Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Mon, 19 Dec 2022 16:35:37 +0000 (11:35 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 19 Dec 2022 16:35:37 +0000 (11:35 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch [new file with mode: 0644]
queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch b/queue-4.9/bluetooth-l2cap-fix-u8-overflow.patch
new file mode 100644 (file)
index 0000000..1081c69
--- /dev/null
@@ -0,0 +1,65 @@
+From 7410f749c96a8ff2d377aa0f9668c8b27b9bbe09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 15:01:47 -0500
+Subject: Bluetooth: L2CAP: Fix u8 overflow
+
+From: Sungwoo Kim <iam@sung-woo.kim>
+
+[ Upstream commit bcd70260ef56e0aee8a4fc6cd214a419900b0765 ]
+
+By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
+multiple times and eventually it will wrap around the maximum number
+(i.e., 255).
+This patch prevents this by adding a boundary check with
+L2CAP_MAX_CONF_RSP
+
+Btmon log:
+Bluetooth monitor ver 5.64
+= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
+= Note: Bluetooth subsystem version 2.22                               0.264636
+@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
+= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
+@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
+= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
+(...)
+> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
+        invalid packet size (12 != 1033)
+        08 00 01 00 02 01 04 00 01 10 ff ff              ............
+> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
+        invalid packet size (14 != 1547)
+        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
+> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
+        invalid packet size (16 != 2061)
+        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
+> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
+        invalid packet size (16 != 2061)
+        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
+= bluetoothd: Bluetooth daemon 5.43                                   14.401828
+> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
+        invalid packet size (12 != 1033)
+        08 00 01 00 04 01 04 00 40 00 00 00              ........@...
+
+Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 5e7fb30b2320..cbf0a9d5aabc 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4183,7 +4183,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
+       chan->ident = cmd->ident;
+       l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
+-      chan->num_conf_rsp++;
++      if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
++              chan->num_conf_rsp++;
+       /* Reset config buffer. */
+       chan->conf_len = 0;
+-- 
+2.35.1
+
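Review bot: The saturating guard in the embedded l2cap_core.c hunk, `if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)`, has no comment saying that the counter is advanced by traffic from the remote peer, so a later cleanup could turn it back into a bare increment. I would add `/* u8 counter, bumped for each CONF_RSP sent to the peer; saturate so it cannot wrap */` above it. The commit message names the limit `L2CAP_MAX_CONF_RSP` while the code uses `L2CAP_CONF_MAX_CONF_RSP`, which makes the fix harder to grep for. For this 4.9 backport it is worth confirming that the macro is defined in the 4.9 headers and that every reader of `num_conf_rsp` still behaves as intended once the value stays pinned at the limit. Neither is visible here, and l2cap_config_req starts and ends outside the embedded hunk.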
diff --git a/queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch b/queue-4.9/net-loopback-use-net_name_predictable-for-name_assig.patch
new file mode 100644 (file)
index 0000000..fc0d9c4
--- /dev/null
@@ -0,0 +1,50 @@
+From 4699319830727549ab2cf421010226bf92103679 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 15:18:28 +0100
+Subject: net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 31d929de5a112ee1b977a89c57de74710894bbbf ]
+
+When the name_assign_type attribute was introduced (commit
+685343fc3ba6, "net: add name_assign_type netdev attribute"), the
+loopback device was explicitly mentioned as one which would make use
+of NET_NAME_PREDICTABLE:
+
+    The name_assign_type attribute gives hints where the interface name of a
+    given net-device comes from. These values are currently defined:
+...
+      NET_NAME_PREDICTABLE:
+        The ifname has been assigned by the kernel in a predictable way
+        that is guaranteed to avoid reuse and always be the same for a
+        given device. Examples include statically created devices like
+        the loopback device [...]
+
+Switch to that so that reading /sys/class/net/lo/name_assign_type
+produces something sensible instead of returning -EINVAL.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/loopback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/loopback.c b/drivers/net/loopback.c
+index 1b65f0f975cf..f04f9a87840e 100644
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -194,7 +194,7 @@ static __net_init int loopback_net_init(struct net *net)
+       int err;
+       err = -ENOMEM;
+-      dev = alloc_netdev(0, "lo", NET_NAME_UNKNOWN, loopback_setup);
++      dev = alloc_netdev(0, "lo", NET_NAME_PREDICTABLE, loopback_setup);
+       if (!dev)
+               goto out;
+-- 
+2.35.1
+
index 295c526e5730af2a1d7584e2c7458c96114f7ed5..9a0b2ee6d812e0b2dbeed418c025f90203f000da 100644 (file)
@@ -11,3 +11,5 @@ udf-do-not-bother-looking-for-prealloc-extents-if-i_lenextents-matches-i_size.pa
 udf-fix-extending-file-within-last-block.patch
 usb-gadget-uvc-prevent-buffer-overflow-in-setup-handler.patch
 usb-serial-cp210x-add-kamstrup-rf-sniffer-pids.patch
+bluetooth-l2cap-fix-u8-overflow.patch
+net-loopback-use-net_name_predictable-for-name_assig.patch