalid
for ar9300 chips.

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit bde717ab473668377fc65872398a102d40cb2d58 upstream.

The hard coded register 0x9864 and 0x9924 are invalid
for ar9300 chips.

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath9k: fix tx99 use after free</title>
<updated>2017-07-27T22:07:55+00:00</updated>
<author>
<name>Miaoqing Pan</name>
<email>miaoqing@codeaurora.org</email>
</author>
<published>2017-06-27T14:31:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b729a1aea14d482e8a29186bd4a930282961a43c'/>
<id>b729a1aea14d482e8a29186bd4a930282961a43c</id>
<content type='text'>
commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream.

One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc-&gt;tx99_state to true
after allocating sc-&gt;tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc-&gt;tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc-&gt;tx99_skb, &amp;txctl);
that would make use of the freed sc-&gt;tx99_skb memory.

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream.

One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc-&gt;tx99_state to true
after allocating sc-&gt;tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc-&gt;tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc-&gt;tx99_skb, &amp;txctl);
that would make use of the freed sc-&gt;tx99_skb memory.

Signed-off-by: Miaoqing Pan &lt;miaoqing@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain</title>
<updated>2017-07-21T05:42:19+00:00</updated>
<author>
<name>Peter S. Housel</name>
<email>housel@acm.org</email>
</author>
<published>2017-06-12T10:46:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5f69bb1d18c503a24a576509826f82aabca0a4bd'/>
<id>5f69bb1d18c503a24a576509826f82aabca0a4bd</id>
<content type='text'>
commit 5ea59db8a375216e6c915c5586f556766673b5a7 upstream.

An earlier change to this function (3bdae810721b) fixed a leak in the
case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
glom_skb buffer, used for emulating a scattering read, is never used
or referenced after its contents are copied into the destination
buffers, and therefore always needs to be freed by the end of the
function.

Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
Signed-off-by: Peter S. Housel &lt;housel@acm.org&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5ea59db8a375216e6c915c5586f556766673b5a7 upstream.

An earlier change to this function (3bdae810721b) fixed a leak in the
case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
glom_skb buffer, used for emulating a scattering read, is never used
or referenced after its contents are copied into the destination
buffers, and therefore always needs to be freed by the end of the
function.

Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
Signed-off-by: Peter S. Housel &lt;housel@acm.org&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'</title>
<updated>2017-07-21T05:42:19+00:00</updated>
<author>
<name>Christophe Jaillet</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2017-06-21T05:45:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fd325ddd58843dd518e2cd09994ef4691a1f4b5c'/>
<id>fd325ddd58843dd518e2cd09994ef4691a1f4b5c</id>
<content type='text'>
commit 57c00f2fac512837f8de73474ec1f54020015bae upstream.

If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
handling path to free it in such a case.

Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 57c00f2fac512837f8de73474ec1f54020015bae upstream.

If 'wiphy_new()' fails, we leak 'ops'. Add a new label in the error
handling path to free it in such a case.

Fixes: 5c22fb85102a7 ("brcmfmac: add wowl gtk rekeying offload support")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()</title>
<updated>2017-07-21T05:42:19+00:00</updated>
<author>
<name>Arend van Spriel</name>
<email>arend.vanspriel@broadcom.com</email>
</author>
<published>2017-07-07T20:09:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=414848bba6ab91fe12ca8105b4652c4aa6f4b574'/>
<id>414848bba6ab91fe12ca8105b4652c4aa6f4b574</id>
<content type='text'>
commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame-&gt;data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame-&gt;data, &amp;buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame-&gt;len));

Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" &lt;freenerguo@tencent.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

The lower level nl80211 code in cfg80211 ensures that "len" is between
25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
"len" so thats's max of 2280.  However, the action_frame-&gt;data[] buffer is
only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
overflow.

	memcpy(action_frame-&gt;data, &amp;buf[DOT11_MGMT_HDR_LEN],
	       le16_to_cpu(action_frame-&gt;len));

Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
Reported-by: "freenerguo(郭大兴)" &lt;freenerguo@tencent.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: override CE5 config for QCA9377</title>
<updated>2017-07-12T13:01:06+00:00</updated>
<author>
<name>Bartosz Markowski</name>
<email>bartosz.markowski@tieto.com</email>
</author>
<published>2016-12-15T09:23:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f986d63d788c2c65b734f951be890abaa412a4a1'/>
<id>f986d63d788c2c65b734f951be890abaa412a4a1</id>
<content type='text'>
commit b08b5b53a1ed2bd7a883f8fd29232c8f03604671 upstream.

Similarly to QCA6174, QCA9377 requires the CE5 configuration to be
available for other feature. Use the ath10k_pci_override_ce_config()
for it as well.

This is required for TF2.0 firmware. Previous FW revisions were
working fine without this patch.

Fixes: a70587b3389a ("ath10k: configure copy engine 5 for HTT messages")
Signed-off-by: Bartosz Markowski &lt;bartosz.markowski@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b08b5b53a1ed2bd7a883f8fd29232c8f03604671 upstream.

Similarly to QCA6174, QCA9377 requires the CE5 configuration to be
available for other feature. Use the ath10k_pci_override_ce_config()
for it as well.

This is required for TF2.0 firmware. Previous FW revisions were
working fine without this patch.

Fixes: a70587b3389a ("ath10k: configure copy engine 5 for HTT messages")
Signed-off-by: Bartosz Markowski &lt;bartosz.markowski@tieto.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
