authorThorsten Leemhuis <fedora@leemhuis.info>2020-01-14 06:32:46 +0100
committerThorsten Leemhuis <fedora@leemhuis.info>2020-01-14 06:32:46 +0100
commit665e2baca1c7ce79fa0df343428766ef8eeb57a0 (patch)
tree368230555b1de9bf2e3a33e1e363d75dcccd32e5
parentc3338d4d4c6804b2a984393649704598733f4025 (diff)
parentf6c2f296c32fad46516431f3503c292464b18798 (diff)
merge origin
-rw-r--r--0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch91
-rw-r--r--drm-i915-gt-Detect-if-we-miss-WaIdleLiteRestore.patch129
-rw-r--r--kernel.spec36
-rw-r--r--mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch226
4 files changed, 147 insertions, 335 deletions
diff --git a/0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch b/0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch
deleted file mode 100644
index 911ffe64e..000000000
--- a/0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From a356646a56857c2e5ad875beec734d7145ecd49a Mon Sep 17 00:00:00 2001
-From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
-Date: Mon, 2 Dec 2019 16:25:27 -0500
-Subject: [PATCH] tracing: Do not create directories if lockdown is in affect
-
-If lockdown is disabling tracing on boot up, it prevents the tracing files
-from even bering created. But when that happens, there's several places that
-will give a warning that the files were not created as that is usually a
-sign of a bug.
-
-Add in strategic locations where a check is made to see if tracing is
-disabled by lockdown, and if it is, do not go further, and fail silently
-(but print that tracing is disabled by lockdown, without doing a WARN_ON()).
-
-Cc: Matthew Garrett <mjg59@google.com>
-Fixes: 17911ff38aa5 ("tracing: Add locked_down checks to the open calls of files created for tracefs")
-Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
----
- kernel/trace/ring_buffer.c | 6 ++++++
- kernel/trace/trace.c | 17 +++++++++++++++++
- 2 files changed, 23 insertions(+)
-
-diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
-index 66358d66c933..4bf050fcfe3b 100644
---- a/kernel/trace/ring_buffer.c
-+++ b/kernel/trace/ring_buffer.c
-@@ -11,6 +11,7 @@
- #include <linux/trace_seq.h>
- #include <linux/spinlock.h>
- #include <linux/irq_work.h>
-+#include <linux/security.h>
- #include <linux/uaccess.h>
- #include <linux/hardirq.h>
- #include <linux/kthread.h> /* for self test */
-@@ -5068,6 +5069,11 @@ static __init int test_ringbuffer(void)
- int cpu;
- int ret = 0;
-
-+ if (security_locked_down(LOCKDOWN_TRACEFS)) {
-+ pr_warning("Lockdown is enabled, skipping ring buffer tests\n");
-+ return 0;
-+ }
-+
- pr_info("Running ring buffer tests...\n");
-
- buffer = ring_buffer_alloc(RB_TEST_BUFFER_SIZE, RB_FL_OVERWRITE);
-diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
-index 02a23a6e5e00..23459d53d576 100644
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -1888,6 +1888,12 @@ int __init register_tracer(struct tracer *type)
- return -1;
- }
-
-+ if (security_locked_down(LOCKDOWN_TRACEFS)) {
-+ pr_warning("Can not register tracer %s due to lockdown\n",
-+ type->name);
-+ return -EPERM;
-+ }
-+
- mutex_lock(&trace_types_lock);
-
- tracing_selftest_running = true;
-@@ -8789,6 +8795,11 @@ struct dentry *tracing_init_dentry(void)
- {
- struct trace_array *tr = &global_trace;
-
-+ if (security_locked_down(LOCKDOWN_TRACEFS)) {
-+ pr_warning("Tracing disabled due to lockdown\n");
-+ return ERR_PTR(-EPERM);
-+ }
-+
- /* The top level trace array uses NULL as parent */
- if (tr->dir)
- return NULL;
-@@ -9231,6 +9242,12 @@ __init static int tracer_alloc_buffers(void)
- int ring_buf_size;
- int ret = -ENOMEM;
-
-+
-+ if (security_locked_down(LOCKDOWN_TRACEFS)) {
-+ pr_warning("Tracing disabled due to lockdown\n");
-+ return -EPERM;
-+ }
-+
- /*
- * Make sure we don't accidently add more trace options
- * than we have bits for.
---
-2.24.1
-
diff --git a/drm-i915-gt-Detect-if-we-miss-WaIdleLiteRestore.patch b/drm-i915-gt-Detect-if-we-miss-WaIdleLiteRestore.patch
new file mode 100644
index 000000000..c0251d1b4
--- /dev/null
+++ b/drm-i915-gt-Detect-if-we-miss-WaIdleLiteRestore.patch
@@ -0,0 +1,129 @@
+From 90de578c81e983b3d992ca3e1a7e5910c803abba Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 30 Dec 2019 11:15:30 +0000
+Subject: [PATCH] drm/i915/gt: Detect if we miss WaIdleLiteRestore
+
+In order to avoid confusing the HW, we must never submit an empty ring
+during lite-restore, that is we should always advance the RING_TAIL
+before submitting to stay ahead of the RING_HEAD.
+
+Normally this is prevented by keeping a couple of spare NOPs in the
+request->wa_tail so that on resubmission we can advance the tail. This
+relies on the request only being resubmitted once, which is the normal
+condition as it is seen once for ELSP[1] and then later in ELSP[0]. On
+preemption, the requests are unwound and the tail reset back to the
+normal end point (as we know the request is incomplete and therefore its
+RING_HEAD is even earlier).
+
+However, if this w/a should fail we would try and resubmit the request
+with the RING_TAIL already set to the location of this request's wa_tail
+potentially causing a GPU hang. We can spot when we do try and
+incorrectly resubmit without advancing the RING_TAIL and spare any
+embarrassment by forcing the context restore.
+
+In the case of preempt-to-busy, we leave the requests running on the HW
+while we unwind. As the ring is still live, we cannot rewind our
+rq->tail without forcing a reload so leave it set to rq->wa_tail and
+only force a reload if we resubmit after a lite-restore. (Normally, the
+forced reload will be a part of the preemption event.)
+
+Fixes: 22b7a426bbe1 ("drm/i915/execlists: Preempt-to-busy")
+Closes: https://gitlab.freedesktop.org/drm/intel/issues/673
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20191209023215.3519970-1-chris@chris-wilson.co.uk
+(cherry picked from commit 82c69bf58650e644c61aa2bf5100b63a1070fd2f)
+---
+ drivers/gpu/drm/i915/gt/intel_lrc.c | 42 ++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_lrc.c b/drivers/gpu/drm/i915/gt/intel_lrc.c
+index d564bfcab6a3..49ce15553e7b 100644
+--- a/drivers/gpu/drm/i915/gt/intel_lrc.c
++++ b/drivers/gpu/drm/i915/gt/intel_lrc.c
+@@ -471,12 +471,6 @@ lrc_descriptor(struct intel_context *ce, struct intel_engine_cs *engine)
+ return desc;
+ }
+
+-static void unwind_wa_tail(struct i915_request *rq)
+-{
+- rq->tail = intel_ring_wrap(rq->ring, rq->wa_tail - WA_TAIL_BYTES);
+- assert_ring_tail_valid(rq->ring, rq->tail);
+-}
+-
+ static struct i915_request *
+ __unwind_incomplete_requests(struct intel_engine_cs *engine)
+ {
+@@ -495,7 +489,6 @@ __unwind_incomplete_requests(struct intel_engine_cs *engine)
+ continue; /* XXX */
+
+ __i915_request_unsubmit(rq);
+- unwind_wa_tail(rq);
+
+ /*
+ * Push the request back into the queue for later resubmission.
+@@ -650,13 +643,29 @@ execlists_schedule_out(struct i915_request *rq)
+ i915_request_put(rq);
+ }
+
+-static u64 execlists_update_context(const struct i915_request *rq)
++static u64 execlists_update_context(struct i915_request *rq)
+ {
+ struct intel_context *ce = rq->hw_context;
+- u64 desc;
++ u64 desc = ce->lrc_desc;
++ u32 tail;
+
+- ce->lrc_reg_state[CTX_RING_TAIL + 1] =
+- intel_ring_set_tail(rq->ring, rq->tail);
++ /*
++ * WaIdleLiteRestore:bdw,skl
++ *
++ * We should never submit the context with the same RING_TAIL twice
++ * just in case we submit an empty ring, which confuses the HW.
++ *
++ * We append a couple of NOOPs (gen8_emit_wa_tail) after the end of
++ * the normal request to be able to always advance the RING_TAIL on
++ * subsequent resubmissions (for lite restore). Should that fail us,
++ * and we try and submit the same tail again, force the context
++ * reload.
++ */
++ tail = intel_ring_set_tail(rq->ring, rq->tail);
++ if (unlikely(ce->lrc_reg_state[CTX_RING_TAIL + 1] == tail))
++ desc |= CTX_DESC_FORCE_RESTORE;
++ ce->lrc_reg_state[CTX_RING_TAIL + 1] = tail;
++ rq->tail = rq->wa_tail;
+
+ /*
+ * Make sure the context image is complete before we submit it to HW.
+@@ -675,7 +684,6 @@ static u64 execlists_update_context(const struct i915_request *rq)
+ */
+ mb();
+
+- desc = ce->lrc_desc;
+ ce->lrc_desc &= ~CTX_DESC_FORCE_RESTORE;
+
+ return desc;
+@@ -1150,16 +1158,6 @@ static void execlists_dequeue(struct intel_engine_cs *engine)
+ if (!list_is_last(&last->sched.link,
+ &engine->active.requests))
+ return;
+-
+- /*
+- * WaIdleLiteRestore:bdw,skl
+- * Apply the wa NOOPs to prevent
+- * ring:HEAD == rq:TAIL as we resubmit the
+- * request. See gen8_emit_fini_breadcrumb() for
+- * where we prepare the padding after the
+- * end of the request.
+- */
+- last->tail = last->wa_tail;
+ }
+ }
+
+--
+2.24.1
+
diff --git a/kernel.spec b/kernel.spec
index b3c4c07cc..fe8da6751 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -46,7 +46,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 150
+%global baserelease 102
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -556,6 +556,8 @@ Patch325: arm64-usb-host-xhci-tegra-set-MODULE_FIRMWARE-for-tegra186.patch
# 400 - IBM (ppc/s390x) patches
# 500 - Temp fixes/CVEs etc
+Patch500: PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch
+
# rhbz 1431375
Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
@@ -566,12 +568,10 @@ Patch502: 0001-Drop-that-for-now.patch
# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
Patch503: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
-Patch500: PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch
-
# it seems CONFIG_OPTIMIZE_INLINING has been forced now and is causing issues on ARMv7
# https://lore.kernel.org/patchwork/patch/1132459/
# https://lkml.org/lkml/2019/8/29/1772
-Patch505: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
+Patch504: ARM-fix-__get_user_check-in-case-uaccess_-calls-are-not-inlined.patch
# CVE-2019-19068 rhbz 1774963 1774965
Patch511: rtl8xxxu-prevent-leaking-urb.patch
@@ -586,7 +586,7 @@ Patch513: scsi-bfa-release-allocated-memory-in-case-of-error.patch
Patch514: ipmi-Fix-memory-leak-in-__ipmi_bmc_register.patch
# CVE-2019-19064 rhbz 1775010 1775011
-Patch516: spi-lpspi-fix-memory-leak-in-fsl_lpspi_probe.patch
+Patch515: spi-lpspi-fix-memory-leak-in-fsl_lpspi_probe.patch
# CVE-2019-19053 rhbz 1775956 1775110
Patch521: rpmsg-char-release-allocated-memory.patch
@@ -595,29 +595,26 @@ Patch521: rpmsg-char-release-allocated-memory.patch
Patch522: mwifiex-pcie-fix-memory-leak-in-mwifiex_pcie_alloc_cmdrsp_buf.patch
# CVE-2019-19054 rhbz 1775063 1775117
-Patch524: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
+Patch523: media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
# CVE-2019-14895 rhbz 1774870 1776139
-Patch526: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
+Patch524: mwifiex-fix-possible-heap-overflow-in-mwifiex_process_country_ie.patch
# CVE-2019-14896 rhbz 1774875 1776143
# CVE-2019-14897 rhbz 1774879 1776146
-Patch527: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
-
-# CVE-2019-14901 rhbz 1773519 1776184
-Patch528: mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+Patch525: libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
# CVE-2019-19078 rhbz 1776354 1776353
-Patch529: ath10k-fix-memory-leak.patch
+Patch526: ath10k-fix-memory-leak.patch
# CVE-2019-18808 rhbz 1777418 1777421
-Patch531: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
-
-# rhbz 1781288
-Patch610: 0001-tracing-Do-not-create-directories-if-lockdown-is-in-.patch
+Patch527: 0001-crypto-ccp-Release-all-allocated-memory-if-sha-type-.patch
# rhbz 1788653
-Patch611: tpm-handle-negative-priv--response_len-in-tpm_common_read.patch
+Patch530: tpm-handle-negative-priv--response_len-in-tpm_common_read.patch
+
+# https://gitlab.freedesktop.org/drm/intel/issues/673
+Patch612: drm-i915-gt-Detect-if-we-miss-WaIdleLiteRestore.patch
# END OF PATCH DEFINITIONS
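Review bot: Patch528, the backport for CVE-2019-14901 (heap overflow in mwifiex TDLS action-frame parsing), and Patch610, the tracefs lockdown fix for rhbz 1781288, are dropped from the patch list here and their files deleted, but neither this hunk nor the 5.4.10-102 changelog entry records that the fixes are now carried by the v5.4.11 base, which is presumably the reason for the removal. Because one of the dropped patches fixes a memory-safety bug in a Wi-Fi driver's frame parser, the rationale should be verifiable from the spec history; I would add a changelog line such as `- Drop mwifiex CVE-2019-14901 and tracing lockdown patches, merged upstream in v5.4.11` and confirm the corresponding upstream commits are present in the 5.4.11 tarball before the build. The comment on the new Patch612 cites only the gitlab issue; since the patch header carries the upstream id and a stable Cc, a comment like `# upstream 82c69bf58650 (cc: stable) - drop once it lands in 5.4.y` makes it easy to retire the backport at the next rebase.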
@@ -1338,7 +1335,6 @@ BuildKernel() {
cp Module.markers $RPM_BUILD_ROOT/lib/modules/$KernelVer/build
fi
# then drop all but the needed Makefiles/Kconfig files
- rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/Documentation
rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/scripts
rm -rf $RPM_BUILD_ROOT/lib/modules/$KernelVer/build/include
cp .config $RPM_BUILD_ROOT/lib/modules/$KernelVer/build
@@ -1862,6 +1858,10 @@ fi
#
#
%changelog
+* Mon Jan 13 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.4.10-102
+- Add Documentation back to kernel-devel as it has Kconfig now (rhbz 1789641)
+- Linux v5.4.11
+
* Thu Jan 09 2020 Jeremy Cline <jcline@redhat.com> - 5.4.10-100
- Linux v5.4.10
diff --git a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch b/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
deleted file mode 100644
index bfd39e5a9..000000000
--- a/mwifiex-Fix-heap-overflow-in-mmwifiex_process_tdls_action_frame.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From patchwork Fri Nov 22 09:43:49 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: qize wang <wangqize888888888@gmail.com>
-X-Patchwork-Id: 11257535
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <SRS0=Y0IC=ZO=vger.kernel.org=linux-wireless-owner@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 311581390
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
- by mail.kernel.org (Postfix) with ESMTP id 09A6920708
- for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 22 Nov 2019 09:44:01 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
- dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
- header.b="gFC1GPvm"
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1726802AbfKVJoA (ORCPT
- <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
- Fri, 22 Nov 2019 04:44:00 -0500
-Received: from mail-pj1-f65.google.com ([209.85.216.65]:35154 "EHLO
- mail-pj1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
- with ESMTP id S1726500AbfKVJoA (ORCPT
- <rfc822;linux-wireless@vger.kernel.org>);
- Fri, 22 Nov 2019 04:44:00 -0500
-Received: by mail-pj1-f65.google.com with SMTP id s8so2836990pji.2
- for <linux-wireless@vger.kernel.org>;
- Fri, 22 Nov 2019 01:43:57 -0800 (PST)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=gmail.com; s=20161025;
- h=from:content-transfer-encoding:mime-version:subject:message-id:date
- :cc:to;
- bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
- b=gFC1GPvmciglvQH3QRWVdrtGLMliah1xCIA8nZta7Mis7sATxTwTG/XMZ/G4Zb8efA
- bvc58q+E3uHBiZOOCVFqZrDhJzM1SJVkOtFKPIquJLhmKms1Rd7FLwLFKwbq9DKE28C4
- crZUPOja7RMESC2jajleQdZ9YO/o/LEA+6QmEKIQFZ11R7j/qT/bNTdf08hDTINa7VVq
- r20OL/q5iTBYBqodQaQVOPHH7f8iRs46gS/23GSX8E8Lo920r4wtTUPXXBidt0bay7ID
- L2CF8vLLDGRe4Dohd71wCJgl54yVxF1Fi9qAvQluyVTulAtDVNw8Ol9hFdLa9R7j2M2z
- 9wWw==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=1e100.net; s=20161025;
- h=x-gm-message-state:from:content-transfer-encoding:mime-version
- :subject:message-id:date:cc:to;
- bh=1kENrBK+Si8GTG/z7vluv90p0vaDDTLdLP0ZTBYtdys=;
- b=lGAdjvr9L1WcGIvtpY5RO07jVV2t+CQ7rGsSqHcqyoDarWzcfl+FowtU0U+OV0Uf0k
- Dxs4mJ+rml43X7SrPljpiHzQB1mRWWnTcIKwO9YFH1DbuMxYpTV/AdDtkyLGwQEPCTu2
- U/RIv2CvLNWTGQYXAqUH4wZJ0MAo0w2fWX8QeMCWarAPRgOsyeT9LEZQT6ypWzy9bAKs
- ri4P+HqxmhlvDFb3ij0pl0x7hhOOhDCSdzZEfy8MGL/wmxdbOLM5AV8DevGNLEZHZrJ9
- AHHgRlkUPn5esIeIhTiYu3hox+z4GLrcRZccqcL3O9QM9rKX6SyNF9MjoEIgD5WK7ycl
- Tlvg==
-X-Gm-Message-State: APjAAAVLU8HZian8Pqy8r1Iwnjga8cqc70tKNQWQHXIQ/WEWDgKWDzip
- dkM+yuOUv3M4BD3u8wHsttGE4Sk9BqOSqA==
-X-Google-Smtp-Source:
- APXvYqxWR1wx4sFD+yyfHofiemrR7B+b6xLDxQu9tS4dKDTYtMBUggkRWVG0Y4CUsP1DbHGVYW2rGg==
-X-Received: by 2002:a17:90a:c004:: with SMTP id
- p4mr17937350pjt.104.1574415837353;
- Fri, 22 Nov 2019 01:43:57 -0800 (PST)
-Received: from [127.0.0.1] (187.220.92.34.bc.googleusercontent.com.
- [34.92.220.187])
- by smtp.gmail.com with ESMTPSA id
- 71sm6800121pfx.107.2019.11.22.01.43.52
- (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
- Fri, 22 Nov 2019 01:43:56 -0800 (PST)
-From: qize wang <wangqize888888888@gmail.com>
-Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
-Subject: [PATCH] mwifiex: Fix heap overflow in
- mmwifiex_process_tdls_action_frame()
-Message-Id: <E40E893E-D9B4-4C63-8139-1DD5E1C2CECB@gmail.com>
-Date: Fri, 22 Nov 2019 17:43:49 +0800
-Cc: amitkarwar <amitkarwar@gmail.com>, nishants <nishants@marvell.com>,
- gbhat <gbhat@marvell.com>, huxinming820 <huxinming820@gmail.com>,
- kvalo <kvalo@codeaurora.org>, Greg KH <greg@kroah.com>,
- security <security@kernel.org>,
- linux-distros <linux-distros@vs.openwall.org>,
- "dan.carpenter" <dan.carpenter@oracle.com>,
- Solar Designer <solar@openwall.com>
-To: linux-wireless@vger.kernel.org
-X-Mailer: Apple Mail (2.3445.6.18)
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-mwifiex_process_tdls_action_frame() without checking
-the incoming tdls infomation element's vality before use it,
-this may cause multi heap buffer overflows.
-
-Fix them by putting vality check before use it.
-
-Signed-off-by: qize wang <wangqize888888888@gmail.com>
----
-drivers/net/wireless/marvell/mwifiex/tdls.c | 70 ++++++++++++++++++++++++++---
-1 file changed, 64 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/tdls.c b/drivers/net/wireless/marvell/mwifiex/tdls.c
-index 18e654d..7f60214 100644
---- a/drivers/net/wireless/marvell/mwifiex/tdls.c
-+++ b/drivers/net/wireless/marvell/mwifiex/tdls.c
-@@ -954,59 +954,117 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
-
- switch (*pos) {
- case WLAN_EID_SUPP_RATES:
-+ if (pos[1] > 32)
-+ return;
- sta_ptr->tdls_cap.rates_len = pos[1];
- for (i = 0; i < pos[1]; i++)
- sta_ptr->tdls_cap.rates[i] = pos[i + 2];
- break;
-
- case WLAN_EID_EXT_SUPP_RATES:
-+ if (pos[1] > 32)
-+ return;
- basic = sta_ptr->tdls_cap.rates_len;
-+ if (pos[1] > 32 - basic)
-+ return;
- for (i = 0; i < pos[1]; i++)
- sta_ptr->tdls_cap.rates[basic + i] = pos[i + 2];
- sta_ptr->tdls_cap.rates_len += pos[1];
- break;
- case WLAN_EID_HT_CAPABILITY:
-- memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,
-+ if (pos > end - sizeof(struct ieee80211_ht_cap) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_ht_cap))
-+ return;
-+ /* copy the ie's value into ht_capb*/
-+ memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos + 2,
- sizeof(struct ieee80211_ht_cap));
- sta_ptr->is_11n_enabled = 1;
- break;
- case WLAN_EID_HT_OPERATION:
-- memcpy(&sta_ptr->tdls_cap.ht_oper, pos,
-+ if (pos > end -
-+ sizeof(struct ieee80211_ht_operation) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_ht_operation))
-+ return;
-+ /* copy the ie's value into ht_oper*/
-+ memcpy(&sta_ptr->tdls_cap.ht_oper, pos + 2,
- sizeof(struct ieee80211_ht_operation));
- break;
- case WLAN_EID_BSS_COEX_2040:
-+ if (pos > end - 3)
-+ return;
-+ if (pos[1] != 1)
-+ return;
- sta_ptr->tdls_cap.coex_2040 = pos[2];
- break;
- case WLAN_EID_EXT_CAPABILITY:
-+ if (pos > end - sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] < sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] > 8)
-+ return;
- memcpy((u8 *)&sta_ptr->tdls_cap.extcap, pos,
- sizeof(struct ieee_types_header) +
- min_t(u8, pos[1], 8));
- break;
- case WLAN_EID_RSN:
-+ if (pos > end - sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] < sizeof(struct ieee_types_header))
-+ return;
-+ if (pos[1] > IEEE_MAX_IE_SIZE -
-+ sizeof(struct ieee_types_header))
-+ return;
- memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
- sizeof(struct ieee_types_header) +
- min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
- sizeof(struct ieee_types_header)));
- break;
- case WLAN_EID_QOS_CAPA:
-+ if (pos > end - 3)
-+ return;
-+ if (pos[1] != 1)
-+ return;
- sta_ptr->tdls_cap.qos_info = pos[2];
- break;
- case WLAN_EID_VHT_OPERATION:
-- if (priv->adapter->is_hw_11ac_capable)
-- memcpy(&sta_ptr->tdls_cap.vhtoper, pos,
-+ if (priv->adapter->is_hw_11ac_capable) {
-+ if (pos > end -
-+ sizeof(struct ieee80211_vht_operation) - 2)
-+ return;
-+ if (pos[1] !=
-+ sizeof(struct ieee80211_vht_operation))
-+ return;
-+ /* copy the ie's value into vhtoper*/
-+ memcpy(&sta_ptr->tdls_cap.vhtoper, pos + 2,
- sizeof(struct ieee80211_vht_operation));
-+ }
- break;
- case WLAN_EID_VHT_CAPABILITY:
- if (priv->adapter->is_hw_11ac_capable) {
-- memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos,
-+ if (pos > end -
-+ sizeof(struct ieee80211_vht_cap) - 2)
-+ return;
-+ if (pos[1] != sizeof(struct ieee80211_vht_cap))
-+ return;
-+ /* copy the ie's value into vhtcap*/
-+ memcpy((u8 *)&sta_ptr->tdls_cap.vhtcap, pos + 2,
- sizeof(struct ieee80211_vht_cap));
- sta_ptr->is_11ac_enabled = 1;
- }
- break;
- case WLAN_EID_AID:
-- if (priv->adapter->is_hw_11ac_capable)
-+ if (priv->adapter->is_hw_11ac_capable) {
-+ if (pos > end - 4)
-+ return;
-+ if (pos[1] != 2)
-+ return;
- sta_ptr->tdls_cap.aid =
- get_unaligned_le16((pos + 2));
-+ }
-+ break;
- default:
- break;
- }