Merge 4.4.197 into android-4.4-p

Changes in 4.4.197
	KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
	s390/topology: avoid firing events before kobjs are created
	s390/cio: avoid calling strlen on null pointer
	s390/cio: exclude subchannels with no parent from pseudo check
	KVM: nVMX: handle page fault in vmread fix
	ASoC: Define a set of DAPM pre/post-up events
	powerpc/powernv: Restrict OPAL symbol map to only be readable by root
	can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
	crypto: qat - Silence smp_processor_id() warning
	ieee802154: atusb: fix use-after-free at disconnect
	cfg80211: initialize on-stack chandefs
	ima: always return negative code for error
	fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
	9p: avoid attaching writeback_fid on mmap with type PRIVATE
	xen/pci: reserve MCFG areas earlier
	ceph: fix directories inode i_blkbits initialization
	drm/amdgpu: Check for valid number of registers to read
	thermal: Fix use-after-free when unregistering thermal zone device
	fuse: fix memleak in cuse_channel_open
	kernel/elfcore.c: include proper prototypes
	tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
	perf stat: Fix a segmentation fault when using repeat forever
	crypto: caam - fix concurrency issue in givencrypt descriptor
	cfg80211: add and use strongly typed element iteration macros
	cfg80211: Use const more consistently in for_each_element macros
	nl80211: validate beacon head
	ASoC: sgtl5000: Improve VAG power and mute control
	panic: ensure preemption is disabled during panic()
	USB: rio500: Remove Rio 500 kernel driver
	USB: yurex: Don't retry on unexpected errors
	USB: yurex: fix NULL-derefs on disconnect
	USB: usb-skeleton: fix runtime PM after driver unbind
	USB: usb-skeleton: fix NULL-deref on disconnect
	xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
	xhci: Check all endpoints for LPM timeout
	usb: xhci: wait for CNR controller not ready bit in xhci resume
	xhci: Increase STS_SAVE timeout in xhci_suspend()
	USB: adutux: remove redundant variable minor
	USB: adutux: fix use-after-free on disconnect
	USB: adutux: fix NULL-derefs on disconnect
	USB: adutux: fix use-after-free on release
	USB: iowarrior: fix use-after-free on disconnect
	USB: iowarrior: fix use-after-free on release
	USB: iowarrior: fix use-after-free after driver unbind
	USB: usblp: fix runtime PM after driver unbind
	USB: chaoskey: fix use-after-free on release
	USB: ldusb: fix NULL-derefs on driver unbind
	serial: uartlite: fix exit path null pointer
	USB: serial: keyspan: fix NULL-derefs on open() and write()
	USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
	USB: serial: option: add Telit FN980 compositions
	USB: serial: option: add support for Cinterion CLS8 devices
	USB: serial: fix runtime PM after driver unbind
	USB: usblcd: fix I/O after disconnect
	USB: microtek: fix info-leak at probe
	USB: dummy-hcd: fix power budget for SuperSpeed mode
	usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
	usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
	USB: legousbtower: fix slab info leak at probe
	USB: legousbtower: fix deadlock on disconnect
	USB: legousbtower: fix potential NULL-deref on disconnect
	USB: legousbtower: fix open after failed reset request
	USB: legousbtower: fix use-after-free on release
	staging: vt6655: Fix memory leak in vt6655_probe
	iio: adc: ad799x: fix probe error handling
	iio: light: opt3001: fix mutex unlock race
	perf llvm: Don't access out-of-scope array
	CIFS: Gracefully handle QueryInfo errors during open
	CIFS: Force reval dentry if LOOKUP_REVAL flag is set
	kernel/sysctl.c: do not override max_threads provided by userspace
	arm64: capabilities: Handle sign of the feature bit
	arm64: Rename cpuid_feature field extract routines
	Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
	cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary
	CIFS: Force revalidate inode when dentry is stale
	media: stkwebcam: fix runtime PM after driver unbind
	tracing: Get trace_array reference for available_tracers files
	x86/asm: Fix MWAITX C-state hint value
	xfs: clear sb->s_fs_info on mount failure
	Linux 4.4.197

Change-Id: I0879b08629040431c71dae0d8b5474863d5e0391
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

3 files changed, 40 insertions, 3 deletions

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 66da11734b48..2e910f418a7d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -210,6 +210,36 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
 }
 
+static int validate_beacon_head(const struct nlattr *attr)
+{
+	const u8 *data = nla_data(attr);
+	unsigned int len = nla_len(attr);
+	const struct element *elem;
+	const struct ieee80211_mgmt *mgmt = (void *)data;
+	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
+					 u.beacon.variable);
+
+	if (len < fixedlen)
+		goto err;
+
+	if (ieee80211_hdrlen(mgmt->frame_control) !=
+	    offsetof(struct ieee80211_mgmt, u.beacon))
+		goto err;
+
+	data += fixedlen;
+	len -= fixedlen;
+
+	for_each_element(elem, data, len) {
+		/* nothing */
+	}
+
+	if (for_each_element_completed(elem, data, len))
+		return 0;
+
+err:
+	return -EINVAL;
+}
+
 /* policy for the attributes */
 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
@@ -1934,6 +1964,8 @@ static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
 
 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
 
+	memset(chandef, 0, sizeof(*chandef));
+
 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
 	chandef->center_freq1 = control_freq;
@@ -2402,7 +2434,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
 
 	if (rdev->ops->get_channel) {
 		int ret;
-		struct cfg80211_chan_def chandef;
+		struct cfg80211_chan_def chandef = {};
 
 		ret = rdev_get_channel(rdev, wdev, &chandef);
 		if (ret == 0) {
@@ -3212,6 +3244,11 @@ static int nl80211_parse_beacon(struct nlattr *attrs[],
 	memset(bcn, 0, sizeof(*bcn));
 
 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
+		int ret = validate_beacon_head(attrs[NL80211_ATTR_BEACON_HEAD]);
+
+		if (ret)
+			return ret;
+
 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
 		if (!bcn->head_len)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6a670a373e29..437ec52d5e71 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1604,7 +1604,7 @@ static void reg_call_notifier(struct wiphy *wiphy,
 
 static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
 {
-	struct cfg80211_chan_def chandef;
+	struct cfg80211_chan_def chandef = {};
 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
 	enum nl80211_iftype iftype;
 
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index fd682832a0e3..cd119943612b 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -821,7 +821,7 @@ static int cfg80211_wext_giwfreq(struct net_device *dev,
 {
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
-	struct cfg80211_chan_def chandef;
+	struct cfg80211_chan_def chandef = {};
 	int ret;
 
 	switch (wdev->iftype) {