Linux v5.2.11

HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch

@@ -1,142 +0,0 @@
-From mboxrd@z Thu Jan  1 00:00:00 1970
-Return-Path: <SRS0=TvG7=UK=vger.kernel.org=linux-kernel-owner@kernel.org>
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
-	aws-us-west-2-korg-lkml-1.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-8.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
-	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,
-	USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
-Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
-	by smtp.lore.kernel.org (Postfix) with ESMTP id 25464C4321A
-	for <linux-kernel@archiver.kernel.org>; Tue, 11 Jun 2019 12:13:29 +0000 (UTC)
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.kernel.org (Postfix) with ESMTP id 0217A206E0
-	for <linux-kernel@archiver.kernel.org>; Tue, 11 Jun 2019 12:13:29 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S2387819AbfFKMN1 (ORCPT
-        <rfc822;linux-kernel@archiver.kernel.org>);
-        Tue, 11 Jun 2019 08:13:27 -0400
-Received: from mx2.suse.de ([195.135.220.15]:44798 "EHLO mx1.suse.de"
-        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
-        id S2387538AbfFKMN1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
-        Tue, 11 Jun 2019 08:13:27 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
-        by mx1.suse.de (Postfix) with ESMTP id 5E5D7B00C;
-        Tue, 11 Jun 2019 12:13:25 +0000 (UTC)
-From:   Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
-To:     Jiri Kosina <jikos@kernel.org>,
-        Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Cc:     dmitry.torokhov@gmail.com, wbauer@tmo.at,
-        Nicolas Saenz Julienne <nsaenzjulienne@suse.de>,
-        linux-input@vger.kernel.org, linux-kernel@vger.kernel.org
-Subject: [PATCH v2] HID: input: fix a4tech horizontal wheel custom usage
-Date:   Tue, 11 Jun 2019 14:13:20 +0200
-Message-Id: <20190611121320.30267-1-nsaenzjulienne@suse.de>
-X-Mailer: git-send-email 2.21.0
-MIME-Version: 1.0
-Content-Transfer-Encoding: 8bit
-Sender: linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-kernel.vger.kernel.org>
-X-Mailing-List: linux-kernel@vger.kernel.org
-Archived-At: <https://lore.kernel.org/lkml/20190611121320.30267-1-nsaenzjulienne@suse.de/>
-List-Archive: <https://lore.kernel.org/lkml/>
-List-Post: <mailto:linux-kernel@vger.kernel.org>
-
-Some a4tech mice use the 'GenericDesktop.00b8' usage to inform whether
-the previous wheel report was horizontal or vertical. Before
-c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key") this
-usage was being mapped to 'Relative.Misc'. After the patch it's simply
-ignored (usage->type == 0 & usage->code == 0). Which ultimately makes
-hid-a4tech ignore the WHEEL/HWHEEL selection event, as it has no
-usage->type.
-
-We shouldn't rely on a mapping for that usage as it's nonstandard and
-doesn't really map to an input event. So we bypass the mapping and make
-sure the custom event handling properly handles both reports.
-
-Fixes: c01908a14bf73 ("HID: input: add mapping for "Toggle Display" key")
-Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
----
-
-NOTE: I CC'd Wolfgang as he's the one who can test this.
-
-Changes since v1:
-  - new approach, moved fix into hid-a4tech
-
- drivers/hid/hid-a4tech.c | 30 +++++++++++++++++++++++++++---
- 1 file changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/hid/hid-a4tech.c b/drivers/hid/hid-a4tech.c
-index 98bf694626f7..3a8c4a5971f7 100644
---- a/drivers/hid/hid-a4tech.c
-+++ b/drivers/hid/hid-a4tech.c
-@@ -23,12 +23,36 @@
- #define A4_2WHEEL_MOUSE_HACK_7	0x01
- #define A4_2WHEEL_MOUSE_HACK_B8	0x02
- 
-+#define A4_WHEEL_ORIENTATION	(HID_UP_GENDESK | 0x000000b8)
-+
- struct a4tech_sc {
- 	unsigned long quirks;
- 	unsigned int hw_wheel;
- 	__s32 delayed_value;
- };
- 
-+static int a4_input_mapping(struct hid_device *hdev, struct hid_input *hi,
-+			    struct hid_field *field, struct hid_usage *usage,
-+			    unsigned long **bit, int *max)
-+{
-+	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
-+
-+	if (a4->quirks & A4_2WHEEL_MOUSE_HACK_B8 &&
-+	    usage->hid == A4_WHEEL_ORIENTATION) {
-+		/*
-+		 * We do not want to have this usage mapped to anything as it's
-+		 * nonstandard and doesn't really behave like an HID report.
-+		 * It's only selecting the orientation (vertical/horizontal) of
-+		 * the previous mouse wheel report. The input_events will be
-+		 * generated once both reports are recorded in a4_event().
-+		 */
-+		return -1;
-+	}
-+
-+	return 0;
-+
-+}
-+
- static int a4_input_mapped(struct hid_device *hdev, struct hid_input *hi,
- 		struct hid_field *field, struct hid_usage *usage,
- 		unsigned long **bit, int *max)
-@@ -52,8 +76,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
- 	struct a4tech_sc *a4 = hid_get_drvdata(hdev);
- 	struct input_dev *input;
- 
--	if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput ||
--			!usage->type)
-+	if (!(hdev->claimed & HID_CLAIMED_INPUT) || !field->hidinput)
- 		return 0;
- 
- 	input = field->hidinput->input;
-@@ -64,7 +87,7 @@ static int a4_event(struct hid_device *hdev, struct hid_field *field,
- 			return 1;
- 		}
- 
--		if (usage->hid == 0x000100b8) {
-+		if (usage->hid == A4_WHEEL_ORIENTATION) {
- 			input_event(input, EV_REL, value ? REL_HWHEEL :
- 					REL_WHEEL, a4->delayed_value);
- 			input_event(input, EV_REL, value ? REL_HWHEEL_HI_RES :
-@@ -131,6 +154,7 @@ MODULE_DEVICE_TABLE(hid, a4_devices);
- static struct hid_driver a4_driver = {
- 	.name = "a4tech",
- 	.id_table = a4_devices,
-+	.input_mapping = a4_input_mapping,
- 	.input_mapped = a4_input_mapped,
- 	.event = a4_event,
- 	.probe = a4_probe,
--- 
-2.21.0
-
-

fix-a-double-free-bug-in-rsi_91x_deinit.patch

@@ -0,0 +1,121 @@
+From mboxrd@z Thu Jan  1 00:00:00 1970
+Return-Path: <SRS0=+RQC=WP=vger.kernel.org=linux-kernel-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+	aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
+	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
+	HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,
+	SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
+	version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id EBD3AC3A5A0
+	for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+	by mail.kernel.org (Postfix) with ESMTP id BCC05214DA
+	for <linux-kernel@archiver.kernel.org>; Mon, 19 Aug 2019 22:02:45 +0000 (UTC)
+Authentication-Results: mail.kernel.org;
+	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IRgzkkQ0"
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S1728637AbfHSWCp (ORCPT
+        <rfc822;linux-kernel@archiver.kernel.org>);
+        Mon, 19 Aug 2019 18:02:45 -0400
+Received: from mail-io1-f67.google.com ([209.85.166.67]:33900 "EHLO
+        mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+        with ESMTP id S1728494AbfHSWCo (ORCPT
+        <rfc822;linux-kernel@vger.kernel.org>);
+        Mon, 19 Aug 2019 18:02:44 -0400
+Received: by mail-io1-f67.google.com with SMTP id s21so7791675ioa.1;
+        Mon, 19 Aug 2019 15:02:44 -0700 (PDT)
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=gmail.com; s=20161025;
+        h=from:to:cc:subject:date:message-id:mime-version
+         :content-transfer-encoding;
+        bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+        b=IRgzkkQ0QlYiIqgU9DslAGaSx9oz5wU5adcfTZWc60ibm3DHynGVVixJrWxAut0Pae
+         ARzqaY1/pxrAMSpTdcKfCBtRoFPMFS8+WZsScW495O7Pf7bJTCDAo3OOueleEgGs9Osv
+         59921BouToXc5Ovc92CQFjNHP3+/kGBqZvxV+QK34IvNWzoIEU93UHsUIxSn6eVvrsFU
+         g5treQ50nJkKHPa8rwc0Oh9s6WWKODy8zKxExTJhdznLdHOm5T7muHcEccqX8YZQ5L7d
+         ADPOmA+sRvWN3t/z9HxtD4g/Lgj4kzEYFnWJ9k7ClZwbnzn02QUlkT8waxriC/Wpe9nP
+         q53A==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+        d=1e100.net; s=20161025;
+        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
+         :content-transfer-encoding;
+        bh=nkPsYIq5p1Usn95zadxgW7erLbA98guz1UFddB9orFo=;
+        b=oYozfHj6p7SMaYdxmSXvkqz3omwdyg+ftHjVBaHiAqBlnLj6x9531et8jUk50jueoT
+         y2cU/oVuoVQsCwOEu43hu26qlol2JSmB1xXJj0Za8nKZa3h3GF5CKG8/dexHz8TzCJX1
+         vo/TNPdY3AlW7Sn9JLnWCqFK+QgbPhjdBs+6Hbh+5nkCxIG5dVn0FfYbLYATeh/888YB
+         pTCJ8dkbLQiWXEJam6b9NoOpcIzbpcb7rL3A355C/1AGZsCy/NlKmneuw0Va10AnswkK
+         KBYv+EisB1L8oCP9l6r5fp4PUqyMH3TjrBdJddx8EQ9cq8SORiLtmmRuF8e3kdImDEK4
+         6Gcw==
+X-Gm-Message-State: APjAAAXB6U8H/6BuBUmOb6K7bk/qaEOOS1bw9RIpAgXyrExtL8rl/B99
+        17LNTRGgJKvcUB6qlr4ZRbY=
+X-Google-Smtp-Source: APXvYqzjT1oN5/e8keSQCjVxoTzLRGG1vuf4kTYM+hq51sy7QzOV0GLDOYYsYVB78xsRtsZrFijh0Q==
+X-Received: by 2002:a6b:f30b:: with SMTP id m11mr21952710ioh.214.1566252163559;
+        Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+Received: from peng.science.purdue.edu (cos-128-210-107-27.science.purdue.edu. [128.210.107.27])
+        by smtp.googlemail.com with ESMTPSA id z9sm2850133ior.79.2019.08.19.15.02.42
+        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
+        Mon, 19 Aug 2019 15:02:43 -0700 (PDT)
+From:   Hui Peng <benquike@gmail.com>
+To:     security@kernel.org
+Cc:     Hui Peng <benquike@gmail.com>,
+        Mathias Payer <mathias.payer@nebelwelt.net>,
+        Kalle Valo <kvalo@codeaurora.org>,
+        "David S. Miller" <davem@davemloft.net>,
+        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
+        linux-kernel@vger.kernel.org
+Subject: [PATCH] Fix a double free bug in rsi_91x_deinit
+Date:   Mon, 19 Aug 2019 18:02:29 -0400
+Message-Id: <20190819220230.10597-1-benquike@gmail.com>
+X-Mailer: git-send-email 2.22.1
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At: <https://lore.kernel.org/lkml/20190819220230.10597-1-benquike@gmail.com/>
+List-Archive: <https://lore.kernel.org/lkml/>
+List-Post: <mailto:linux-kernel@vger.kernel.org>
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated  and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side,  `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
+index c0a163e40402..ac917227f708 100644
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -640,7 +640,6 @@ static int rsi_init_usb_interface(struct rsi_hw *adapter,
+ 	kfree(rsi_dev->tx_buffer);
+ 
+ fail_eps:
+-	kfree(rsi_dev);
+ 
+ 	return status;
+ }
+-- 
+2.22.1
+
+

for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch

@@ -1,108 +0,0 @@
-From patchwork Wed Jul  3 08:10:49 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Luca Coelho <luca@coelho.fi>
-X-Patchwork-Id: 11029027
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <linux-wireless-owner@kernel.org>
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A4F061398
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed,  3 Jul 2019 08:11:03 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 93D7228807
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed,  3 Jul 2019 08:11:03 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
-	id 82C5C28786; Wed,  3 Jul 2019 08:11:03 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
-	pdx-wl-mail.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
-	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0A56D28786
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed,  3 Jul 2019 08:11:03 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1727179AbfGCILC (ORCPT
-        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
-        Wed, 3 Jul 2019 04:11:02 -0400
-Received: from paleale.coelho.fi ([176.9.41.70]:54844 "EHLO
-        farmhouse.coelho.fi" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
-        with ESMTP id S1727052AbfGCILC (ORCPT
-        <rfc822;linux-wireless@vger.kernel.org>);
-        Wed, 3 Jul 2019 04:11:02 -0400
-Received: from 91-156-6-193.elisa-laajakaista.fi ([91.156.6.193]
- helo=redipa.ger.corp.intel.com)
-        by farmhouse.coelho.fi with esmtpsa
- (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256)
-        (Exim 4.92)
-        (envelope-from <luca@coelho.fi>)
-        id 1hiaLv-0004w3-Ei; Wed, 03 Jul 2019 11:10:55 +0300
-From: Luca Coelho <luca@coelho.fi>
-To: davem@davemloft.net
-Cc: kvalo@codeaurora.org, linux-wireless@vger.kernel.org,
-        emmanuel.grumbach@intel.com, johannes.hirte@datenkhaos.de,
-        steven@uplinklabs.net, Johannes Berg <johannes.berg@intel.com>,
-        Luca Coelho <luciano.coelho@intel.com>
-Subject: [PATCH for v5.2] iwlwifi: mvm: disable TX-AMSDU on older NICs
-Date: Wed,  3 Jul 2019 11:10:49 +0300
-Message-Id: <20190703081049.28831-1-luca@coelho.fi>
-X-Mailer: git-send-email 2.20.1
-MIME-Version: 1.0
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-From: Johannes Berg <johannes.berg@intel.com>
-
-On older NICs, we occasionally see issues with A-MSDU support,
-where the commands in the FIFO get confused and then we see an
-assert EDC because the next command in the FIFO isn't TX.
-
-We've tried to isolate this issue and understand where it comes
-from, but haven't found any errors in building the A-MSDU in
-software.
-
-At least for now, disable A-MSDU support on older hardware so
-that users can use it again without fearing the assert.
-
-This fixes https://bugzilla.kernel.org/show_bug.cgi?id=203315.
-
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
-Acked-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-index fdbabca0280e..3a076e5e319f 100644
---- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
-@@ -468,7 +468,19 @@ int iwl_mvm_mac_setup_register(struct iwl_mvm *mvm)
- 	ieee80211_hw_set(hw, SUPPORTS_VHT_EXT_NSS_BW);
- 	ieee80211_hw_set(hw, BUFF_MMPDU_TXQ);
- 	ieee80211_hw_set(hw, STA_MMPDU_TXQ);
--	ieee80211_hw_set(hw, TX_AMSDU);
-+	/*
-+	 * On older devices, enabling TX A-MSDU occasionally leads to
-+	 * something getting messed up, the command read from the FIFO
-+	 * gets out of sync and isn't a TX command, so that we have an
-+	 * assert EDC.
-+	 *
-+	 * It's not clear where the bug is, but since we didn't used to
-+	 * support A-MSDU until moving the mac80211 iTXQs, just leave it
-+	 * for older devices. We also don't see this issue on any newer
-+	 * devices.
-+	 */
-+	if (mvm->cfg->device_family >= IWL_DEVICE_FAMILY_9000)
-+		ieee80211_hw_set(hw, TX_AMSDU);
- 	ieee80211_hw_set(hw, TX_FRAG_LIST);
- 
- 	if (iwl_mvm_has_tlc_offload(mvm)) {

kernel.spec

@@ -56,7 +56,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 10
+%define stable_update 11
 # Set rpm version accordingly
 %if 0%{?stable_update}
 %define stablerev %{stable_update}
@@ -588,16 +588,16 @@ Patch510: drm-panel-orientation-quirks.patch
 # rhbz 1732045
 Patch511: 0001-dma-direct-correct-the-physical-addr-in-dma_direct_s.patch
 
-# rhbz 1730762
-Patch512: HID-input-fix-a4tech-horizontal-wheel-custom-usage.patch
-
-# These should make stable soon
-Patch513: for-v5.2-iwlwifi-mvm-disable-TX-AMSDU-on-older-NICs.patch
-
 # CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
 # rhbz 1744130 1744137 1744149 1746566 1746567 
 Patch514: mwifiex-Fix-three-heap-overflow-at-parsing-element-in-cfg80211_ap_settings.patch
 
+# CVE-2019-15504 rhbz 1746725 1746726
+Patch515: fix-a-double-free-bug-in-rsi_91x_deinit.patch
+
+# CVE-2019-15505 rhbz 1746732 1746734
+Patch516: technisat-usb2-break-out-of-loop-at-end-of-buffer.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1835,6 +1835,12 @@ fi
 #
 #
 %changelog
+* Thu Aug 29 2019 Justin M. Forbes <jforbes@fedoraproject.org> - 5.2.11-200
+- Linux v5.2.11
+- Fix CVE-2019-15504 (rhbz 1746725 1746726)
+- Fix CVE-2019-15505 (rhbz 1746732 1746734)
+- Fix CVE-2019-15538 (rhbz 1746777 1746779)
+
 * Wed Aug 28 2019 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix mwifiex CVE-2019-14814 CVE-2019-14815 CVE-2019-14816
 - (rhbz 1744130 1744137 1744149 1746566 1746567)

sources

@@ -1,2 +1,2 @@
 SHA512 (linux-5.2.tar.xz) = 5a28f8a34c4e0470617f5638b7112e6252109b78f23b1eed484a228530970c7ef5c130d6e5a09cf25ea2f6a0329602dcc1ec66ce893182e15b27d99bd228789c
-SHA512 (patch-5.2.10.xz) = 1e90d4ed7e3e4ba67b8f2f6369b0038fb6a7c78040a86994ff09ff7cb9635dc621fff500b4f0c28c7f2c6d9136781637339fbc0d3363109d628ff686c2928c53
+SHA512 (patch-5.2.11.xz) = 585c5f2578201f302c8017c2b406bc863418b6ffca90d641c035a56b750aea8b837a8ae5401d1070bf63983861574f1bced4a16f1b5e385f81f0a286f46f52e5

technisat-usb2-break-out-of-loop-at-end-of-buffer.patch

@@ -0,0 +1,68 @@
+From 0c4df39e504bf925ab666132ac3c98d6cbbe380b Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Wed, 3 Jul 2019 10:52:39 -0400
+Subject: media: technisat-usb2: break out of loop at end of buffer
+
+Ensure we do not access the buffer beyond the end if no 0xff byte
+is encountered.
+
+Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+
+diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
+index c659e18..676d233 100644
+--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
++++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
+@@ -608,10 +608,9 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
+ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
+ {
+ 	struct technisat_usb2_state *state = d->priv;
+-	u8 *buf = state->buf;
+-	u8 *b;
+-	int ret;
+ 	struct ir_raw_event ev;
++	u8 *buf = state->buf;
++	int i, ret;
+ 
+ 	buf[0] = GET_IR_DATA_VENDOR_REQUEST;
+ 	buf[1] = 0x08;
+@@ -647,26 +646,25 @@ unlock:
+ 		return 0; /* no key pressed */
+ 
+ 	/* decoding */
+-	b = buf+1;
+ 
+ #if 0
+ 	deb_rc("RC: %d ", ret);
+-	debug_dump(b, ret, deb_rc);
++	debug_dump(buf + 1, ret, deb_rc);
+ #endif
+ 
+ 	ev.pulse = 0;
+-	while (1) {
+-		ev.pulse = !ev.pulse;
+-		ev.duration = (*b * FIRMWARE_CLOCK_DIVISOR * FIRMWARE_CLOCK_TICK) / 1000;
+-		ir_raw_event_store(d->rc_dev, &ev);
+-
+-		b++;
+-		if (*b == 0xff) {
++	for (i = 1; i < ARRAY_SIZE(state->buf); i++) {
++		if (buf[i] == 0xff) {
+ 			ev.pulse = 0;
+ 			ev.duration = 888888*2;
+ 			ir_raw_event_store(d->rc_dev, &ev);
+ 			break;
+ 		}
++
++		ev.pulse = !ev.pulse;
++		ev.duration = (buf[i] * FIRMWARE_CLOCK_DIVISOR *
++			       FIRMWARE_CLOCK_TICK) / 1000;
++		ir_raw_event_store(d->rc_dev, &ev);
+ 	}
+ 
+ 	ir_raw_event_handle(d->rc_dev);
+-- 
+cgit v0.10.2
+