Fixup wireless patches

Patches/Linux_CVEs/CVE-2016-0806/prima/0001.patch

@@ -0,0 +1,41 @@
+From 1fac73337080712109029302599945d1ac36c799 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 09:55:27 -0700
+Subject: wlan:Check priviledge permission before processing
+
+for SET_OEM_DATA_REQ IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I651656fe11d4235232b76c972b5460b57e608449
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
+index c796abd..2bbb38f 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_oemdata.c
+@@ -203,6 +203,12 @@ int iw_set_oem_data_req(
+     hdd_adapter_t *pAdapter = (netdev_priv(dev));
+     hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+     {
+        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0002.patch

@@ -0,0 +1,42 @@
+From e9dcd5aa01734b019c793220531e4ef1d82959f8 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:06:03 -0700
+Subject: wlan:Check priviledge permission before processing
+
+for SET_CHAR_GET_NONE IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: Iccf25a9d1f1a7c13d3aaf2fc4bd3aebba740dbb2
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 964ed65..5e03595 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -3864,6 +3864,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
+     hdd_config_t  *pConfig = pHddCtx->cfg_ini;
+ #endif /* WLAN_FEATURE_VOWIFI */
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length);
+     VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer);
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0003.patch

@@ -0,0 +1,42 @@
+From fd13b59e5a75b761f68fe34f09df1dce7a49acc2 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:11:40 -0700
+Subject: wlan:Check priviledge permission before processing
+
+for SET_PACKET_FILTER IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I1edc65ee26c5e3e4260e0f6546434b0137493396
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 5e03595..6a806f4 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -5834,6 +5834,13 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request
+     hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+     tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer;
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId);
+ }
+ #endif
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0004.patch

@@ -0,0 +1,42 @@
+From fbb8f120ee729d47869f0bebe5bc31e83bcf2876 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:28:36 -0700
+Subject: wlan:Check priviledge permission
+
+for SET_VAR_INTS_GETNONE IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: Ia2465433aab6366160a167a62ca03e0ba720bcdb
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 6a806f4..9b41a5e 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -4508,6 +4508,13 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info
+     int cmd = 0;
+     int staId = 0;
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length);
+ 
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0005.patch

@@ -0,0 +1,42 @@
+From 518fd80981eefa9715e0851260b2c7aeb86551d7 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:34:06 -0700
+Subject: wlan:Check priviledge permission
+
+for QCSAP_IOCTL_SETWPSIE
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL,
+making sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I66acff95d6151b32f1cb3c36a164e1de021e1e30
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+index 45c6f78..7598b99 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -2147,6 +2147,13 @@ static int iw_softap_setwpsie(struct net_device *dev,
+    u_int16_t length;   
+    ENTER();
+ 
++   if (!capable(CAP_NET_ADMIN))
++   {
++     VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++	       FL("permission check failed"));
++     return -EPERM;
++   }
++
+    if(!wrqu->data.length)
+       return 0;
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0006.patch

@@ -0,0 +1,44 @@
+From 86fd66a451b2549f990b71013220e0a3f46b5a00 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:41:41 -0700
+Subject: wlan:Check priviledge permission
+
+for QCSAP_IOCTL_DISASSOC_STA
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
+making sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I7928789c0ce94a2b81495064496766b9e62d6ed8
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+index 7598b99..005c193 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -1338,7 +1338,14 @@ static iw_softap_disassoc_sta(struct net_device *dev,
+ {
+     hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev));
+     v_U8_t *peerMacAddr;    
+-    
++   
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     ENTER();
+     /* iwpriv tool or framework calls this ioctl with
+      * data passed in extra (less than 16 octets);
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0007.patch

@@ -0,0 +1,42 @@
+From 4a75c965d2505ca2490a365a27309cc9dd68b2d1 Mon Sep 17 00:00:00 2001
+From: Hanumantha Reddy Pothula <c_hpothu@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 10:54:37 -0700
+Subject: wlan:Check priviledge permission
+
+for SET_THREE_INT_GET_NONE
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
+making sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I8661872786adfb5492da505ba3960e62064ddd7e
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 9b41a5e..1288bd0 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -4049,6 +4049,13 @@ int iw_set_three_ints_getnone(struct net_device *dev, struct iw_request_info *in
+     int sub_cmd = value[0];
+     int ret = 0;
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+     {
+         VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0008.patch

@@ -0,0 +1,42 @@
+From ede034fd604a9cdb20eb7accdaec4a8e70ffac41 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 16:55:17 -0700
+Subject: wlan:Check priviledge permission
+
+for SET_BAND_CONFIG IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I34e9d91f778b09eb73881aed5c6e3a10cbbd208c
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 1288bd0..7add243 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -6499,6 +6499,13 @@ static int iw_set_band_config(struct net_device *dev,
+     tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer;
+     int ret = 0;
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__);
+ 
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0009.patch

@@ -0,0 +1,42 @@
+From aaf7476fa7fdc8d1865f20217c7c57ce561e03f7 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 17:00:41 -0700
+Subject: wlan:Check priviledge permission
+
+for SET_POWER_PARAMS IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: Iaab3d55c2acc75f65d6daf5998713cc9ff92a32c
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 7add243..85d881a 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -6529,6 +6529,13 @@ static int iw_set_power_params_priv(struct net_device *dev,
+                            struct iw_request_info *info,
+                            union iwreq_data *wrqu, char *extra)
+ {
++  if (!capable(CAP_NET_ADMIN))
++  {
++    VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++	      FL("permission check failed"));
++    return -EPERM;
++  }
++
+   VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
+                 "Set power params Private");
+   return iw_set_power_params(dev,info,wrqu,extra,0);
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0010.patch

@@ -0,0 +1,42 @@
+From 973503f0d411e13e01fa10c5ea802dcb8a12cf85 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma <mukul@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 17:03:19 -0700
+Subject: wlan:Check priviledge permission
+
+for CLEAR_MCBC_FILTER IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
+sure user task has right permission to process the command.
+
+Bug: 27104184
+Change-Id: I2332845fa6793dc63b6f397a9ebf53d37a52a7c7
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 85d881a..558fc1b 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -5306,6 +5306,13 @@ static int iw_clear_dynamic_mcbc_filter(struct net_device *dev,
+     tpSirWlanSetRxpFilters wlanRxpFilterParam;
+     hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "%s: ", __func__);
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++		FL("permission check failed"));
++      return -EPERM;
++    }
++
+     //Reset the filter to INI value as we have to clear the dynamic filter
+     pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0011.patch

@@ -0,0 +1,117 @@
+From 34953f9f66d9cd36616c5271a7d285b31d9142c2 Mon Sep 17 00:00:00 2001
+From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
+Date: Thu, 17 Mar 2016 17:15:02 -0700
+Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
+
+prima to qcacld-2.0 propagation
+
+Return failure to applications if genie ioctl is invoked to configure
+WPS/WPA/RSN IEs with arguments of improper length.
+
+Bug: 27104184
+Change-Id: I31e288db41e14b24be0e430afed3a5e360da1370
+Signed-off-by: Yuan Lin <yualin@google.com>
+---
+ drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c | 39 +++++++++++++++++-----
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+index 558fc1b..095aa9d 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_wext.c
+@@ -1531,9 +1531,10 @@ static int iw_set_genie(struct net_device *dev,
+         char *extra)
+ {
+    hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+-    hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+-    u_int8_t *genie;
+-    v_U16_t remLen;
++   hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
++   u_int8_t *genie;
++   v_U16_t remLen;
++   int ret = 0;
+ 
+    ENTER();
+    if(!wrqu->data.length) {
+@@ -1570,7 +1571,10 @@ static int iw_set_genie(struct net_device *dev,
+          {
+             case IE_EID_VENDOR:
+                 if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
+-                return -EINVAL;
++		  {
++		    ret = -EINVAL;
++		    goto exit;
++		  }
+ 
+                 if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
+                 {
+@@ -1583,7 +1587,8 @@ static int iw_set_genie(struct net_device *dev,
+                        hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+                                                       "Need bigger buffer space\n");
+                        VOS_ASSERT(0);
+-                       return -ENOMEM;
++		       ret = -EINVAL;
++		       goto exit;
+                     }
+                     // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+                     memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -1592,6 +1597,14 @@ static int iw_set_genie(struct net_device *dev,
+                 else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
+                 {
+                     hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
++                    if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++		      {
++			hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++			       "Need bigger buffer space");
++			ret = -EINVAL;
++			VOS_ASSERT(0);
++			goto exit;
++		      }
+                     memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+                     memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+                     pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
+@@ -1608,7 +1621,8 @@ static int iw_set_genie(struct net_device *dev,
+                        hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+                                                       "Need bigger buffer space\n");
+                        VOS_ASSERT(0);
+-                       return -ENOMEM;
++                       ret = -ENOMEM;
++                       goto exit;
+                     }
+                     // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+                     memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -1617,6 +1631,14 @@ static int iw_set_genie(struct net_device *dev,
+               break;
+          case DOT11F_EID_RSN:
+                 hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
++                if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++		  {
++                    hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++			   "Need bigger buffer space");
++                    ret = -EINVAL;
++                    VOS_ASSERT(0);
++                    goto exit;
++		  }
+                 memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+                 memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+                 pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
+@@ -1625,13 +1647,14 @@ static int iw_set_genie(struct net_device *dev,
+ 
+          default:
+                 hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
+-            return 0;
++		goto exit;
+     }
+         genie += eLen;
+         remLen -= eLen;
+     }
++ exit:
+     EXIT();
+-    return 0;
++    return ret;
+ }
+ 
+ static int iw_get_genie(struct net_device *dev,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/prima/0012.patch

@@ -0,0 +1,189 @@
+From 72d3908cc1bcb075015f1b86001f4292ac41d38a Mon Sep 17 00:00:00 2001
+From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
+Date: Wed, 13 Apr 2016 09:19:31 -0700
+Subject: qcacld 2.0: Validate ioctls for valid input length prima to
+ qcacld-2.0 propagation
+
+Return failure to applications if ioctl is invoked with arguments
+of improper length.
+
+Bug: 27104184
+Change-Id: I4459c5f39ca9c7a852772913578bd2122cb73879
+---
+ .../staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c  | 60 ++++++++++++++++++----
+ 1 file changed, 49 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+index 005c193..9441a2a 100644
+--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -2151,7 +2151,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+    u_int8_t *pos;
+    tpSap_WPSIE pSap_WPSIe;
+    u_int8_t WPSIeType;
+-   u_int16_t length;   
++   u_int16_t length;  
++   int ret = 0;
+    ENTER();
+ 
+    if (!capable(CAP_NET_ADMIN))
+@@ -2183,8 +2184,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+          case DOT11F_EID_WPA: 
+             if (wps_genie[1] < 2 + 4)
+             {
+-               vos_mem_free(pSap_WPSIe); 
+-               return -EINVAL;
++	       ret = -EINVAL;
++	       goto exit;
+             }
+             else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) 
+             {
+@@ -2242,6 +2243,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2; 
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; 
+                       pos += length;
+@@ -2256,8 +2262,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                    
+                    default:
+                       hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1)));
+-                      vos_mem_free(pSap_WPSIe);
+-                      return -EINVAL; 
++		      ret = -EINVAL;
++		      goto exit;
+                 }
+               }  
+             }
+@@ -2269,8 +2275,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                  
+          default:
+             hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
+-            vos_mem_free(pSap_WPSIe);
+-            return 0;
++	    ret = -EINVAL;
++	    goto exit;
+       }
+     } 
+     else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
+@@ -2282,8 +2288,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+          case DOT11F_EID_WPA: 
+             if (wps_genie[1] < 2 + 4)
+             {
+-               vos_mem_free(pSap_WPSIe); 
+-               return -EINVAL;
++	       ret = -EINVAL;
++	       goto exit;
+             }
+             else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) 
+             {
+@@ -2347,6 +2353,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2; 
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
+                       pos += length;
+@@ -2356,6 +2367,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length >  (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
+@@ -2366,6 +2382,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
+@@ -2375,6 +2396,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
+@@ -2384,6 +2410,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
+@@ -2394,7 +2425,6 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1));
+                       hddLog(LOG1, "primary dev category: %d\n", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory);  
+                       pos += 2;
+-                      
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN);
+                       hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x\n", pos[0], pos[1], pos[2], pos[3]);
+                       pos += 4;
+@@ -2407,6 +2437,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++		      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
++		      {
++			ret = -EINVAL;
++			goto exit;
++		      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
+                       pos += length;
+@@ -2438,6 +2473,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+       } // switch
+     }
+     halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
++    if (halStatus != eHAL_STATUS_SUCCESS)
++      ret = -EINVAL;
+     pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
+     if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
+     {
+@@ -2446,9 +2483,10 @@ static int iw_softap_setwpsie(struct net_device *dev,
+         WLANSAP_Update_WpsIe ( pVosContext );
+     }
+  
++ exit:
+     vos_mem_free(pSap_WPSIe);   
+     EXIT();
+-    return halStatus;
++    return ret;
+ }
+ 
+ static int iw_softap_stopbss(struct net_device *dev,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0013.patch

@@ -0,0 +1,120 @@
+From 055561f40f2baa5cdd74f952be55b61a3907279a Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 16:56:58 -0700
+Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
+
+prima to qcacld-2.0 propagation
+
+Return failure to applications if genie ioctl is invoked to configure
+WPS/WPA/RSN IEs with arguments of improper length.
+
+CRs-Fixed: 931451
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ .../qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c        | 37 ++++++++++++++++------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 38a13fa..93136df 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -2270,11 +2270,12 @@ static int iw_set_genie(struct net_device *dev,
+         union iwreq_data *wrqu,
+         char *extra)
+ {
+-   hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
++    hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+     hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+     u_int8_t *genie = NULL;
+     u_int8_t *base_genie = NULL;
+     v_U16_t remLen;
++    int ret = 0;
+ 
+    ENTER();
+ 
+@@ -2324,8 +2325,8 @@ static int iw_set_genie(struct net_device *dev,
+             case IE_EID_VENDOR:
+                 if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
+                 {
+-                    kfree(base_genie);
+-                    return -EINVAL;
++                    ret = -EINVAL;
++                    goto exit;
+                 }
+ 
+                 if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
+@@ -2339,8 +2340,8 @@ static int iw_set_genie(struct net_device *dev,
+                        hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+                                                       "Need bigger buffer space");
+                        VOS_ASSERT(0);
+-                       kfree(base_genie);
+-                       return -ENOMEM;
++                       ret = -EINVAL;
++                       goto exit;
+                     }
+                     // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+                     memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -2349,6 +2350,14 @@ static int iw_set_genie(struct net_device *dev,
+                 else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
+                 {
+                     hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
++                    if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++                    {
++                       hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++                                                      "Need bigger buffer space");
++                       ret = -EINVAL;
++                       VOS_ASSERT(0);
++                       goto exit;
++                    }
+                     memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+                     memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+                     pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
+@@ -2365,8 +2374,8 @@ static int iw_set_genie(struct net_device *dev,
+                        hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+                                                       "Need bigger buffer space");
+                        VOS_ASSERT(0);
+-                       kfree(base_genie);
+-                       return -ENOMEM;
++                       ret = -ENOMEM;
++                       goto exit;
+                     }
+                     // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+                     memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -2375,6 +2384,14 @@ static int iw_set_genie(struct net_device *dev,
+               break;
+          case DOT11F_EID_RSN:
+                 hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
++                if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++                {
++                    hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++                                                  "Need bigger buffer space");
++                    ret = -EINVAL;
++                    VOS_ASSERT(0);
++                    goto exit;
++                }
+                 memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+                 memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+                 pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
+@@ -2383,15 +2400,15 @@ static int iw_set_genie(struct net_device *dev,
+ 
+          default:
+                 hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
+-            kfree(base_genie);
+-            return 0;
++                goto exit;
+     }
+         genie += eLen;
+         remLen -= eLen;
+     }
++exit:
+     EXIT();
+     kfree(base_genie);
+-    return 0;
++    return ret;
+ }
+ 
+ static int iw_get_genie(struct net_device *dev,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0014.patch

@@ -0,0 +1,36 @@
+From f31e58289c8ebded58ffe1d4709e2f878765b0a6 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 17:38:59 -0700
+Subject: qcacld 2.0: Address buffer overflow due to invalid length
+
+prima to qcacld-2.0 propagation
+
+Check for valid length before copying the packet filter data from
+userspace buffer to kernel space buffer to avoid buffer overflow
+issue.
+
+CRs-Fixed: 930533
+Git-commit: a079d716b5481223f0166c644e9ec7c75a31b02c
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 93136df..0b1ee24 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -8376,6 +8376,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest,
+ 
+                 hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
+                         pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
++                if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
++                           (pRequest->paramsData[i].dataLength))
++                    return -EINVAL;
+ 
+                 memcpy(&packetFilterSetReq.paramsData[i].compareData,
+                         pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0015.patch

@@ -0,0 +1,188 @@
+From 255dd931573beb3afca15909f483f26db22a5c98 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 20:58:02 -0700
+Subject: qcacld 2.0: Validate ioctls for valid input length
+
+prima to qcacld-2.0 propagation
+
+Return failure to applications if ioctl is invoked with arguments
+of improper length.
+
+CRs-Fixed: 930542
+Git-commit: 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ .../qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c     | 62 +++++++++++++++++-----
+ 1 file changed, 48 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+index 1f56db2..51ee547 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -3880,6 +3880,7 @@ static int iw_softap_setwpsie(struct net_device *dev,
+    u_int8_t WPSIeType;
+    u_int16_t length;
+    struct iw_point s_priv_data;
++   int ret = 0;
+ 
+    ENTER();
+ 
+@@ -3925,9 +3926,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+          case DOT11F_EID_WPA:
+             if (wps_genie[1] < 2 + 4)
+             {
+-               vos_mem_free(pSap_WPSIe);
+-               kfree(fwps_genie);
+-               return -EINVAL;
++                ret = -EINVAL;
++                goto exit;
+             }
+             else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
+             {
+@@ -3985,6 +3985,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
+                       pos += length;
+@@ -3999,9 +4004,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+ 
+                    default:
+                       hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
+-                      vos_mem_free(pSap_WPSIe);
+-                      kfree(fwps_genie);
+-                      return -EINVAL;
++                      ret = -EINVAL;
++                      goto exit;
+                 }
+               }
+             }
+@@ -4013,9 +4017,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+ 
+          default:
+             hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
+-            vos_mem_free(pSap_WPSIe);
+-            kfree(fwps_genie);
+-            return 0;
++            ret = -EINVAL;
++            goto exit;
+       }
+     }
+     else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
+@@ -4027,9 +4030,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+          case DOT11F_EID_WPA:
+             if (wps_genie[1] < 2 + 4)
+             {
+-               vos_mem_free(pSap_WPSIe);
+-               kfree(fwps_genie);
+-               return -EINVAL;
++                ret = -EINVAL;
++                goto exit;
+             }
+             else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
+             {
+@@ -4093,6 +4095,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
+                       pos += length;
+@@ -4102,6 +4109,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length >  (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
+@@ -4112,6 +4124,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
+@@ -4121,6 +4138,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
+@@ -4130,6 +4152,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
+@@ -4153,6 +4180,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+                       pos += 2;
+                       length = *pos<<8 | *(pos+1);
+                       pos += 2;
++                      if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
++                      {
++                          ret = -EINVAL;
++                          goto exit;
++                      }
+                       pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
+                       vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
+                       pos += length;
+@@ -4189,6 +4221,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
+ #else
+     halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
+ #endif
++    if (halStatus != eHAL_STATUS_SUCCESS)
++        ret = -EINVAL;
+     pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
+     if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
+     {
+@@ -4200,11 +4234,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
+         WLANSAP_Update_WpsIe ( pVosContext );
+ #endif
+     }
+-
++exit:
+     vos_mem_free(pSap_WPSIe);
+     kfree(fwps_genie);
+     EXIT();
+-    return halStatus;
++    return ret;
+ }
+ 
+ static int iw_softap_stopbss(struct net_device *dev,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0016.patch

@@ -0,0 +1,41 @@
+From d4b451bd06ad53ed785cbda4272c54788b1537d4 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 20:59:45 -0700
+Subject: wlan:Check priviledge permission before processing SET_OEM_DATA_REQ
+ IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930549
+Git-commit: 6feb2faf80a05940618aa2eef2b62e4e2e54f148
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
+index dbec0fc..26d0b5f 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_oemdata.c
+@@ -189,6 +189,12 @@ int iw_set_oem_data_req(
+     hdd_adapter_t *pAdapter = (netdev_priv(dev));
+     hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+     {
+        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0017.patch

@@ -0,0 +1,41 @@
+From 2882941530cbf804e280f235f7f8d76179a423fe Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:03:01 -0700
+Subject: wlan:Check priviledge permission before processing  SET_CHAR_GET_NONE
+ IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930935
+Git-commit: 0e53a89bfe0dbb50e0dde9a6960d274386247cd9
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 0b1ee24..88d75c1 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -6200,6 +6200,12 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
+         return -EBUSY;
+     }
+ 
++    if (!capable(CAP_NET_ADMIN)){
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     /* helper function to get iwreq_data with compat handling. */
+     if (hdd_priv_get_data(&s_priv_data, wrqu)) {
+        return -EINVAL;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0018.patch

@@ -0,0 +1,41 @@
+From 825827ab2aa271f23f48aa683046a3aa3f7fe90e Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:04:10 -0700
+Subject: wlan:Check priviledge permission before processing SET_PACKET_FILTER
+ IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930937
+Git-commit: 88ce639e7a0bba852f193b6f53b7ca1926a09b02
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 88d75c1..09d7288 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -8720,6 +8720,12 @@ static int iw_set_packet_filter_params(struct net_device *dev,
+     int ret;
+     struct iw_point s_priv_data;
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     if (hdd_priv_get_data(&s_priv_data, wrqu)) {
+        return -EINVAL;
+     }
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0019.patch

@@ -0,0 +1,40 @@
+From 27d3007a7635ccca7ae9bfb98c89724652dcbc3b Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:05:26 -0700
+Subject: wlan:Check priviledge permission for QCSAP_IOCTL_SETWPSIE
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930944
+Git-commit: 2905578424256be07e6b9d8c63bb83d40cc52a71
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+index 51ee547..77b4124 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -3884,6 +3884,12 @@ static int iw_softap_setwpsie(struct net_device *dev,
+ 
+    ENTER();
+ 
++   if (!capable(CAP_NET_ADMIN)) {
++       VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                FL("permission check failed"));
++       return -EPERM;
++   }
++
+    /* helper function to get iwreq_data with compat handling. */
+    if (hdd_priv_get_data(&s_priv_data, wrqu)) {
+       return -EINVAL;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0020.patch

@@ -0,0 +1,41 @@
+From 89c3372735486a2f7f6b35298fcf246e7e177ac0 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:06:39 -0700
+Subject: wlan:Check priviledge permission for QCSAP_IOCTL_DISASSOC_STA
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930946
+Git-commit: be62ecde85228b91c66fb047e27d25132f56bd0d
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+index 77b4124..b95a853 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -3243,6 +3243,13 @@ static iw_softap_disassoc_sta(struct net_device *dev,
+     struct tagCsrDelStaParams delStaParams;
+ 
+     ENTER();
++
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                 FL("permission check failed"));
++        return -EPERM;
++    }
++
+     /* iwpriv tool or framework calls this ioctl with
+      * data passed in extra (less than 16 octets);
+      */
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0021.patch

@@ -0,0 +1,40 @@
+From e2addf5aa2c7dfc537c2b80d8cc1cb5640346535 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:07:47 -0700
+Subject: wlan:Check priviledge permission for SET_BAND_CONFIG IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930952
+Git-commit: 6642bccf3ed8cba176dee7d4bbc21fc4580efb7b
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 09d7288..1cbdf32 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -9417,6 +9417,12 @@ static int iw_set_band_config(struct net_device *dev,
+         return -EBUSY;
+     }
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     return hdd_setBand(dev, value[0]);
+ }
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0022.patch

@@ -0,0 +1,40 @@
+From e474427496ccb784878e10978f25b6e85de68850 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:10:14 -0700
+Subject: wlan:Check priviledge permission for SET_POWER_PARAMS IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930953
+Git-commit: 6665a9697b404acf4d2e7d52d9c2b19512c9b239
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 1cbdf32..841ed4c 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -9434,6 +9434,12 @@ static int iw_set_power_params_priv(struct net_device *dev,
+   char *ptr;
+   VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
+                 "Set power params Private");
++
++  if (!capable(CAP_NET_ADMIN)) {
++      VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                 FL("permission check failed"));
++      return -EPERM;
++  }
+   /* ODD number is used for set, copy data using copy_from_user */
+   ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer,
+                                         wrqu->data.length);
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0023.patch

@@ -0,0 +1,40 @@
+From 967f88782e93809cfb27a60b82a3a069d2a52fc4 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:12:55 -0700
+Subject: wlan:Check priviledge permission for CLEAR_MCBC_FILTER IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930954
+Git-commit: 9eeafd788f53cc37c169b299f91ca9c558b228f9
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 841ed4c..fc8c917 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -8143,6 +8143,12 @@ static int iw_clear_dynamic_mcbc_filter(struct net_device *dev,
+     tpSirWlanSetRxpFilters wlanRxpFilterParam;
+     hddLog(VOS_TRACE_LEVEL_INFO_HIGH, "%s: ", __func__);
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                 FL("permission check failed"));
++        return -EPERM;
++    }
++
+     //Reset the filter to INI value as we have to clear the dynamic filter
+     pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
+ 
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0024.patch

@@ -0,0 +1,40 @@
+From 2f7ecc8b88843b3b53bd7d2328f0d53f3794f456 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:17:28 -0700
+Subject: wlan:Check priviledge permission for SET_THREE_INT_GET_NONE
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930948
+Git-commit: aaeeed43f9597631982835481c7cf2621f6455f0
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index fc8c917..51b52f3 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -6846,6 +6846,12 @@ int iw_set_three_ints_getnone(struct net_device *dev,
+         return -EBUSY;
+     }
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     switch(sub_cmd) {
+ 
+     case WE_SET_WLAN_DBG:
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0025.patch

@@ -0,0 +1,39 @@
+From 9fd4483e08349eb1570c42da8acbac33e70a6e02 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:23:09 -0700
+Subject: wlan:Check priviledge permission for SET_VAR_INTS_GETNONE IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
+sure user task has right permission to process the command.
+
+CRs-Fixed: 930942
+Git-commit: 0858d21caf17d56f8d2353590c1ec245073222e0
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 51b52f3..ba9d0ff 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -7520,6 +7520,11 @@ static int __iw_set_var_ints_getnone(struct net_device *dev,
+     int staId = 0;
+     struct iw_point s_priv_data;
+ 
++    if (!capable(CAP_NET_ADMIN)) {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                FL("permission check failed"));
++        return -EPERM;
++    }
+     /* helper function to get iwreq_data with compat handling. */
+     if (hdd_priv_get_data(&s_priv_data, wrqu)) {
+        return -EINVAL;
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0026.patch

@@ -0,0 +1,44 @@
+From fb3616763bd5909e86cddd19f3569a26b4f93f49 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:25:21 -0700
+Subject: wlan: ensure permission for WLAN_FTM_PRIV_SET_CHAR_GET_NONE
+
+prima to qcacld-2.0 propagation.
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation. Hence,
+in driver, before processing WLAN_FTM_PRIV_SET_CHAR_GET_NONE,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930837
+Git-commit: c4928591bbcd131f10f6ea337a4bd6ee3e141c2a
+Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index ba9d0ff..31205f3 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -6193,6 +6193,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in
+ #endif /* WLAN_FEATURE_VOWIFI */
+     struct iw_point s_priv_data;
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+     {
+         VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0027.patch

@@ -0,0 +1,44 @@
+From ca7c085fb70861a55d9d3a46de012a3e0998ca61 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Wed, 28 Oct 2015 21:27:11 -0700
+Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE
+
+prima to qcacld-2.0 propagation.
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930555
+Git-commit: bcb1abfd803c6bb98bad35228d7c4f85b754836d
+Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+index 31205f3..1b8346d0 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
+@@ -3336,6 +3336,13 @@ static int iw_softap_set_channel_range( struct net_device *dev,
+     tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pHostapdAdapter);
+     hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pHostapdAdapter);
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     status = WLANSAP_SetChannelRange(hHal, startChannel, endChannel, band);
+ 
+     if (VOS_STATUS_SUCCESS != status)
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2016-0806/qcacld-2.0/0028.patch

@@ -0,0 +1,44 @@
+From f66afdc6840e7647a965487194873826de57e655 Mon Sep 17 00:00:00 2001
+From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+Date: Sun, 1 Nov 2015 23:04:42 -0800
+Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE
+
+prima to qcacld-2.0 propagation.
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL,
+making sure user task has right permission to process the command.
+
+CRs-Fixed: 930555
+Git-commit: bcb1abfd803c6bb98bad35228d7c4f85b754836d
+Git-repo: https://www.codeaurora.org/cgit/quic/la/platform/vendor/qcom-opensource/wlan/prima/
+Bug: 25344453
+Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
+---
+ drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+index b95a853..e534763 100644
+--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -3339,6 +3339,13 @@ static int iw_softap_set_channel_range(struct net_device *dev,
+     VOS_STATUS status;
+     int ret = 0; /* success */
+ 
++    if (!capable(CAP_NET_ADMIN))
++    {
++        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++                  FL("permission check failed"));
++        return -EPERM;
++    }
++
+     status = WLANSAP_SetChannelRange(hHal,startChannel,endChannel,band);
+     if(status != VOS_STATUS_SUCCESS)
+     {
+-- 
+cgit v1.1
+

Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch

@@ -1,68 +0,0 @@
-From 7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d Mon Sep 17 00:00:00 2001
-From: Sathish Ambley <sathishambley@codeaurora.org>
-Date: Tue, 13 Dec 2016 15:27:30 -0800
-Subject: msm: ADSPRPC: Buffer length to be copied is truncated
-
-The buffer length that is being used to allocate gets truncated
-due to it being assigned to wrong type causing a much smaller
-buffer to be allocated than what is required for copying.
-
-Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
-Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
----
- drivers/char/adsprpc.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
-index f505d09..1224843 100644
---- a/drivers/char/adsprpc.c
-+++ b/drivers/char/adsprpc.c
-@@ -787,9 +787,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- 	void *args;
- 	remote_arg_t *pra = ctx->pra;
- 	remote_arg_t *rpra = ctx->rpra;
--	ssize_t rlen, used, size;
-+	ssize_t rlen, used, size, copylen = 0;
- 	uint32_t sc = ctx->sc, start;
--	int i, inh, bufs = 0, err = 0, oix, copylen = 0;
-+	int i, inh, bufs = 0, err = 0, oix;
- 	int inbufs = REMOTE_SCALARS_INBUFS(sc);
- 	int outbufs = REMOTE_SCALARS_OUTBUFS(sc);
- 	int cid = ctx->fdata->cid;
-@@ -838,13 +838,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- 	/* calculate len requreed for copying */
- 	for (oix = 0; oix < inbufs + outbufs; ++oix) {
- 		int i = ctx->overps[oix]->raix;
-+		uintptr_t mstart, mend;
-+
- 		if (!pra[i].buf.len)
- 			continue;
- 		if (list[i].num)
- 			continue;
- 		if (ctx->overps[oix]->offset == 0)
- 			copylen = ALIGN(copylen, BALIGN);
--		copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
-+		mstart = ctx->overps[oix]->mstart;
-+		mend = ctx->overps[oix]->mend;
-+		VERIFY(err, (mend - mstart) <= LONG_MAX);
-+		if (err)
-+			goto bail;
-+		copylen += mend - mstart;
-+		VERIFY(err, copylen >= 0);
-+		if (err)
-+			goto bail;
- 	}
- 
- 	/* alocate new buffer */
-@@ -870,7 +880,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
- 	/* copy non ion buffers */
- 	for (oix = 0; oix < inbufs + outbufs; ++oix) {
- 		int i = ctx->overps[oix]->raix;
--		int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
-+		ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
- 		if (!pra[i].buf.len)
- 			continue;
- 		if (list[i].num)
--- 
-cgit v1.1
-