From c0f2905fa9d60c39ade75bf35f401361d38e3a4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Thu, 19 Dec 2019 08:40:12 +0100
Subject: mac80211: brcm: backport 5.5 and 5.6 kernel patches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This update doesn't include:
3b1e0a7bdfee brcmfmac: add support for SAE authentication offload
be898fed355e brcmfmac: send port authorized event for FT-802.1X
due to nl80211 dependencies.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c3aa33bf705027751b344bc668541e5d08ed9495)
---
 ...x-use-after-free-in-brcmf_sdio_readframes.patch | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch

(limited to 'package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch')

diff --git a/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch b/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch
new file mode 100644
index 0000000000..1b56f6d7ce
--- /dev/null
+++ b/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch
@@ -0,0 +1,31 @@
+From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 3 Dec 2019 12:58:55 +0300
+Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes()
+
+The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
+static checker warning:
+
+    drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
+    error: dereferencing freed memory 'pkt'
+
+It looks like there was supposed to be a continue after we free "pkt".
+
+Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct
+ 					       BRCMF_SDIO_FT_NORMAL)) {
+ 				rd->len = 0;
+ 				brcmu_pkt_buf_free_skb(pkt);
++				continue;
+ 			}
+ 			bus->sdcnt.rx_readahead_cnt++;
+ 			if (rd->len != roundup(rd_new.len, 16)) {
-- 
cgit v1.2.3