4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Apr 2024 13:42:28 +0000 (15:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Apr 2024 13:42:28 +0000 (15:42 +0200)
added patches:
batman-adv-avoid-infinite-loop-trying-to-resize-local-tt.patch
bluetooth-fix-memory-leak-in-hci_req_sync_complete.patch
series

queue-4.19/batman-adv-avoid-infinite-loop-trying-to-resize-local-tt.patch [new file with mode: 0644]
queue-4.19/bluetooth-fix-memory-leak-in-hci_req_sync_complete.patch [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]

diff --git a/queue-4.19/batman-adv-avoid-infinite-loop-trying-to-resize-local-tt.patch b/queue-4.19/batman-adv-avoid-infinite-loop-trying-to-resize-local-tt.patch
new file mode 100644 (file)
index 0000000..9b62057
--- /dev/null
@@ -0,0 +1,68 @@
+From b1f532a3b1e6d2e5559c7ace49322922637a28aa Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Mon, 12 Feb 2024 13:58:33 +0100
+Subject: batman-adv: Avoid infinite loop trying to resize local TT
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit b1f532a3b1e6d2e5559c7ace49322922637a28aa upstream.
+
+If the MTU of one of an attached interface becomes too small to transmit
+the local translation table then it must be resized to fit inside all
+fragments (when enabled) or a single packet.
+
+But if the MTU becomes too low to transmit even the header + the VLAN
+specific part then the resizing of the local TT will never succeed. This
+can for example happen when the usable space is 110 bytes and 11 VLANs are
+on top of batman-adv. In this case, at least 116 byte would be needed.
+There will just be an endless spam of
+
+   batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)
+
+in the log but the function will never finish. Problem here is that the
+timeout will be halved all the time and will then stagnate at 0 and
+therefore never be able to reduce the table even more.
+
+There are other scenarios possible with a similar result. The number of
+BATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too
+high to fit inside a packet. Such a scenario can therefore happen also with
+only a single VLAN + 7 non-purgable addresses - requiring at least 120
+bytes.
+
+While this should be handled proactively when:
+
+* interface with too low MTU is added
+* VLAN is added
+* non-purgeable local mac is added
+* MTU of an attached interface is reduced
+* fragmentation setting gets disabled (which most likely requires dropping
+  attached interfaces)
+
+not all of these scenarios can be prevented because batman-adv is only
+consuming events without the the possibility to prevent these actions
+(non-purgable MAC address added, MTU of an attached interface is reduced).
+It is therefore necessary to also make sure that the code is able to handle
+also the situations when there were already incompatible system
+configuration are present.
+
+Cc: stable@vger.kernel.org
+Fixes: a19d3d85e1b8 ("batman-adv: limit local translation table max size")
+Reported-by: syzbot+a6a4b5bb3da165594cff@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/translation-table.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -4198,7 +4198,7 @@ void batadv_tt_local_resize_to_mtu(struc
+       spin_lock_bh(&bat_priv->tt.commit_lock);
+-      while (true) {
++      while (timeout) {
+               table_size = batadv_tt_local_table_transmit_size(bat_priv);
+               if (packet_size_max >= table_size)
+                       break;
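Review bot: The new `while (timeout)` condition makes the loop give up silently: once `timeout` has stagnated at 0 the function falls out with `table_size` still above `packet_size_max`, and nothing in the hunk records that the local TT was left in a state that cannot be transmitted, which the commit message itself says is reachable with too many VLANs or non-purgeable entries. The condition also does not explain itself to a reader of the backport, because the halving of `timeout` that drives it to 0 happens in the part of the loop body outside the hunk. I would add a comment above the loop, `/* timeout is halved each pass and stagnates at 0; stop there rather than spin forever when the table cannot fit (too many VLANs / non-purgeable entries) */`, and, unless the code after the loop already does so, a rate-limited warning through the batadv log helpers when `packet_size_max < table_size` on exit so the failure is visible once instead of never. The body of `batadv_tt_local_resize_to_mtu()` continues past the hunk, so whether such a message already exists cannot be confirmed from here.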
diff --git a/queue-4.19/bluetooth-fix-memory-leak-in-hci_req_sync_complete.patch b/queue-4.19/bluetooth-fix-memory-leak-in-hci_req_sync_complete.patch
new file mode 100644 (file)
index 0000000..a569154
--- /dev/null
@@ -0,0 +1,37 @@
+From 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 Mon Sep 17 00:00:00 2001
+From: Dmitry Antipov <dmantipov@yandex.ru>
+Date: Tue, 2 Apr 2024 14:32:05 +0300
+Subject: Bluetooth: Fix memory leak in hci_req_sync_complete()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+commit 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 upstream.
+
+In 'hci_req_sync_complete()', always free the previous sync
+request state before assigning reference to a new one.
+
+Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=39ec16ff6cc18b1d066d
+Cc: stable@vger.kernel.org
+Fixes: f60cb30579d3 ("Bluetooth: Convert hci_req_sync family of function to new request API")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_request.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -107,8 +107,10 @@ static void hci_req_sync_complete(struct
+       if (hdev->req_status == HCI_REQ_PEND) {
+               hdev->req_result = result;
+               hdev->req_status = HCI_REQ_DONE;
+-              if (skb)
++              if (skb) {
++                      kfree_skb(hdev->req_skb);
+                       hdev->req_skb = skb_get(skb);
++              }
+               wake_up_interruptible(&hdev->req_wait_q);
+       }
+ }
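Review bot: The added `kfree_skb(hdev->req_skb)` sits inside the `if (skb)` branch, so a completion that arrives with `skb == NULL` still leaves whatever `hdev->req_skb` held from a previous sync request in place; whether that is a leak or a stale result handed to the next waiter depends on the consumer of `req_skb` in the hci_req_sync family, which is outside the hunk. If that consumer does not unconditionally take and clear the field, hoisting the free out of the branch — `kfree_skb(hdev->req_skb); hdev->req_skb = skb ? skb_get(skb) : NULL;` — would guarantee the field never carries a reference across requests, and `kfree_skb(NULL)` is a no-op so the first request is unaffected. A comment at the free, `/* drop any skb left over from a previous sync request before taking a new reference */`, would also record why it is needed here, since nothing in the visible code otherwise says where the previous reference went. `hci_req_sync_complete()` starts above the hunk; only its tail is visible.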
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..e7e060a
--- /dev/null
@@ -0,0 +1,2 @@
+batman-adv-avoid-infinite-loop-trying-to-resize-local-tt.patch
+bluetooth-fix-memory-leak-in-hci_req_sync_complete.patch