--- /dev/null
+From d5bb334a8e171b262e48f378bd2096c0ea458265 Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Wed, 24 Apr 2019 22:19:17 +0200
+Subject: Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
+
+From: Marcel Holtmann <marcel@holtmann.org>
+
+commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
+
+The minimum encryption key size for LE connections is 56 bits and to
+align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
+BR/EDR connections as well.
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/bluetooth/hci_core.h | 3 +++
+ net/bluetooth/hci_conn.c | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -178,6 +178,9 @@ struct adv_info {
+
+ #define HCI_MAX_SHORT_NAME_LENGTH 10
+
++/* Min encryption key size to match with SMP */
++#define HCI_MIN_ENC_KEY_SIZE 7
++
+ /* Default LE RPA expiry time, 15 minutes */
+ #define HCI_DEFAULT_RPA_TIMEOUT (15 * 60)
+
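Review bot: The comment on `HCI_MIN_ENC_KEY_SIZE` does not say what unit the 7 is in, while the commit message speaks of 56 bits. I would write it as `/* Minimum encryption key size in octets (7 octets = 56 bits), kept equal to the SMP minimum */` so a reader comparing it against `conn->enc_key_size` does not have to infer the unit. The value presumably mirrors a separate definition in the SMP code, so a shared definition or a build-time equality check would keep the two from drifting apart.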
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1165,6 +1165,14 @@ int hci_conn_check_link_mode(struct hci_
+ !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
++ /* The minimum encryption key size needs to be enforced by the
++ * host stack before establishing any L2CAP connections. The
++ * specification in theory allows a minimum of 1, but to align
++ * BR/EDR and LE transports, a minimum of 7 is chosen.
++ */
++ if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)
++ return 0;
++
+ return 1;
+ }
+
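Review bot: The new `conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE` test runs for every connection that reaches the end of hci_conn_check_link_mode(), not only for links that are encrypted with a key size the controller actually reported. Where `enc_key_size` is assigned is not visible in this hunk; if it stays 0 for unencrypted links, or when the key-size read fails or is unsupported, those links are now refused with no diagnostic. I would tie the test to the encrypt flag, `if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE)`, and log the rejected size at debug level so that a key-size downgrade can be told apart from a controller quirk. The function starts outside the hunk, so the conditions guarding the earlier `return 0` are only partly visible.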
--- /dev/null
+From a1616a5ac99ede5d605047a9012481ce7ff18b16 Mon Sep 17 00:00:00 2001
+From: Young Xiao <YangX92@hotmail.com>
+Date: Fri, 12 Apr 2019 15:24:30 +0800
+Subject: Bluetooth: hidp: fix buffer overflow
+
+From: Young Xiao <YangX92@hotmail.com>
+
+commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
+
+Struct ca is copied from userspace. It is not checked whether the "name"
+field is NULL terminated, which allows local users to obtain potentially
+sensitive information from kernel stack memory, via a HIDPCONNADD command.
+
+This vulnerability is similar to CVE-2011-1079.
+
+Signed-off-by: Young Xiao <YangX92@hotmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bluetooth/hidp/sock.c
++++ b/net/bluetooth/hidp/sock.c
+@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket
+ sockfd_put(csock);
+ return err;
+ }
++ ca.name[sizeof(ca.name)-1] = 0;
+
+ err = hidp_connection_add(&ca, csock, isock);
+ if (!err && copy_to_user(argp, &ca, sizeof(ca)))
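Review bot: Terminating `ca.name` at this line covers only the HIDPCONNADD path through hidp_sock_ioctl(). Any other entry point that fills a `struct hidp_connadd_req` from userspace and reaches hidp_connection_add() without passing through this line (a compat ioctl handler, if it keeps its own copy) needs the same termination. I would also add a comment such as `/* name is copied from userspace and may lack a NUL terminator */`, because without the commit message the assignment reads as redundant. The function body starts before the hunk and continues after it.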
--- /dev/null
+From 5cbdae10bf11f96e30b4d14de7b08c8b490e903c Mon Sep 17 00:00:00 2001
+From: Andrew Vasquez <andrewv@marvell.com>
+Date: Tue, 2 Apr 2019 14:24:25 -0700
+Subject: scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
+
+From: Andrew Vasquez <andrewv@marvell.com>
+
+commit 5cbdae10bf11f96e30b4d14de7b08c8b490e903c upstream.
+
+Commit e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs
+code") incorrectly set 'optrom_region_size' to 'start+size', which can
+overflow option-rom boundaries when 'start' is non-zero. Continue setting
+optrom_region_size to the proper adjusted value of 'size'.
+
+Fixes: e6f77540c067 ("scsi: qla2xxx: Fix an integer overflow in sysfs code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Vasquez <andrewv@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -345,7 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
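Review bot: Nothing at this assignment records that `optrom_region_size` is a length rather than an end offset, which is the confusion the earlier fix introduced; the same applies to the second hunk at the QLA_SWRITING assignment. I would add `/* byte count relative to optrom_region_start, not an end offset */` above both assignments. The check that keeps `start + size` inside the option ROM lies outside these hunks, so it is worth confirming that `size` is already clamped there before it sizes the vmalloc() buffer. Both hunks sit in the middle of qla2x00_sysfs_write_optrom_ctl().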
+@@ -418,7 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size;
++ ha->optrom_region_size = size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
usb-cdc-acm-fix-unthrottle-races.patch
usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch
intel_th-pci-add-comet-lake-support.patch
+scsi-qla2xxx-fix-incorrect-region-size-setting-in-optrom-sysfs-routines.patch
+bluetooth-hidp-fix-buffer-overflow.patch
+bluetooth-align-minimum-encryption-key-size-for-le-and-br-edr-connections.patch
+uas-fix-alignment-of-scatter-gather-segments.patch
--- /dev/null
+From 3ae62a42090f1ed48e2313ed256a1182a85fb575 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 30 Apr 2019 12:21:45 +0200
+Subject: UAS: fix alignment of scatter/gather segments
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 3ae62a42090f1ed48e2313ed256a1182a85fb575 upstream.
+
+This is the UAS version of
+
+747668dbc061b3e62bc1982767a3a1f9815fcf0e
+usb-storage: Set virt_boundary_mask to avoid SG overflows
+
+We are not as likely to be vulnerable as storage, as it is unlikelier
+that UAS is run over a controller without native support for SG,
+but the issue exists.
+The issue has been existing since the inception of the driver.
+
+Fixes: 115bb1ffa54c ("USB: Add UAS driver")
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -796,24 +796,33 @@ static int uas_slave_alloc(struct scsi_d
+ {
+ struct uas_dev_info *devinfo =
+ (struct uas_dev_info *)sdev->host->hostdata;
++ int maxp;
+
+ sdev->hostdata = devinfo;
+
+ /*
+- * USB has unusual DMA-alignment requirements: Although the
+- * starting address of each scatter-gather element doesn't matter,
+- * the length of each element except the last must be divisible
+- * by the Bulk maxpacket value. There's currently no way to
+- * express this by block-layer constraints, so we'll cop out
+- * and simply require addresses to be aligned at 512-byte
+- * boundaries. This is okay since most block I/O involves
+- * hardware sectors that are multiples of 512 bytes in length,
+- * and since host controllers up through USB 2.0 have maxpacket
+- * values no larger than 512.
++ * We have two requirements here. We must satisfy the requirements
++ * of the physical HC and the demands of the protocol, as we
++ * definitely want no additional memory allocation in this path
++ * ruling out using bounce buffers.
+ *
+- * But it doesn't suffice for Wireless USB, where Bulk maxpacket
+- * values can be as large as 2048. To make that work properly
+- * will require changes to the block layer.
++ * For a transmission on USB to continue we must never send
++ * a package that is smaller than maxpacket. Hence the length of each
++ * scatterlist element except the last must be divisible by the
++ * Bulk maxpacket value.
++ * If the HC does not ensure that through SG,
++ * the upper layer must do that. We must assume nothing
++ * about the capabilities off the HC, so we use the most
++ * pessimistic requirement.
++ */
++
++ maxp = usb_maxpacket(devinfo->udev, devinfo->data_in_pipe, 0);
++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1);
++
++ /*
++ * The protocol has no requirements on alignment in the strict sense.
++ * Controllers may or may not have alignment restrictions.
++ * As this is not exported, we use an extremely conservative guess.
+ */
+ blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1));
+
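Review bot: `maxp - 1` goes straight into blk_queue_virt_boundary() as a mask with no check that usb_maxpacket() returned a usable value: a return of 0 would yield an all-ones mask, and a value that is not a power of two would not form a valid boundary mask. A guard before the call, for example `if (WARN_ON_ONCE(maxp <= 0 || !is_power_of_2(maxp))) return -EINVAL;`, would make the assumption explicit; whether to fail the allocation or fall back to a conservative boundary is a maintainer decision. Only `data_in_pipe` is consulted, so the comment should state that the OUT pipe is assumed to have the same maxpacket value. In the new comment, "package" should read "packet" and "off the HC" should read "of the HC". uas_slave_alloc() continues past the end of the hunk.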